Hi
I'm trying to call a web page using cfhttp. The url works fine and returns XML when called directly from the browser (any browser) but fails with the following error message when called from a .cfm file using cfhttp:
struct | |
---|---|
Charset | [empty string] |
ErrorDetail | I/O Exception: peer not authenticated |
Filecontent | Connection Failure |
Header | [empty string] |
Mimetype | Unable to determine MIME type of file. |
Responseheader | |
Statuscode | Connection Failure. Status code unavailable. |
Text | YES |
Symptoms:
It's a secured url (https) so I've attempted using the port 443 (which I verified with the vendor) and a plethora of other combinations of parameters.
I was reviewing past errors like this via Google searches on different CF forums where they stated that the solution was either a bug fix from Adobe or that you needed to download the security certificate onto your own server, but all of those references were to CF9, and I'm running CF10. I've been able to use CFHTTP on other SSL protected sites and the response comes back just fine, just this particular URL. Why would this URL fail with this message and not others? And why would the url display without error from a call from a browser but not CF10?
I was also able to make the call to the page successfully using the command line tool curl.
What do I need to do with ColdFusion10 to get my CFHTTP requests to work?
Thanks in advance,
Rich
If the certificates from the certificate chain are not listed as trusted in the Java key store, then the request will fail. This is the way the JVM works (which is where CF is running). If you are using a self-signed certificate or a certificate from a certificate authority that is not trusted by the JVM, then it will fail, every time.
There was also a bug in CF9 Enterprise which would sometimes result in a certificate not being accepted, but I believe that has been fixed in CF10. It was actually a problem with a 3rd party crypto library that was included in CF enterprise.
So, chances are that you are going to need to import one or more certificates into the JVM keystore. You said you've already found instructions on how to do that, so I won't rehash. If it is a self-signed cert, you will need to import that. If it is a cert with a CA parent, then you should just be able to install the CA root cert.
Hope this helps.
Jason
Jason
Thanks for your response.
If you happen to have any current docs/instructions on how to import the certificates into the JVM keystore I'd be very grateful. Adobe has some docs published in the CF10 docs but they still have CF9 references all over the place, rather concerning seeing as CF10 replaced JRUN with Tomcat.
Thanks so much for your help.
Rich
The instructions should be the same. It is happening at the JVM level, which is below Tomcat or JRun.
The only difference, possibly, would be where the cacerts file is located. I do not have a CF10 install to check against.
This forum post seems to have CF10 specific instructions: http://forums.adobe.com/message/4246821
Jason
Hi Jason
I've tried to follow the instructions in the link you provided above, as well as the instructions in this link: http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffc.html
but both are very unclear and reference folders that do not exist on the CF10 installation.
If anyone has any other resources for this I'd be extremely grateful.
Thanks in advance,
Rich
Sorry for the lack of clarification, I'm on a Mac, not Windows.
Thanks again,
Rich
That's COMPLETELY different then.
On a Mac you are not using a JVM that comes with CF, you are using the one built into the operating system.
On the Mac you will find the cacerts file at /Library/Java/Home/lib/security
So go to that directory and type in:
sudo keytool -importcert -file /path/to/cert/file -alias anyName -keystore cacerts -storepass changeit
Then restart CF and try it again.
jason
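A guarded version of the import step described above, as an added example that is not part of the original post: it checks the certificate's SHA-256 fingerprint against a value obtained out of band, refuses to reuse an alias, and backs up the keystore before changing it. The function names are hypothetical, and keytool is assumed to be on PATH.

```bash
#!/bin/sh
# Added example (not from the thread): guarded import into a JVM trust store.
# Assumes keytool is on PATH. Function names are hypothetical.

# SHA-256 fingerprint of a certificate file, as printed by `keytool -printcert`
# (upper-case hex pairs separated by colons).
cert_fingerprint() {  # args: certfile
  keytool -printcert -file "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Succeeds when the alias is already present in the keystore.
alias_exists() {  # args: keystore storepass alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Import a certificate only if its fingerprint equals the expected value
# (obtained out of band, e.g. from the vendor) and the alias is unused.
# Returns 2 on fingerprint mismatch, 3 if the alias exists, 1 on other errors.
import_trusted_cert() {  # args: keystore storepass certfile alias expected_sha256
  actual=$(cert_fingerprint "$3")
  if [ -z "$actual" ] || [ "$actual" != "$5" ]; then
    echo "fingerprint mismatch for $3: got '${actual}'" >&2
    return 2
  fi
  if alias_exists "$1" "$2" "$4"; then
    echo "alias '$4' already in $1; refusing to overwrite" >&2
    return 3
  fi
  # Keep a timestamped copy so a bad import can be rolled back.
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
  keytool -importcert -noprompt -file "$3" -alias "$4" \
    -keystore "$1" -storepass "$2" >/dev/null 2>&1 || return 1
  # Confirm the entry is really there before reporting success.
  alias_exists "$1" "$2" "$4"
}

# Example call (placeholder values; run from the directory holding cacerts):
# import_trusted_cert cacerts changeit /path/to/cert/file anyName "<expected SHA-256>"
```
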
So how'd it go?
Sorry, got busy working with clients. Your advice was spot on, thanks so much for your help.
I'm having the same issue with CF9. Can you point me to the hot fix for this?
I realize this is a very old discussion, but since it still comes up near the top of a search for the "peer not authenticated" error in CF, I wanted to share that for most people, the simple solution is to update the JVM that CF uses. (More in a moment on how to do that.)
The cause of the problem is generally that the service BEING CALLED has made a change that requires a later version of TLS or SSL (and perhaps a change to supported algorithms). Later JVMs offer that, while earlier ones did not. Since CF runs atop the JVM, it's the calls out of CF (via cfhttp, cfldap, cfmail, etc) that "suddenly" start to fail.
And sure, sometimes a cert update is the answer (and even then, you have to do it carefully), but it's not always needed. And updating the JVM also gives other benefits, in terms of bug fixes, etc.
The only challenge is knowing what JVM your version of CF will support. (But even people still running on an old CF version have found that updating the JVM CF uses has solved this problem and not caused any others.)
I discuss all this in a 2019 post:
https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/
Hope that may help someone.