
peer not authenticated error CFHTTP

Engaged, May 01, 2013

Hi

I'm trying to call a web page using cfhttp. The url works fine and returns XML when called directly from the browser (any browser) but fails with the following error message when called from a .cfm file using cfhttp:

struct
Charset: [empty string]
ErrorDetail: I/O Exception: peer not authenticated
Filecontent: Connection Failure
Header: [empty string]
Mimetype: Unable to determine MIME type of file.
Responseheader: struct [empty]
Statuscode: Connection Failure. Status code unavailable.
Text: YES

Symptoms:

It's a secured url (https) so I've attempted using the port 443 (which I verified with the vendor) and a plethora of other combinations of parameters.

I was reviewing past errors like this via Google searches on different CF forums where they stated that the solution was either a bug fix from Adobe or that you needed to download the security certificate onto your own server, but all of those references were to CF9, and I'm running CF10. I've been able to use CFHTTP on other SSL protected sites and the response comes back just fine, just this particular URL. Why would this URL fail with this message and not others? And why would the url display without error from a call from a browser but not CF10?

I was also able to make the call to the page successfully using the command line tool curl.

What do I need to do with ColdFusion10 to get my CFHTTP requests to work?

Thanks in advance,

Rich

TOPICS
Security


Advocate, May 01, 2013

If the certificates from the certificate chain are not listed as trusted in the Java key store, then the request will fail. This is the way the JVM works (which is where CF is running).  If you are using a self-signed certificate or a certificate from a certificate authority that is not trusted by the JVM, then it will fail, every time.

There was also a bug in CF9 Enterprise which would sometimes result in a certificate not being accepted, but I believe that has been fixed in CF10. It was actually a problem with a 3rd party crypto library that was included in CF enterprise.

So, chances are that you are going to need to import one or more certificates into the JVM keystore. You said you've already found instructions on how to do that, so I won't rehash.  If it is a self-signed cert, you will need to import that.  If it is a cert with a CA parent, then you should just be able to install the CA root cert.

Hope this helps.

Jason

Engaged, May 01, 2013

Jason

Thanks for your response.

If you happen to have any current docs/instructions on how to import the certificates into the JVM keystore I'd be very grateful. Adobe has some docs published in the CF10 docs but they still have CF9 references all over the place, rather concerning seeing as CF10 replaced JRUN with Tomcat.

Thanks so much for your help.

Rich

Advocate, May 01, 2013

The instructions should be the same. It is happening at the JVM level, which is below Tomcat or JRun.

The only difference, possibly, would be where the cacerts file is located. I do not have a CF10 install to check against.

This forum post seems to have CF10 specific instructions: http://forums.adobe.com/message/4246821

Jason

Engaged, May 01, 2013

Hi Jason

I've tried to follow the instructions in the link you provided above, as well as the instructions in this link: http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffc.html

but both are very unclear and reference folders that do not exist on the CF10 installation.

If anyone has any other resources for this I'd be extremely grateful.

Thanks in advance,

Rich

Engaged, May 01, 2013

Sorry for the lack of clarification, I'm on a Mac, not Windows.

Thanks again,

Rich

Advocate, May 01, 2013

That's COMPLETELY different then.

On a Mac you are not using a JVM that comes with CF, you are using the one built into the operating system.

On the Mac you will find the cacerts file at /Library/Java/Home/lib/security

So go to that directory and type in:

sudo keytool -importcert -file /path/to/cert/file -alias anyName -keystore cacerts -storepass changeit

Then restart CF and try it again.

jason
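
Added example (not part of the posts above, and not the posters' or Adobe's code): the import described in the answer above as a shell helper that locates cacerts under a given Java home, compares the certificate's SHA-256 fingerprint with one obtained from the vendor out of band, backs up the keystore, then imports and lists the entry. The function names, the PEM input format and the out-of-band fingerprint are assumptions; `changeit` is the store password from the command above.

```shell
#!/usr/bin/env bash
# Hypothetical helpers; run as a user that can write the keystore (the post uses sudo).

# Print the cacerts path under a Java home. JREs and JDK 9+ keep it in
# lib/security; JDK 8 and earlier keep it in jre/lib/security.
find_cacerts() {
  local java_home=$1 candidate
  for candidate in "$java_home/lib/security/cacerts" \
                   "$java_home/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Strip colons and whitespace and uppercase, so fingerprints compare exactly.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only if the PEM certificate's SHA-256 fingerprint equals the expected one.
fingerprint_matches() {
  local cert_file=$1 expected=$2 actual
  actual=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha256) || return 2
  [ "$(normalize_fp "${actual#*=}")" = "$(normalize_fp "$expected")" ]
}

# Verify, back up the trust store, import, then list the new entry.
import_cert() {
  local java_home=$1 cert_file=$2 alias_name=$3 expected_fp=$4 store
  store=$(find_cacerts "$java_home") ||
    { echo "no cacerts found under $java_home" >&2; return 1; }
  fingerprint_matches "$cert_file" "$expected_fp" ||
    { echo "fingerprint mismatch or unreadable certificate; not importing" >&2; return 1; }
  cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1
  keytool -importcert -noprompt -file "$cert_file" -alias "$alias_name" \
          -keystore "$store" -storepass changeit &&
    keytool -list -alias "$alias_name" -keystore "$store" -storepass changeit
}

# Usage (all four values are placeholders):
#   import_cert /Library/Java/Home /path/to/cert/file anyName 'AA:BB:...'
```

The fingerprint check matters because anything placed in cacerts is trusted for every outbound HTTPS call the JVM makes, not just this one URL.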

Advocate, May 09, 2013

So how'd it go?

Engaged, May 09, 2013

Sorry, got busy working with clients. Your advice was spot on, thanks so much for your help.

New Here, Feb 28, 2015

I'm having the same issue with CF9. Can you point me to the hot fix for this?

Community Expert, Aug 04, 2020

I realize this is a very old discussion, but since it still comes up near the top of a search for the "peer not authenticated" error in CF, I wanted to share that for most people, the simple solution is to update the JVM that CF uses. (More in a moment on how to do that.)

The cause of the problem is generally that the service BEING CALLED has made a change that requires a later version of TLS or SSL (and perhaps a change to supported algorithms). Later JVMs offer that, while earlier ones did not. Since CF runs atop the JVM, it's the calls out of CF (via cfhttp, cfldap, cfmail, etc) that "suddenly" start to fail.

And sure, sometimes a cert update is the answer (and even then, you have to do it carefully), but it's not always needed. And updating the JVM also gives other benefits, in terms of bug fixes, etc.

The only challenge is knowing what JVM your version of CF will support. (But even people still running on an old CF version have found that updating the JVM CF uses has solved this problem and not caused any others.)

I discuss all this in a 2019 post:

https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/

Hope that may help someone.


/Charlie (troubleshooter, carehart.org)
