Participating Frequently
February 18, 2025
Question

Scheduled Tasks fail after updating SSL certificate


After updating my SSL certificate, my website runs correctly, returning the new certificate information.

 

However, I cannot get my scheduled tasks to run via CF Scheduler. Errors are like:

 

"Information","DefaultQuartzScheduler_Worker-2","02/18/25","13:29:37","","Task DEFAULT.CHECK FOR COLDFUSION UPDATES triggered."
"Error","DefaultQuartzScheduler_Worker-2","02/18/25","13:29:37","","Connection Failure: Status code unavailable"

 

My java path is /etc/alternatives/jre_17/

 

How do I get the scheduled tasks to use the new SSL cert?

 

 

 

 


    Charlie Arehart
    Community Expert
    February 18, 2025

    More questions than answers:

     

    You say, "My java path is /etc/alternatives/jre_17".  Do you mean the cf admin Java home setting points to that?

     

    And what version of cf are you running? Only cf2023 supports Java 17. 

     

    (Less important, do you have a reason for choosing a jre vs a jdk?) 

     

    As for the cfhttp failing with that "unknown protocol: https", that's not at all a common cf error. Besides the jvm arg you list, have you added others, especially related to http?

     

    And you say this started when you "updated my main certificate". Do you mean you imported it with keytool, into that cacerts you name? Can you confirm there are MORE certs than that? Why didn't you import that new cert into the cacerts within the lib/security folder of the jvm that Cf is pointing to in the admin Java home field? 

    /Charlie (troubleshooter, carehart. org)
    Participating Frequently
    February 18, 2025

    Lots of questions that I'm not even sure I can answer!  This really should be simple.  I renewed the SSL certificate for my website.  

     

    Common Name (CN): lookup.ncmb.circ4.dcn (internal work server).
    Issued On Thursday, December 5, 2024 at 4:10:33 PM
    Expires On Saturday, December 5, 2026 at 4:10:33 PM
     
    I imported that into the cacert that CF is using which is: Djavax.net.ssl.trustStore=/opt/ncmb/cacerts
     
    Using keytool, the certificate shows in the store. The intermediate and root are still present.  They didn't expire and don't need update.
     

    [root@lookup scripts]# keytool -list -v -keystore /opt/ncmb/cacerts -alias lookup -storepass changeit
    Alias name: lookup
    Creation date: Jan 22, 2025
    Entry type: trustedCertEntry

    Owner: EMAILADDRESS=ncmbXXX@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
    Issuer: CN=US Courts East Certificate Authority, DC=ADU, DC=DCN
    Serial number: 6200009bf5ca16fb7faf1bad4e000000009bf5
    Valid from: Thu Dec 05 16:10:33 EST 2024 until: Sat Dec 05 16:10:33 EST 2026

    Charlie Arehart
    Community Expert
    February 19, 2025

    Well, if it was simple, there'd be no need for the questions. The first four remain, and should not be difficult for you to answer. If so, please clarify why that's so.

     

    Or you can wait for ideas from others, of course. 

    /Charlie (troubleshooter, carehart. org)
    Community Expert
    February 18, 2025

    You probably need to import the certificate chain (root and intermediate certificates) into the cacerts truststore for the JVM that CF is using. I can't provide much more information now, but will be able to later today, if needed.

     

    Dave Watts, Eidolon LLC
    Participating Frequently
    February 18, 2025

    My "JVM Arguments" has "-Djavax.net.ssl.trustStore=/opt/ncmb/cacerts". In that cacerts, I have the entries listed below that include the root and intermediate certs. This worked until I updated my main certificate.

     

    [root@lookup bin]# keytool -list -v -keystore /opt/ncmb/cacerts -storepass changeit | grep -E "uscourts| lookup"
    Alias name: lookup
    Owner: EMAILADDRESS=ncmbml_IT@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
    DNSName: lookup.ncmb.circ4.dcn
    Alias name: lookup.ncmb.circ4.dcn
    Owner: EMAILADDRESS=ncmbml_IT@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
    DNSName: lookup.ncmb.circ4.dcn
    Alias name: uscourtseastcertificateauthority
    Alias name: uscourtsprivatesslca
    Alias name: uscourtsrootca
    Alias name: uscourtsrootcertificateauthority
    Alias name: uscourtswestcertificateauthority
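
Added example, not from any poster in this thread: a Python sketch that reads `keytool -list -v` output like the listings above and reports aliases that share an Owner, along with entries outside their validity window. The sample listing, its names and the `audit` helper are constructed for illustration, and zone names in keytool's dates are ignored.

```python
import re
from collections import defaultdict
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
VALID = re.compile(r"Valid from: (.+?) until: (.+)")

# Constructed sample in the shape keytool prints; not taken from a real store.
SAMPLE = """\
Alias name: web
Owner: CN=web.example.test, O=Example
Valid from: Thu Dec 05 16:10:33 EST 2024 until: Sat Dec 05 16:10:33 EST 2026
Alias name: web.example.test
Owner: CN=web.example.test, O=Example
Valid from: Mon Dec 05 10:00:00 EST 2022 until: Thu Dec 05 10:00:00 EST 2024
Alias name: exampleroot
Owner: CN=Example Root CA
Valid from: Wed Jan 01 00:00:00 EST 2020 until: Tue Jan 01 00:00:00 EST 2030
"""

def _parse_date(text):
    # e.g. "Thu Dec 05 16:10:33 EST 2024"; weekday and zone name are ignored.
    _, mon, day, clock, _, year = text.split()
    h, m, s = map(int, clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), h, m, s)

def parse_listing(text):
    """Return one dict per alias; only the first certificate of an entry is kept."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Alias name:"):
            entries.append({"alias": line.split(":", 1)[1].strip()})
        elif entries and (m := VALID.match(line)):
            entries[-1].setdefault("not_before", _parse_date(m.group(1)))
            entries[-1].setdefault("not_after", _parse_date(m.group(2)))
        elif entries and line.startswith("Owner:"):
            entries[-1].setdefault("owner", line.split(":", 1)[1].strip())
    return entries

def audit(text, now):
    """Report owners held under several aliases and aliases not valid at `now`."""
    entries = parse_listing(text)
    by_owner = defaultdict(list)
    for e in entries:
        by_owner[e.get("owner")].append(e["alias"])
    return {
        "duplicates": {o: a for o, a in by_owner.items() if o and len(a) > 1},
        "out_of_window": [e["alias"] for e in entries if "not_before" in e
                          and not e["not_before"] <= now <= e["not_after"]],
    }
```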