
Scheduled Tasks fail after updating SSL certificate

New Here, Feb 18, 2025

After updating my SSL certificate, my website runs correctly,  returning the new certificate information.

 

However, I cannot get my scheduled tasks to run via CF Scheduler. Errors are like:

 

"Information","DefaultQuartzScheduler_Worker-2","02/18/25","13:29:37","","Task DEFAULT.CHECK FOR COLDFUSION UPDATES triggered."
"Error","DefaultQuartzScheduler_Worker-2","02/18/25","13:29:37","","Connection Failure: Status code unavailable"

 

My java path is /etc/alternatives/jre_17/

 

How do I get the scheduled tasks to use the new SSL cert?

 

 

 

 

Community Expert, Feb 18, 2025

You probably need to import the certificate chain (root and intermediate certificates) into the cacerts truststore for the JVM that CF is using. I can't provide much more information now, but will be able to later today, if needed.

 

Dave Watts, Eidolon LLC
New Here, Feb 18, 2025

My "JVM Arguments" has "-Djavax.net.ssl.trustStore=/opt/ncmb/cacerts". In that cacerts, I have the entries listed below that include the root and intermediate certs. This worked until I updated my main certificate.

 

[root@lookup bin]# keytool -list -v -keystore /opt/ncmb/cacerts -storepass changeit | grep -E "uscourts| lookup"
Alias name: lookup
Owner: EMAILADDRESS=ncmbml_IT@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
DNSName: lookup.ncmb.circ4.dcn
Alias name: lookup.ncmb.circ4.dcn
Owner: EMAILADDRESS=ncmbml_IT@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
DNSName: lookup.ncmb.circ4.dcn
Alias name: uscourtseastcertificateauthority
Alias name: uscourtsprivatesslca
Alias name: uscourtsrootca
Alias name: uscourtsrootcertificateauthority
Alias name: uscourtswestcertificateauthority

 

 

New Here, Feb 18, 2025

A simple script like ...

<cfhttp result="result" method="GET" charset="utf-8" url="https://www.google.com/">
<cfhttpparam name="q" type="url" value="cfml">
</cfhttp>
<cfdump var="#result#">

 

fails with ... (screenshot: 2025-02-18_15h38_46.png)

 

 

 

Community Expert, Feb 18, 2025

More questions than answers:

 

You say, "My java path is /etc/alternatives/jre_17".  Do you mean the cf admin Java home setting points to that?

 

And what version of cf are you running? Only cf2023 supports Java 17. 

 

(Less important, do you have a reason for choosing a jre vs a jdk?) 

 

As for the cfhttp failing with that "unknown protocol: https", that's not at all a common cf error. Besides the jvm arg you list, have you added others, especially related to http?

 

And you say this started when you "updated my main certificate". Do you mean you imported it with keytool, into that cacerts you name? Can you confirm there are MORE certs than that? Why didn't you import that new cert into the cacerts within the lib/security folder of the jvm that Cf is pointing to in the admin Java home field? 


/Charlie (troubleshooter, carehart. org)
New Here, Feb 18, 2025

Lots of questions that I'm not even sure I can answer!  This really should be simple.  I renewed the SSL certificate for my website.  

 

Common Name (CN): lookup.ncmb.circ4.dcn (internal work server).
Issued On: Thursday, December 5, 2024 at 4:10:33 PM
Expires On: Saturday, December 5, 2026 at 4:10:33 PM
 
I imported that into the cacert that CF is using which is: Djavax.net.ssl.trustStore=/opt/ncmb/cacerts
 
Using keytool, the certificate shows in the store. The intermediate and root are still present.  They didn't expire and don't need update.
 

[root@lookup scripts]# keytool -list -v -keystore /opt/ncmb/cacerts -alias lookup -storepass changeit
Alias name: lookup
Creation date: Jan 22, 2025
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ncmbXXX@ncmb.uscourts.gov, CN=lookup.ncmb.circ4.dcn, OU=ncmb, O=Administrative Office of the U.S. Courts, L=Washington, ST=DC, C=US
Issuer: CN=US Courts East Certificate Authority, DC=ADU, DC=DCN
Serial number: 6200009bf5ca16fb7faf1bad4e000000009bf5
Valid from: Thu Dec 05 16:10:33 EST 2024 until: Sat Dec 05 16:10:33 EST 2026

Community Expert, Feb 18, 2025

Well, if it was simple, there'd be no need for the questions. The first four remain, and should not be difficult for you to answer. If so, please clarify why that's so.

 

Or you can wait for ideas from others, of course. 


/Charlie (troubleshooter, carehart. org)
New Here, Feb 19, 2025

Thanks for taking the time to assist me! When I say "should be simple", I mean that renewing an SSL certificate for a web server is a simple and routine task. I wish adding that certificate into CF Scheduler was equally simple.

 

  • Do you mean the cf admin Java home setting points to that? My "Java Virtual Machine Path" points to /usr.
    • Details on that ... 
      [root@lookup ~]# ll /usr/bin/java
      lrwxrwxrwx 1 root root 22 Jan 13 14:24 /usr/bin/java -> /etc/alternatives/java
      [root@lookup ~]# ll /etc/alternatives/java
      lrwxrwxrwx 1 root root 62 Jan 24 01:15 /etc/alternatives/java -> /usr/lib/jvm/java-17-openjdk-17.0.14.0.7-2.el9.x86_64/bin/java
  • And what version of cf are you running? Only cf2023 supports Java 17:  CF 2021, Update 13.  I've been running that for months with Java 17.  
  • Why didn't you import that new cert into the cacerts within the lib/security folder?  Because I've set "-Djavax.net.ssl.trustStore=/opt/ncmb/cacerts" in the "JVM Arguments"
  • (Less important, do you have a reason for choosing a jre vs a jdk?)  No reason, tbh I don't really even understand the difference
  • Besides the jvm arg you list, have you added others, especially related to http? I'm sorry.  I don't understand this question.  "added other" what?
  • Do you mean you imported it with keytool, into that cacerts you name? Yes
  • Can you confirm there are MORE certs than that? There are 143
    • [root@lookup ~]# keytool -list -v -keystore /opt/ncmb/cacerts -storepass changeit | grep "Alias name"|wc -l
      143
Community Expert, Feb 19, 2025

Douglas:

  • You're not adding the cert to cf scheduler. You're adding to the jvm cf points to, because the cf scheduler (and cfhttp) use that to run. If some url requires a special cert, then you need to add it to the jvm cf uses. Just clarifying that technicality.
  • And yes, normally one would add it to the cacerts of that jvm. But you've attempted to override that with the jvm arg, -Djavax.net.ssl.trustStore.
  • You say you've been running cf2021 with Java 17 for months. OK. I'm just clarifying that's not supported by Adobe. Cf2021 supported only Java 11. There's no telling what odd things can happen.
  • You feel that the only change before things went wrong was that you added a new cert. But if your test of a cfhttp to Google was working BEFORE that change, I can't see at all how that simple action would break such a call.
  • As for what other jvm args I mean, I'm referring to wherever you put that -Djavax.net.ssl.trustStore. Did you add any other non-standard jvm args in that place? Or did you somehow inherit this configuration of things from someone else?

 

Going back to your original task, yes it should be simple to resolve. I'm sensing that things aren't working because you've done things out of the norm. And I get it: you feel it worked before so should work still. But nothing about cf breaks simply because you add a cert to the keystore. If that's truly ALL that you did, I'd find that surprising. We might more readily find in a session together that there's more to this matter than meets the eye.

 

But here's one more thing you could pursue on your own if you prefer: look into adding the jvm arg (-Djavax.net.debug=all) which causes the jvm to log debugging info about ssl/tls connection processing (which happens when a cfhttp or scheduled task runs). This can generate a LOT of log info for each attempted connection, so it's easier when you can know your request is the only one, running in a given few seconds. 

 

You can find more details by searching the web or ai for that jvm arg (no need to refer to or seek coldfusion references specifically, as the issue is again not about cf but about that underlying https connection attempt via Java). The logging will create several dozen lines for each connection attempt. Please don't just dump them here and ask for help making sense of them. If anything, winnow them down to a specific line or two in error. Or again all this is something I could help with directly.

 

Finally, are you working on some production server that's having this issue? If so, have you attempted all the same configuration in a local (or remote) dev environment? (Note that CF is free for development use. You could implement it either in the same OS or another, whether on a real machine or a VM.) Sometimes doing that helps you see more clearly how and when things went from working to not working. I can help do that, which can take just several minutes.

 

Or perhaps you'll find something based on what's been shared or that someone else may offer here. 


/Charlie (troubleshooter, carehart. org)
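
The winnowing step suggested in the reply above, as an added example that is not part of the original post: it reduces `-Djavax.net.debug=all` output to the record naming the truststore file the JVM loaded plus any ERROR records. It assumes the JDK 11+ pipe-delimited record header; the function names and the sample log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the JDK 11+ debug record header:
#   javax.net.ssl|LEVEL|thread-id|thread-name|timestamp|Source.java:line|message
# Lines without that header are continuation lines of the record above them.

tls_debug_summary() {
  # $1 (optional): how many continuation lines to show per kept record.
  awk -F'|' -v max="${1:-2}" '
    /^javax\.net\.ssl\|/ {
      # Keep ERROR records and the record naming the truststore file in use.
      keep = ($2 == "ERROR" || $7 ~ /^trustStore is: /)
      left = max
      if (keep) print
      next
    }
    # Show at most "max" non-empty continuation lines of a kept record.
    keep && left > 0 && NF { print "    " $0; left-- }
  '
}

# Constructed sample, not the poster's log. Source line numbers are made up.
sample_debug_log() {
  cat <<'EOF'
javax.net.ssl|DEBUG|2A|DefaultQuartzScheduler_Worker-2|2025-02-18 13:29:37.101 EST|TrustStoreManager.java:113|trustStore is: /opt/ncmb/cacerts
trustStore type is: pkcs12
the last modified time is: Wed Jan 22 10:00:00 EST 2025
javax.net.ssl|DEBUG|2A|DefaultQuartzScheduler_Worker-2|2025-02-18 13:29:37.240 EST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version": "TLSv1.2"
}
)
javax.net.ssl|ERROR|2A|DefaultQuartzScheduler_Worker-2|2025-02-18 13:29:37.512 EST|TransportContext.java:363|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed
  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
EOF
}

sample_debug_log | tls_debug_summary
```

The "trustStore is:" record confirms whether the `-Djavax.net.ssl.trustStore` override is the file actually being read, which is the first thing to settle before looking at the certificates inside it.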
Community Expert, Feb 19, 2025

I'm not sure why you're using a truststore other than the one that's part of the JVM used by CF, but I don't think it matters. I think the problem is that you still need to install the certificate chain for this new certificate. When you renew a certificate, the chain can in theory have a different root and intermediate certificates. If that happens, your client (CF) likely won't have those in its truststore.

 

Dave Watts, Eidolon LLC
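
One way to check a truststore for the situation described above, where a renewed certificate chains to an issuer the store does not hold (an added example, not part of the original post): it reads `keytool -list -v` text and flags entries whose issuer DN is not the owner of any entry in the same store. The function names and the sample listing with placeholder DNs are constructed; it assumes `trustedCertEntry` items, which print one Owner/Issuer pair each.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Reads `keytool -list -v` text on stdin and
# prints "alias -> issuer DN" for every entry whose issuer is not the Owner of
# some entry in the same store. DN strings are compared as text only; no
# signature is verified, so treat a hit as a prompt to inspect the chain.

missing_issuers() {
  awk '
    /^Alias name: / { alias = substr($0, 13) }          # text after the label
    /^Owner: /      { owner[substr($0, 8)] = 1 }        # every subject DN held
    /^Issuer: /     { issuer[alias] = substr($0, 9) }   # issuer DN per alias
    END {
      for (a in issuer)
        if (!(issuer[a] in owner)) print a " -> " issuer[a]
    }
  ' | sort
}

# Constructed sample with placeholder DNs: the leaf was reissued by
# "Issuing CA 2", but the store only holds "Issuing CA 1" and the root.
sample_listing() {
  cat <<'EOF'
Alias name: webserver
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Issuing CA 2, O=Example

Alias name: issuingca1
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA 1, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

sample_listing | missing_issuers
# Against a real store, using the listing command shown in the thread:
#   keytool -list -v -keystore /opt/ncmb/cacerts -storepass changeit | missing_issuers
```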
Community Expert, Feb 19, 2025

Dave, what you say is true, WRT the chain for the cert in question...but note that Douglas had shared yesterday that even a cfhttp call to Google was failing. That's why I've focused on the seeming broader impact of whatever has been done (or not done).

 

But let's see what we may learn next, and of course all ideas are welcome and might give a needed clue to Douglas. 


/Charlie (troubleshooter, carehart. org)
New Here, Feb 19, 2025

A bit more info

 

[root@lookup ssl.crt]# keytool -import -v -alias lookup -file lookup.ncmb.circ4.dcn.crt -keystore /opt/ncmb/cacerts -storepass changeit
keytool error: java.lang.Exception: Certificate not imported, alias <lookup> already exists

Community Expert, Feb 19, 2025

I gather you're offering this info to confirm you'd indeed already added that cert. It's not as reliable as the cert listing you showed previously. Feel free to elaborate if you're meaning something else in offering this. 


/Charlie (troubleshooter, carehart. org)