
Web service error

New Here, Aug 31, 2011

Hi,

I'm trying to connect to a remote webservice but keep getting:

Error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I've tried using 'keytool' to import the SSL certificate into 'cacerts' and 'truststore' and checked they have imported OK. Restarted ColdFusion.

But I'm still getting the error when I invoke the webservice in ColdFusion. When I imported the certificate I gave it an alias; do I need to refer to this alias somewhere when I do the webservice call?

Can anyone think of anything else I can do to get this working?

Any help/ pointers much appreciated.

Thanks,

Robin.

Advocate, Aug 31, 2011

In my experience, this error is usually caused by one of two things:

  1. The admin failed to install the cert into the cacerts repo, or they installed it into the wrong one.

  2. ColdFusion Enterprise and ColdFusion Developer edition (for both CF8 and 9, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.

First, I would explore the possibility that you are importing into the wrong cert repo. It can be hard to tell which repo is being used. In your CF Admin under "Settings Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it, and that should be the location of the cacerts file that is being used. I say should because I have seen at least one weird situation where it was not.

If you are 100% positive that you are putting the cert into the correct cacerts file (and that you are adding the entire cert chain) then you are probably running into the BSafe bug that I mentioned above. The workaround for this is to remove the BSafe provider from the available JCA/JCE providers (note, this negates ColdFusion's FIPS 140 compliance, so if you depend on that then you may need to look into another option).

<!--- Get the Security class --->
<cfset objSecurity = createObject("java", "java.security.Security") />

<!--- Store the Jsafe provider so you can put it back --->
<cfset storeProvider = objSecurity.getProvider("JsafeJCE") />

<!--- Remove the provider --->
<!---<cfset objSecurity.removeProvider("JsafeJCE") />--->

<!--- Make your call here --->

<!--- Put the provider back where you found it (in the first position) --->
<!---<cfset objSecurity.insertProviderAt(storeProvider, 1) />--->

I hope this helps

New Here, Aug 31, 2011

Many thanks for such an extensive reply.

I'm currently trying to get this working locally on my PC using the Developer edition of CF9 (but also had the same problem on the server). The file locations are the same.

I imported the certificate using:

Keytool -import -alias My-cert -file MyCert.der -keystore C:\ColdFusion9\runtime\jre\lib\security\cacerts -storepass changeIt

and checked it with:

keytool -list -v -keystore C:\ColdFusion9\runtime\jre\lib\security\cacerts -alias My-cert -storepass changeIt

and it listed the certificate (also used the above to import to trustStore (C:\ColdFusion9\runtime\lib\trustStore)).

My Java Home setting is: C:\ColdFusion9\runtime\jre

I tried the code you posted, literally just pasted it straight into the cfm page, put the webservice call where you said and uncommented the remove and put-back provider lines... but I'm still getting the same error.

Is there anything else you think I may be doing wrong?

Thanks,
Robin.

Advocate, Aug 31, 2011

If running that code did not work then I have to believe that your JVM is using a different CA cert file, or that you are not loading the entire cert chain and that you need to.

Sometimes the entire cert chain is needed. For example, when you browse to the service in the browser and inspect the certificate you may see:

-- CA Cert
     --- Intermediate Cert
          --- Website Cert

If you are only loading the Website cert into your cacerts file and the intermediate or CA certs are not recognized by the JVM then you will get the same error. You would need to load all of them.

Also, consider searching your hard disk for cacerts and see what you find. I have seen situations where I had several cacerts files and for some reason the JVM was using one that I did not expect. You may need to load them into multiple cacerts before you find the right one.

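Both replies come down to two checks: is the cacerts under java.home/lib/security the file this JVM really uses, and does it hold every link of the chain shown in the browser? The program below is an added example written for this thread, not ColdFusion's own tooling or code from the posters: it loads that cacerts (or a path you pass as the second argument, e.g. C:\ColdFusion9\runtime\jre\lib\security\cacerts), parses a chain file exported from the browser (PEM bundle or single DER, leaf first, an assumption), and asks a PKIX trust manager whether the chain verifies, naming the missing issuer if it does not. It assumes Java 7 or later to compile.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    // args[0]: chain file (PEM bundle or single DER) exported from the browser, leaf first.
    // args[1] (optional): cacerts path; default follows the reply: java.home + lib/security/cacerts.
    public static void main(String[] args) throws Exception {
        Path cacerts = args.length > 1 ? Paths.get(args[1])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        System.out.println("Truststore under test: " + cacerts);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, null); // null password: read the entries without the integrity check
        }
        // Parse every certificate in the file and show who signed what.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        for (X509Certificate c : chain)
            System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
        // Same PKIX validation the JVM applies during the TLS handshake, against this cacerts only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            System.out.println("OK: this cacerts trusts the chain, so CF is probably using a different file.");
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e.getMessage());
            // Is the issuer of the top-most cert in the file present as a trust anchor here?
            String wanted = chain.get(chain.size() - 1).getIssuerX500Principal().getName();
            boolean found = false;
            for (String alias : Collections.list(ks.aliases())) {
                Certificate t = ks.getCertificate(alias);
                if (t instanceof X509Certificate
                        && ((X509Certificate) t).getSubjectX500Principal().getName().equals(wanted)) found = true;
            }
            System.out.println(found ? "Issuer is present; check chain order, validity dates and the file CF loads."
                    : "Issuer not in this cacerts, import it with keytool: " + wanted);
        }
    }
}
```

Run it once against the cacerts you imported into; if it reports OK, the remaining suspect is a second cacerts elsewhere on disk, as the last reply suggests.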