Highlighted

CF2016: Cannot download updates in CF Administrator

New Here ,
Aug 07, 2020

Copy link to clipboard

Copied

Hello,

 

We are unable to download updates for CF2016 (specifically, update 16) to both our dev and producation servers through the ColdFusion Administrator. (I can download the file manually.) This had been working, but two things have changed: 1) the CF service is now running with a dedicated, non-admin account, 2) we applied the ColdFusion (2016 release) Lockdown Guide.

Which leads to two questions:

  1. Must the CF service be running with an admin account for the download through CF Admin to work? 
  2. Are you aware of anything we might have changed when applying the lockdown guide that would have caused this to stop working? (I've reviewed our configurations, and tried restoring some to the original settings, without success.)

Thanks for any information or ideas.

Views

35

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

CF2016: Cannot download updates in CF Administrator

New Here ,
Aug 07, 2020

Copy link to clipboard

Copied

Hello,

 

We are unable to download updates for CF2016 (specifically, update 16) to both our dev and producation servers through the ColdFusion Administrator. (I can download the file manually.) This had been working, but two things have changed: 1) the CF service is now running with a dedicated, non-admin account, 2) we applied the ColdFusion (2016 release) Lockdown Guide.

Which leads to two questions:

  1. Must the CF service be running with an admin account for the download through CF Admin to work? 
  2. Are you aware of anything we might have changed when applying the lockdown guide that would have caused this to stop working? (I've reviewed our configurations, and tried restoring some to the original settings, without success.)

Thanks for any information or ideas.

Views

36

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Aug 07, 2020 0
Adobe Community Professional ,
Aug 07, 2020

Copy link to clipboard

Copied

Judis, when you say you can't download, can you confirm if you mean the button doesn't work? or do you mean that the download happens but fails? Each has different reasons--and neither has to do with how the CF service is running.

 

First, what CF update are you on now? If it's before CF2016 update 11, then you will find that the update downloads but then "fails to verify". You can fix that by doing update 11 first, as discussed in each of the update technotes since then.

 

Second, if you can't even get it to download, do you see 3 tabs on the CF Admin page for the Server updates? If you do not, then that's a different problem. You (or someone) changed the CF Admin setting for "default script src" (on the main "Settings" page) to be something other than the default. the lockdown guide tells you to do that--but then you need to also configure the built-in web server in CF to use that modified path.

 

The quick solution for that is to note what it is, change it back to the default (see the lockdown guide), then get the update, and when finished change it back to what you first found--because you or someone may have changed your web server to set a virtual directory/alias of that name as well, and now THAT would break if you don't set it back.

 

Finally, if you were to say the update downloads, but then it's the "install" step that fails, that COULD be because you are running the CF service as a limited user. It's unable to stop and start the CF service. You could change the service back to running as "local system", and then do the update (and change it back later, to meet the security intent of having changed it from local system). You could also instead run the update from the command line, among other options. I'm trying to give you quick solutions that may help you (and others, finding this in the future).

 

One of the problems with the lockdown guide (which I have long lamented) is that if you "do a bunch of stuff" and then restart CF, you have changed a lot of things that now "may not work", and you may not know WHICH thing broke whatever doesn't work. And you may not find out for days or weeks--either because you don't restart CF for some time after the changes, or you try things (like the CF updates) well after having made the changes and restarted CF.

 

I know that's all a lot to take in, but it may have your solution. If not, I can promise that someone with experience doing these things (liek myself and others here) could readily find and fix whatever is amiss, remotely via screenshare (on a consulting basis). I list such consultants on my site, at https://cf411.com/cftrouble.

 

But we (all) can continue back and forth here as long as it makes sense for you.

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 07, 2020 0
New Here ,
Aug 07, 2020

Copy link to clipboard

Copied

Thanks for your quick reply, Charlie.

Starting with the winning question regarding the Default ScriptSrc Directory: You nailed it! I did not see those tabs (indeed, had completely forgotten about them). I reverted to the original directory, and the download began. We (ok, I) did indeed create a virtual directory on the webserver. I tried unsuccessfully to follow the instructions in section 4.1 to create an alias for the built-in web server. We’re running on Windows, and the example in the Lockdown Guide appears to be for Linux. Do you have a template for Windows that I can follow? I’ll keep trying, but a working model would be fabulous.

These are not so important any longer, but in the interest of completeness:

* Can’t download – it appears the button does not work. But, we get this message in the http.log:
"Information","http-nio-8500-exec-4","08/07/20","14:10:26","","Starting HTTP request {URL='https://www.adobe.com/go/coldfusion-updates', method='get'}"
"Information","http-nio-8500-exec-4","08/07/20","14:10:27","","HTTP request completed {Status Code=200 ,Time taken=517 ms}"
* We’re on CF2016 Update 15. Adobe support confirmed the downloader for 16 is working.

Best,
Judi

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 07, 2020 0
Adobe Community Professional ,
Aug 08, 2020

Copy link to clipboard

Copied

Great to hear that it helped, Judi. As for the proper way to set the alias, there is a different way to use than you are using.

 

First, the problem is that your reference to this being covered in section "4.1" tells me that you are looking at the CF2016 lockdown guide, rather then the 2018 guide (even if the filename of the PDF you see says 2018, look at the first page of the pdf). It was the 2016 guide which discussed this in its section 4.1. The 2018 guide is quite different (with 4.1 covering another subject).

 

Second, the issue with what you found in the 2016 lockdown guide is that it was written for the version of Tomcat that CF2016 ran on originally (Tomcat 8 or 7), whereas CF2018 (or any CF running on a Tomcat 8.5 or above) needs to use a different approach (because Tomcat changed).

 

Here's some good news, though. Pete Freitag (who wrote the lockdown guide) has a blog post showing the correct way to do it going forward:

https://www.petefreitag.com/item/867.cfm

 

As for why there's no discussion of either approach in the CF2018 lockdown guide, that's a good question. Let's see if Pete may see this and share a thought (or maybe someone from Adobe will).

 

Let us know if that gets you going.

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 08, 2020 0
Adobe Community Professional ,
Aug 08, 2020

Copy link to clipboard

Copied

judis93109396: "We are unable to download updates for CF2016 (specifically, update 16) to both our dev and producation servers through the ColdFusion Administrator. "

 

What do you see when you go to the Server Update page in the ColdFusion Administrator? This is still unclear to me. If it's simply that the download button is invisible, you will see it when you press on TAB on the keyboard.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 08, 2020 0