We are unable to download updates for CF2016 (specifically, update 16) to both our dev and production servers through the ColdFusion Administrator. (I can download the file manually.) This had been working, but two things have changed: 1) the CF service is now running with a dedicated, non-admin account, 2) we applied the ColdFusion (2016 release) Lockdown Guide.
Which leads to two questions:
Thanks for any information or ideas.
Judis, when you say you can't download, can you confirm if you mean the button doesn't work? Or do you mean that the download happens but fails? Each has different reasons--and neither has to do with how the CF service is running.
First, what CF update are you on now? If it's before CF2016 update 11, then you will find that the update downloads but then "fails to verify". You can fix that by doing update 11 first, as discussed in each of the update technotes since then.
Second, if you can't even get it to download, do you see 3 tabs on the CF Admin page for the Server updates? If you do not, then that's a different problem. You (or someone) changed the CF Admin setting for "default script src" (on the main "Settings" page) to be something other than the default. The lockdown guide tells you to do that--but then you need to also configure the built-in web server in CF to use that modified path.
The quick solution for that is to note what it is, change it back to the default (see the lockdown guide), then get the update, and when finished change it back to what you first found--because you or someone may have changed your web server to set a virtual directory/alias of that name as well, and now THAT would break if you don't set it back.
Finally, if you were to say the update downloads, but then it's the "install" step that fails, that COULD be because you are running the CF service as a limited user. It's unable to stop and start the CF service. You could change the service back to running as "local system", and then do the update (and change it back later, to meet the security intent of having changed it from local system). You could also instead run the update from the command line, among other options. I'm trying to give you quick solutions that may help you (and others, finding this in the future).
One of the problems with the lockdown guide (which I have long lamented) is that if you "do a bunch of stuff" and then restart CF, you have changed a lot of things that now "may not work", and you may not know WHICH thing broke whatever doesn't work. And you may not find out for days or weeks--either because you don't restart CF for some time after the changes, or you try things (like the CF updates) well after having made the changes and restarted CF.
I know that's all a lot to take in, but it may have your solution. If not, I can promise that someone with experience doing these things (like myself and others here) could readily find and fix whatever is amiss, remotely via screenshare (on a consulting basis). I list such consultants on my site, at https://cf411.com/cftrouble.
But we (all) can continue back and forth here as long as it makes sense for you.
Great to hear that it helped, Judi. As for the proper way to set the alias, there is a different way to use than you are using.
First, the problem is that your reference to this being covered in section "4.1" tells me that you are looking at the CF2016 lockdown guide, rather than the 2018 guide (even if the filename of the PDF you see says 2018, look at the first page of the pdf). It was the 2016 guide which discussed this in its section 4.1. The 2018 guide is quite different (with 4.1 covering another subject).
Second, the issue with what you found in the 2016 lockdown guide is that it was written for the version of Tomcat that CF2016 ran on originally (Tomcat 8 or 7), whereas CF2018 (or any CF running on a Tomcat 8.5 or above) needs to use a different approach (because Tomcat changed).
Here's some good news, though. Pete Freitag (who wrote the lockdown guide) has a blog post showing the correct way to do it going forward:
As for why there's no discussion of either approach in the CF2018 lockdown guide, that's a good question. Let's see if Pete may see this and share a thought (or maybe someone from Adobe will).
Let us know if that gets you going.
judis93109396: "We are unable to download updates for CF2016 (specifically, update 16) to both our dev and production servers through the ColdFusion Administrator."
What do you see when you go to the Server Update page in the ColdFusion Administrator? This is still unclear to me. If it's simply that the download button is invisible, you will see it when you press on TAB on the keyboard.