CFHTTP Issue & Java Update

Report · May 10, 2021

Recently one of my CFHTTP calls stopped working, the authentication that was working on the calling page is no longer working. I verified with the owners of the page i'm calling that nothing has changed on their end. I did some googling and found Charlie Arehart's post about CFHTTP issue might have to do with JVM and that JVM should be updated.

My ColdFusion 2016 server is on Java version 1.8.0_112 and CF Update 5. I know both the Java and CF need to be updated, long story short, we lost our server guy and we have no one to keep on top of updates.

Based off the article, I updated the server to Java 1.8.0_281. My CFHTTP issue still hasn't resolved but now I am receiving the following error from another CFHTTP call. I tried a lower version of Java 1.8.0_271 and Java 1.8.0_121 but still seeing the same error.

struct

Charset	[empty string]
ErrorDetail	I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
Filecontent	Connection Failure
Header	[empty string]
Mimetype	Unable to determine MIME type of file.
Responseheader	struct [empty]
Statuscode	Connection Failure. Status code unavailable.
Text	YES

I know it's probably a chicken and egg thing with the Java update and the CF updates but I am throwing it out to see if anyone has any ideas as how to resolve this issue. Should I do the CF updates first then the Java update or visa-versa. I'm a programmer doing server updates with limited knowledge of Linux so it's always an adventure!

Server Details
Server Product	ColdFusion
Version	2016,0,05,303689
Edition	Enterprise
Operating System	UNIX
OS Version	3.10.0-327.36.1.el7.x86_64

Tomcat Version

8.5.11.0

Java Version

1.8.0_112

Thanks in advanced for any help you can give me,

Jennifer

Report · May 11, 2021

After you install a new Java version, you have to import the security key of the site into the Java key store. The process is something like this:

1) Download a copy of the key. If you don't know how, google it. It's easy. 🙂

2) Locate the tool [JAVA_HOME]/bin/keytool of the new Java installation. Run as admin/sudo the command to import the key. It is something like

keytool -import -alias myCertificateAlias -file "\path\to\myCertFile.cer" -keystore "[JAVA_HOME]\lib\security\cacerts" -storepass changeit

where

myCertificateAlias is my custom certificate alias. Choose your own;
\path\to\myCertFile.cer is the absolute path to the .cer file obtained in the first step;
JAVA_HOME is the path to your new Java installation;
changeit is my custom password. Choose your own.

Note: Store myCertificateAlias and changeit in a safe place. You will need them if you decide in future to remove the key from the key store.

Report · May 11, 2021

Thank you BKBK! I was able to download the .cert file via my broswer for the site and installed it in the new java key store and the CFHTTP call is working as expected. Thank you for your help.

Report · May 11, 2021

While importing the cert into the keystore does work, it is not always the best way to solve this problem.

Usually this problem is caused by a server misconfiguration on the server you are trying to cfhttp to. It is probably missing the intermediate certificate, which leads to this error. Some http clients (like your browser) are pretty forgiving of this issues because they are able to cache the intermediate certificates of trused certificate authorities. This site is the easiest way I've found to check for the missing intermediate cert: https://whatsmychaincert.com/

The reason importing the certificate into cacerts is not a great idea, is because that is for Certificate Authority certificates, meaning you are saying that this certificate you imported is now authorized to sign certificates for any domain. I find it to be necessary to import only if you are using a self signed certificate / ca cert.

Report · May 11, 2021

I should clarify - when I say usually this problem is caused by missing intermediate cert. That is about 50% of the time, the other 49.9% of the time updating the JVM fixes the problem because old JVM's might not have the latest trusted certificates defined in the cacerts. You stated you had already updated it so I didn't expand on that in my last reply.

There is a small chance (I'm giving that 0.1%) that the cacerts file that the latest JVM has doesn't have a new CA certificate for the site you are trying to connect to. This was a lot more common of a problem many years ago, but I've found over the last 5+ years or so that they have done a very good job at keeping it updated with each release. So I haven't in practice actually seen that problem in many many years, but it's still possible in theory.

Report · May 13, 2021

This worked on the first server i updated but the next server I upgraded is throwing this error "I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=acme@XXX.com, CN=*.XXX.com, OU=XXX, O="XXX", L=XX, ST=XX, C=XX" is not a CA certificate"

I updated the JDK the same way and I also imported the certificate the same way as I did the first server.

Thanks in advance,

Jennifer

Report · May 13, 2021

The new issue is likely related to what Pete said. Namely, "There is a small chance (I'm giving that 0.1%) that the cacerts file that the latest JVM has doesn't have a new CA certificate for the site you are trying to connect to. ".

That is, the root cause is most likely a missing or outdated certificate root CA on the server you're trying to connect to. You could debug this using the keytool as is done in https://www.hass.de/content/coldfusion-java-pkix-path-building-failed-javasecuritycertcertpathbuilde...

Having identified the correct certificate CA, you could notify the server admin to update their root CA.

For the time being, there is an alternative you can try. Add the following JVM flag - on the Java page in the ColdFusion Administrator or in jvm.config - in the hope that it might persuade Java to load certificates that don't have a known root CA:

-Djdk.security.allowNonCaAnchor=true

Restart ColdFusion.

Report · May 13, 2021

That error sounds like you are trying to import the leaf certificate instead of a CA certificate. Perhaps newer versions of java are no longer letting you import leaf certificates into the cacerts file. Are both servers running the same version of java?

For most HTTPS sites these days there are three certificates involved, a Root, Intermediate and a Leaf. They have this hierarchy:

Root (trusted by browsers)

|-- Intermediate Certificate (signed by root)

|---- Leaf (signed by intermediate, this is the one you pay for, etc)

Both the root certificate and the intermediate certificates are CA Certificates and you should be able to import those without problem.

Adding the system property jdk.security.allowNonCaAnchor=true would only be necessary if the site certificate is a self signed certificate (not signed by a CA, you generated it yourself). If it is not self signed, then you should just import the missing intermediate or root certificate into cacerts instead. All assuming you trust this site, and the CA that signed it's cert that you are trying to connect to.

Report · May 13, 2021

Yes, both servers were updated to the same version of java, jdk1.8.0_281.

Report · May 14, 2021

Adding the java flag to my server worked. Strangly this is the only server I needed to add the flag. The other two accepted the certificate.

Thank you for all your help!

Jennifer

Adobe Community

CFHTTP Issue & Java Update

1 Correct answer