Issues with Coldfusion 2018 after clean installation.

Dave,

I have scripted puppet to perform the installation silently. I have gotten it to a state where puppet is installing and configuring apache, installing Coldfusion (silently) and performing wsconfig steps. 

All is complete and I am attempting to login (manually by going to https://<MY_FQDN>/CFIDE/administrator)

The password does contain the following special characters: @ : (

This password is stored in puppet encrypted, however when the installer.profile file is generated (for the silent installation), I can verify the password is decrypted and is correct, and does not have any space at the end (I heard spaces in this file can cause havoc).

Any recommendations?

I'm surprised it'll let you try to log in at all - by default, the CF Administrator should not be accessible via Apache or IIS in CF 2018 and you should have to use the internal port to access it. This might be your problem here, although the error message doesn't indicate that.

As for the password, I'd try removing the special characters and trying again. I have no idea how they're escaped in the installer profile.

Dave Watts, Eidolon LLC

And to add to Dave's helpful comment (which I agree is likely the first issue to address), when he refers to the "internal port", he means the built-in web server for CF. Prior to CF2016, that was optional (asked during the installer, and perhaps addressable as well during the silent installer).

Since CF2016, you are no longer asked. It (the built-in, or "Tomcat", web server) is enabled by default, regardless of any choice (in the installer UI or silent installer), and its default port would be 8500 (in a "clean install", within nothing blocking that port).

Note as well that beyond a possible firewall issue, or it being a non-standard http port (which you could of course resolve with ssh or other port forwarding solutions), there is also the matter that since at least CF2016, the CF admin "security" page for "allowed ip addresses" is set by default to allow only access from 127.0.0.1. You can tweak that in the underlying neo-runtime.xml file, or via the Admin API (and perhaps also as a silent installer option).

It is POSSIBLE that the error you are getting is because of THAT. To be clear, the IP limitation does NOT control whether one SEES the CF admin login page (which I think is very curious), only whether it allows you to login or not.

Let us know if any of this gets you going. 

Issue 1: password 

I tried changing to a password without special characters, but the installation actually ended up failing. I am not sure if there is an internal function that ensures certain password requirements, but after putting a special character back in (! - bang sign), the installation worked. Still no luck on the authentication however.

Issue 2: CFADMIN ports

I am going from coldfusion 11 to coldfusion. We had things setup with the legacy system where the CFIDE was mapped in the mod_jk.conf (see config below). I put the same config in the mod_jk.conf rolled out to this system. Is there any reason this cannot work? We try to limit the number of open ports, but if you say something has changed with CF, please let me know exactly what that is.

I would also like to mention that I specified the following in the silent installer.profile (# numbers are a VPN range we use for web administrators):

MOD_JK CONFIG=======

AddHandler jakarta-servlet .cfm .cfml .cfc .cfr .cfswf

DirectoryIndex index.cfm

Alias /CFIDE "/app/coldfusion11/cfusion/wwwroot/CFIDE"

<Directory "/app/coldfusion11/cfusion/wwwroot/CFIDE">

Options -Indexes FollowSymLinks

AllowOverride None

Order allow,deny

Allow from all

</Directory>

<Files ~ ".hbmxml$">

Order allow,deny

Deny from all

</Files>

You say, "if you say something has changed with CF, please let me know exactly what that is." I did. It's that out of the box, CF2016 and above a) presumes to enable the built-in web server, and b) presumes to not allow you to access the CF admin from an external web server. But at least we now know that's your issue to address. 

Some good news is that in CF2018, they did at least allow you to CHANGE this (manually). Besides getting the mod_lk config right (you should CF11, I will asume you correct that for CF2018), note that you ALSO need to modify the uri_workermap.properties file (wheither you find that in the CF or Apache conf files, as it changes depending on some factors), and you will need to comment out the block on the CFIDE folder. You will see it, when you find that file. Then restart Apache, and try again.

(I appreciate that to you, this "other port" of the CF built-in web server is a new potential vuln to guard against, but Adobe's thinking is that that non-standard port 8500 is blocked by your firewall, while the CFIDE being open in the external web server/Apache is a far greater risk--since most people never took additional steps to protect it. Granted, with the new "allowed ip address" limitation, it's LESS vulnerable than it used to be.)

Finally, as for the password, yes, if you told CF to use the "production" profile, it then requires a complicated password.

Let us know how things go.

So I got the firewall team to open FW rules to my VPN group (ip range) specified in my install.profile for the silent install. Uninstalled and reinstalled everything fresh (again using silent install) with no problems.

opened: https://<myhost>:8500/CFIDE/administrator/enter.cfm

Attempted to login and once again:

I might have missed something in this thread, but are you attempting to connect from localhost? By default, the CF Admin is only available via localhost if I recall correctly.

Dave Watts, Eidolon LLC

And to elaborate on Dave's observation, I had said here last week:

Note as well that beyond a possible firewall issue, or it being a non-standard http port (which you could of course resolve with ssh or other port forwarding solutions), there is also the matter that since at least CF2016, the CF admin "security" page for "allowed ip addresses" is set by default to allow only access from 127.0.0.1. You can tweak that in the underlying neo-runtime.xml file, or via the Admin API (and perhaps also as a silent installer option).

It is POSSIBLE that the error you are getting is because of THAT. To be clear, the IP limitation does NOT control whether one SEES the CF admin login page (which I think is very curious), only whether it allows you to login or not.