
Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments

New Here, Jan 26, 2015

Coldfusion 11

Windows Server 2012 R2

Both the Coldfusion admin and additional site work fine on HTTP.

As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....

Coldfusion 11 - Web Sockets via SSL

The Coldfusion-error.log shows

Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path

Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.

Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?

If I reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.

Any assistance welcome - I can't allow this site to be made publicly available with using SSL.

SM

Community Expert, Jan 26, 2015

@Scott, first are you running update 3? If so, let’s clarify at the outset that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email cfsup@adobe.com to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.

If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.

First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.

Look instead in the coldfusion-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may find the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.)

You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.

Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the “java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).

Finally, when you say that if you “comment out the SSL sections it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?

To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.

/charlie


/Charlie (troubleshooter, carehart.org)

New Here, Jan 27, 2015

Hi Charlie,

thanks for taking the time to assist - appreciated.

I did consider updating Coldfusion to update 2 or 3, but saw some of the issues with them so decided not to. The build number is 11.0.0.289974.

I think we can discount the error I posted above - "INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path". The entry appears in the log file regardless of whether it's running on HTTP or HTTPS.

The coldfusion-out.log doesn't show anything failing, but it does show when I changed the websocket settings - the entries before (on HTTP) and after (on HTTPS) are identical. So it's as if CF thinks it's working fine, despite the service failing.

The paths to the certs, or rather to the keystore file I should have said (E:/ColdFusion11/jre/lib/security/cacerts) is shown on the Server Settings > Websocket page. I'll check out the JVM settings and certs there - thanks for the pointer.

Yes, when I comment out the SSL sections in the server.xml, the Coldfusion application and the hosted site start quite happily.

Thanks again for your assistance

Scott

New Here, Jan 27, 2015

Just checked the JVM settings - E:/Coldfusion11/jre. The cacerts file is in the /lib/security sub folder.

I'll try a couple of things and report back later.

New Here, Jan 27, 2015

Run out of ideas - unless anyone has any more, I'll see if I can increase the logging level tomorrow. See what that brings.

Guide, Jan 27, 2015

Hi Scott,

Perhaps if you run CF from CMD prompt you will get some more debugging to know what is going on. Run CMD as administrator, then CD \CF11\cfusion\bin and run cfstart.

HTH, Carl.

New Here, Jan 28, 2015

Thanks Carl I'll give that a try.

If that fails, I'll take a snapshot of the server and work from this post on the forum...seems v similar! CF11 services won't restart

Scott

Community Expert, Feb 02, 2015

Any update on things, Scott? As for problems with updates 2 and 3 which have you hesitant, I don’t know that any are show-stoppers. Since they are as easy to uninstall as to install, it’s certainly worth seeing if applying them (you need only do 3, as it incorporates 2) might help.

Better still, Adobe has come out with a prerelease of update 4 which does deal directly with web sockets. Beware trying to read the comments of the bug report it points to (as “fixing”), in trying to interpret if it may or may not apply to or help you. Some of those comments are from before the update was released.

Also, even though the update 4 “issues fixed” says it fixes a problem with websockets “after update 3 was applied”, and you may say “well we had not yet applied update 3, so that can’t help us”, just beware that it could be that update 2 or 3 (which you don’t have) may have done ONE thing to help with your problem, and then update 3 did some other thing that they are now correcting. So it COULD still be that update 4 WOULD fix your problem, so I hope you’ll test it and let us know.

/charlie


/Charlie (troubleshooter, carehart.org)

New Here, Feb 03, 2015

Hi Charlie,

I applied update 3 yesterday, and sure enough I encountered the issue that others have also had (see link below). I have just requested Update 4 from CF Support, so will keep you posted.

Scott

Re: Coldfusion 11 - Web Sockets via SSL

Community Expert, Feb 03, 2015

Scott, here’s good news: you don’t need to ask them for it. It’s up on their web site. Sorry I didn’t think to point that out:

http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-4-is-available-for-early-access

/charlie


/Charlie (troubleshooter, carehart.org)

New Here, Feb 03, 2015

Thanks Charlie.

I'll give that a try.

Scott

New Here, Feb 04, 2015

Hi Charlie,

Update 4 has been applied and the CF service still won't start after setting the server.xml file to use HTTPS.

The description for Event ID 259 from source ColdFusion 11 Application Server cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

ColdFusion 11 Application Server

the message resource is present but the message is not found in the string/message table

Found another post in the forum that mentions this - there is a specific fix that is available (not sure if it's included in U3 or U4). I have requested this download link from the CF Install support.

This will work one day!!!!

Scott

New Here, Feb 04, 2015

Hi Charlie and Carl,

I have finally sorted this - painful journey but the server now works with SSL.

In short, follow the article....

Coldfusion 11 - Web Sockets via SSL

1. Apply CF update 4 (thank you Charlie)

2. Export the .pfx file to a JKS file, and then configure your server.xml and CF Admin > Server Settings > Websocket page to point at this .jks file.

3. Restart Coldfusion application service

4. Browse to the CF admin and hosted site via https on the port you specified in CF Admin and server.xml 🙂

The issue was resolved partly down to my lack of experience (in pointing the server at the cacerts file thinking this would work) and the CF11 update 4.

Thanks for all your help with this.

Scott

Community Expert, Feb 04, 2015

Thanks for the update. And I’ll admit my own lack of experience with the SSL aspect of CF web sockets and that separate page of settings where you added this.

So I’m curious: as you perhaps compare the server.xml that was created and now working, do you find whatever was amiss in what you had been trying to tweak (if anything)? Or is it that there were no tweaks, but as long as that SSL support was indicated in that config file, and the step about the pfx file in the admin had not been done, then it’s just that CF could not start?

Am I piecing together the past issues/steps correctly? It could just help others who may run into similar issues in the future. Thanks.

/charlie


/Charlie (troubleshooter, carehart.org)

New Here, Feb 04, 2015

Hi Charlie,

here were the issues...

1. The server.xml file was pointing at the cacerts file (that I imported all of our certs to), as was the CF Admin \ Web sockets page. If the line with Connector port="8443" was commented out the CF application service would start.

2. I started reading more into the certs side, and found that you need to actually export the .pfx file to a JKS file - see link below.

java - How to convert .pfx file to keystore with private key? - Stack Overflow

3. Go back into CF admin and change the CF Admin > Server Settings > Websocket page to point at the location of your new JKS file

4. Edit the server.xml file as follows...(ensure the comments at start and end are removed)

  <Connector port="8443"
             protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="e:\Coldfusion11\jre\bin\newcert.jks"
             keystorePass="#######"
             keystoreType="JKS" />

5. Restart the CF application service and check that you can browse to the CF admin and your hosted site on the port identified above, as well as HTTPS.

Sit down and pour yourself a beer / non-alcoholic beverage of your choice. 🙂

Hope that helps.

Scott
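
As an added illustration (not part of the post above and not Adobe's or Tomcat's own code): a TLS connector needs a keystore that holds the server's private key, which keytool -list reports as a PrivateKeyEntry, whereas a trust store such as cacerts normally lists only trustedCertEntry items. This sketch checks each SSL-enabled Connector's keystoreFile against keytool listings; the server.xml fragment, port 8444, the aliases and the listing text are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: port 8443 repeats the thread's first attempt
# (keystoreFile -> JVM cacerts); port 8444 uses a dedicated JKS keystore.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" keystoreType="JKS"
     keystoreFile="E:\ColdFusion11\jre\lib\security\cacerts" keystorePass="PLACEHOLDER"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" keystoreType="JKS"
     keystoreFile="e:\Coldfusion11\jre\bin\newcert.jks" keystorePass="PLACEHOLDER"/>
  <Connector port="8500" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed `keytool -list -keystore <file>` text, keyed by keystore file name.
LISTINGS = {
    "cacerts": """Your keystore contains 2 entries
examplerootca, Jan 26, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)
examplesite, Jan 26, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)
""",
    "newcert.jks": """Your keystore contains 1 entry
examplesite, Feb 4, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed)
""",
}

ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+, (?P<kind>\w+Entry),[ \t]*$", re.M)

def entry_types(listing):
    """Map alias -> entry type (trustedCertEntry, PrivateKeyEntry, ...)."""
    return {m["alias"]: m["kind"] for m in ENTRY_RE.finditer(listing)}

def check_connectors(server_xml, listings):
    """Return {port: verdict} for each SSL-enabled Connector in server.xml."""
    verdicts = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connectors need no keystore
        name = re.split(r"[\\/]", conn.get("keystoreFile", ""))[-1]
        kinds = set(entry_types(listings.get(name, "")).values())
        verdicts[conn.get("port")] = (
            "ok: has private key" if "PrivateKeyEntry" in kinds
            else "no private key: trust store only" if kinds
            else "keystore not listed")
    return verdicts

if __name__ == "__main__":
    print(check_connectors(SERVER_XML, LISTINGS))
```

In real use, the listing text would be captured from keytool for each keystoreFile before restarting the service.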

Guide, Feb 04, 2015

Thanks Scott, I learned something new. Cheers, Carl.

Guide, Jan 26, 2015

Hi Scott,

For CF out log reporting - The APR based Apache Tomcat library which allows optimal performance in production environments etc

You could try downloading tomcat native, extract that, then place "x64\tcnative-1.dll" in ColdFusion11\cfusion\lib. CF will need a restart to apply that.

Think Charlie likely prompted you in the right direction - does the Java that CF is using have your SSL Cer file added to cacerts (trusted certificates)?

HTH, Carl.

New Here, Jan 27, 2015

Hi Carl,

thanks for the info - I think given that same entry appears in the logfile regardless of working with HTTP or HTTPS, we can discard.

Yes the SSL certs have been added to the cacerts file.

Scott
