Copy link to clipboard
Windows Server 2012 R2
Both the Coldfusion admin and additonal site work fine on HTTP.
As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
The Coldfusion-error.log shows
Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
Any assistance welcome - I can't allow this site to made publicly available with using SSL.
Copy link to clipboard
@Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email email@example.com to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
Finally, when you say that if you “comment out the SSL sections it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
thanks for taking the time to assist - appreciated.
I did consider updating Coldfusion to update 2 or 3, but saw some of the issues with them so decided not to. The build number is 188.8.131.529974.
I think we can discount the error I posted above - "INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path". The entry appears in the log file regardless if its running on HTTP or HTTPS.
The coldfusion-out.log doesnt show anything failing, but it does show when I changed the websocket settings - the entries before (on HTTP) and after (on HTTPS) are identical. So its as if CF thinks its working fine, despite the service failing.
The paths to the certs, or rather to the keystore file I should have said (E:/ColdFusion11/jre/lib/security/cacerts) is shown on the Server Settings > Websocket page. I'll check out the JVM settings and certs there - thanks for the pointer.
Yes, when I comment out the SSL sections in the server.xml, the Coldfusion application and the hosted site start quite happily.
Thanks again for your assistance
Just checked the JVM settings - E:/Coldfusion11/jre. The cacerts file is in the /lib/security sub folder.
I'll try and couple of things and report back later.
Run out of ideas - unless anyone has any more, I'll see if I can increase the logging level tomorrow. See what that brings
Perhaps if you run CF from CMD prompt you will get some more debugging to know what is going on. Run CMD as administrator then CD \CF11\cfusion\bin cfstart .
Any update on things, Scott? As for problems with updates 2 and 3 which have you hesitant, I don’t know that any are show-stoppers. Since they are as easy to uninstall as to install, it’s certainly worth seeing if applying them (you need only do 3, as it incorporates 2) might help.
Better still, Adobe has come out with a prerelease of update 4 which does deal directly with web sockets. Beware trying to read the comments of the bug report it points to (as “fixing”), in trying to interpret if it may or may not apply to or help you. Some of those comments are from before the update was released.
Also, even though the update 4 “issues fixed” says it fixes a problem with websockets “after update 3 was applied”, and you may say “well we had not yet applied update 3, so that can’t help us”, just beware that it could be that update 2 or 3 (which you don’t have) may have done ONE thing to help with your problem, and then update 3 did some other thing that they are now correcting. So it COULD still be that update 4 WOULD fix your problem, so I hope you’ll test it and let us know.
I applied update 3 yesterday, and sure enough I encountered the issue that others have also had (see link below). I have just requested Update 4 from CF Support, so will keep you posted.
Scott, here’s good news: you don’t need to ask them for it. It’s up on their web site. Sorry I didn’t think to point that out:
I'll give that a try.
Update 4 has been applied and the CF service still won't start after setting the server.xml file to use HTTPS.
The description for Event ID 259 from source ColdFusion 11 Application Server cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
ColdFusion 11 Application Server
the message resource is present but the message is not found in the string/message table
Found another post in the forum that mentions this - there is a specific fix that is available (not sure if its included in U3 or U4). I have requested this download link from the CF Install support.
This will work one day!!!!
Hi Charlie and Carl,
I have finally sorted this - painful journey but it server now works with SSL.
In short, follow the article....
1. Apply CF update 4 (thank you Charlie)
2. Export the .pfx file to a JKS file, and then configure your server.xml and CF Admin > Server Settings > Websocket page to point at this .jks file.
3. Restart Coldfusion application service
4. Browse to the CF admin and hosted site via https on the port you specified in CF Admin and server.xml 🙂
The issue was resolved partly down to my lack of experience (in pointing the server at the cacerts file thinking this would work) and the CF11 update 4.
Thanks for all your help with this.
Thanks for the update. And I’ll admit my own lack of experience with the SSL aspect of CF web sockets and that separate page of settings where you added this.
So I’m curious: as you perhaps compare the server.xml that was created and now working, do you find whatever was amiss in what you had been trying to tweak (if anything)? Or is it that there were no tweaks, but as long as that SSL support was indicated in that config file, and the step about the pfx file in the admin had not been done, then it’s just that CF could not start?
Am I piecing together the past issues/steps correctly? It could just help others who may run into similar issues in the future. Thanks.
here were the issues...
1. The server.xml file was pointing at the cacerts file (that I imported all of our certs to), as was the CF Admin \ Web sockets page. If the line with Connector port="8443" was commented out the CF application service would start.
2. I started reading more into the certs side, and found that you need to actually export the .pfx file to a JKS file - see link below.
3. Go back into CF admin and change the CF Admin > Server Settings > Websocket page to point at the location of your new JKS file
4. Edit the server.xml file as follows...(ensure the comments at start and end are removed)
maxThreads="150" scheme="https" secure="true"
5. Restart the CF application service and it check that you can browse to the CF admin and your hosted site on the port identified above, as well as HTTPS.
Sit down and pour yourself a beer / non-alcoholic beverage of your choice. 🙂
Hope that helps.
Thanks Scott, I learned something new. Cheers, Carl.
Copy link to clipboard
For CF out log reporting - The APR based Apache Tomcat library which allows optimal performance in production environments etc
You could try download tomcat native, extract that then place "x64\tcnative-1.dll" in ColdFusion11\cfusion\lib. CF will need a restart to apply that.
Think Charlie likely prompted you in right direction - Does the Java that CF is using have your SSL Cer file added to cacerts (trusted certificates).
thanks for the info - I think given that same entry appears in the logfile regardless of working with HTTP or HTTPS, we can discard.
Yes the SSL certs have been added to the cacerts file.