2
votes

I have ColdFusion 9 installed on my system.

I need to read data from an SSL encrypted site (https). I have followed all the steps described in CF documentation.

That is:

  • Go to a page on the SSL server in question.
  • Double-click the lock icon.
  • Click the Details tab.
  • Click Copy To File.
  • Select the base64 option and save the file.
  • Copy the CER file into C:\ColdFusion8\runtime\jre\lib\security (or whichever JRE ColdFusion is using).
  • Run the following command in the same directory (keytool.exe is located in C:\CFusionMX7\runtime\jre\bin):
    keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer

In CMD, it showed "certificate was added successfully".

But it is still showing the same error: "peer not authenticated".

Is there anything more required?

2
Did you restart the ColdFusion service after importing the cert? Are you sure that you updated the correct keystore? - Miguel-F
Did you export all the certs in the chain in the steps above? Try viewing the parent cert and exporting/importing that too. Work your way up the chain, doing a restart between each import. If I recall correctly, Java will tell you whether the cert is already installed. - barnyr
Who is the issuing party of the certificate? I had the same issue with a GoDaddy (Turbo SSL) certificate, even following all of the directions and restarting. Never got it resolved. Had GoDaddy switch the certificate to Starfield and it worked perfectly. - steve
Thanks Miguel, thanks for your suggestion. I have updated the wrong keystore, now I have updated the correct one. It's working fine, no issues. - Deepak Kumar Padhy
Great, glad you found the problem. Please post an answer for this so that others can find it more easily than in these comments. - Miguel-F

2 Answers

2
votes

If you are trying to call web services in CF 11 (and maybe 10 but check that yourself), CF expects the web service or any CFHTTP call to use the WebSocket Service and port 8577 in a standard setup. This is because the WebSocket Services have been optimized for web services and CFHTTP also uses WebService Sockets.

I run CF 11 on my IIS server and port 8577 is blocked by a firewall. When I tried to connect, it sends back this error for CFHTTP and web services:

"I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

It would seem like it requires adding custom certificates to the CACERT for JRE, but that is not the solution for me.

There is a simple fix to get this running with IIS (at least IIS) if you do not want to unblock the WebSocket Service and you don't need that performance to run natively. All you have to do is go into the CF Admin dashboard and change the WebSocket Service to "Use Proxy". This will send all calls to the CF WebSocket Service or CFHTTP through IIS as a proxy. Restart the CF Application Server service and it should work just fine. If these directions are not perfect, I apologize, but it will lead you to get it working. See also Using WebSocket with ColdFusion 11.

0
votes

Although the documentation doesn't specifically mention it, restarting the ColdFusion service is required. If you haven't already, that should be the first thing you try.
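
The fix reported in the comments was importing into the keystore that ColdFusion actually uses. As an added example (not part of the original thread), this CFML page, run on the ColdFusion server itself, reports the JRE and truststore of the running JVM and whether the exported certificate is present in it. The certificate path and the JDK default store password `changeit` are assumptions.

```cfml
<cfscript>
// Added example. Assumptions: certPath is where you saved the exported CER file,
// and the truststore still uses the JDK default password "changeit".
certPath  = "C:\temp\filename.cer";   // hypothetical path
storePass = "changeit";

sys      = createObject("java", "java.lang.System");
javaHome = sys.getProperty("java.home");
// A -Djavax.net.ssl.trustStore JVM argument replaces the default cacerts file.
storePath = sys.getProperty("javax.net.ssl.trustStore", javaHome & "/lib/security/cacerts");

// Load the truststore this JVM actually reads.
ksClass = createObject("java", "java.security.KeyStore");
ks      = ksClass.getInstance(ksClass.getDefaultType());
storeIn = createObject("java", "java.io.FileInputStream").init(storePath);
try {
    ks.load(storeIn, storePass.toCharArray());
} finally {
    storeIn.close();
}

// Parse the exported certificate (base64 and DER encodings are both accepted).
certFactory = createObject("java", "java.security.cert.CertificateFactory").getInstance("X.509");
certIn      = createObject("java", "java.io.FileInputStream").init(certPath);
try {
    cert = certFactory.generateCertificate(certIn);
} finally {
    certIn.close();
}

// getCertificateAlias returns null when no entry matches this certificate.
alias = ks.getCertificateAlias(cert);

writeOutput("java.home: " & htmlEditFormat(javaHome) & "<br>");
writeOutput("truststore: " & htmlEditFormat(storePath) & "<br>");
writeOutput("subject: " & htmlEditFormat(cert.getSubjectX500Principal().getName()) & "<br>");
writeOutput("issuer: " & htmlEditFormat(cert.getIssuerX500Principal().getName()) & "<br>");
if (isNull(alias)) {
    writeOutput("Certificate is NOT in this truststore; keytool was run against a different file.");
} else {
    writeOutput("Certificate found under alias: " & htmlEditFormat(alias));
}
</cfscript>
```

If the reported truststore differs from the file keytool was run against, repeat the import against the reported path and restart the ColdFusion service.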