Connection Failure when trying to make simple REST call to Jira API

2
votes

I have this simple GET call that works perfectly from Postman, Powershell, C# and even browser JS ( after disabling CORS ), but porting it to a ColdFusion CFHTTP call is failing.

Below is the response from the Jira API:

{
  "ErrorDetail": "I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
  "Mimetype": "Unable to determine MIME type of file.",
  "Filecontent": "Connection Failure",
  "Statuscode": "Connection Failure.  Status code unavailable.",
  "Responseheader": {
    
  },
  "Text": true,
  "Charset": "",
  "Header": ""
}

CF Code:

<cfset jql="<redacted>">
<cfset jiraEndpoint ='https://jira.bullhorn.com/rest/api/2/search?jql=#jql#'>

<cfhttp url = "#jiraEndpoint#" result="res" method="get" username="<redacted>" password="<redacted>">    
    <cfhttpparam type="header" name="Accept" value="application/json" />    
</cfhttp>

<cfheader name="Content-Type" value="application/json">
<cfoutput>
    #serializeJSON(res)#
</cfoutput>

Things I have tried:

  • Used a Authorization header with value "Basic <base64 encoded string version of username:password>"
  • Added Content-Type header
  • Added mimetype header
  • Tried to use a third-party CFC

Nothing seems to work.

1
coldfusionjira-rest-apicoldfusion-11
The error sounds like a certificate problem. Eg hass.de/content/…SOS
I agree that it is a certificate problem - though in my experience it's a problem that shouldn't happen in CF2016+ and Lucee 5+ unless there is an "extra download" misconfiguration on the endpoint server, which in this case there isn't, so it looks more like a consequence of the OP having to handle certs for cfhttp the hard way due to using CF11.Sev Roberts
@SevRoberts - Agreed. I only noticed the CF11 tag just nowSOS

1 Answers

3
votes

Jira's certificate configuration checks out fine, including their intermediate cert - you can confirm this with ssllabs or a similar tester, eg https://globalsign.ssllabs.com/analyze.html?d=jira.bullhorn.com .

In your case the reason you see a problem will be because you are using an old version of Coldfusion which is using an old JVM, which neither downloads their Digicert intermediate certificate, nor has that certificate pre-installed. Ideally you should be upgrading from CF11.

For a workaround you can manually install the Digicert intermediate certificate + Jira bullhorn certificate to your server's cacerts - instructions for this vary depending upon your environment but one example is https://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html - then restart the CF service and retry the cfhttp call.