2

I'm trying to retrieve files from a server over SSL using the ColdFusion CFHTTP tag with no success. Our environment is Linux using the Server Configuration. The keystore used is at cf_root/runtime/jre/lib/security/cacerts. I retrieved the X.509 certificate (in DER format) from the target server and exported it to a file. On our server, in the folder where cacerts resides, I imported this cert into our cacerts keystore:

keytool -import -alias certAlias -file pathToX509Cert -keystore cacerts -storepass blahPass

and restarted ColdFusion. Yet, we're still getting the "I/O Exception: peer not authenticated" error. I even tried importing the same cert into the trustStore at cf_root/runtime/lib/trustStore and restarting ColdFusion. Same result. Is there something else I'm missing? I've even tried Raymond Camden's workaround with no luck.

Leigh
HugeBob
  • Have you by chance changed the JRE that ColdFusion is using? You can tell by looking at the System Information page in the ColdFusion administrator. It is the path displayed next to the Java Home label. – Miguel-F Mar 13 '13 at 16:15
  • Miguel, no JRE change. The JAVA Home path is the same. Would the target server have to have my public key perhaps? – HugeBob Mar 13 '13 at 18:14
  • What kind of certificate are you using: self-generated, from an authority like Verisign, etc.? – Miguel-F Mar 18 '13 at 12:37
  • I wasn't sure what the process was, exactly, for retrieving the cert in the first place, until today. Maybe check this to see if it gives you any ideas: http://stackoverflow.com/questions/15645256/exporting-ssl-certificate-in-linux-browser-or-linux-command-line-for-java-cert Also, I found this GUI helpful for browsing/managing the store: http://www.lazgosoftware.com/kse/ – Jamie Jackson Mar 27 '13 at 03:39

1 Answer

0

Depending on the version of CF you're running, the workaround posted by Ray is the only solution. Importing the certificate can work in some cases but if you're accessing a wildcard SSL certificate, I have never been able to get it to work on CF8 or below.

For reference, the code that will fix this is:

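<!--- java.security.Security holds the JVM's list of security providers --->
<cfset objSecurity = createObject("java", "java.security.Security") />
<!--- Keep a reference to the JsafeJCE provider before removing it --->
<cfset storeProvider = objSecurity.getProvider("JsafeJCE") />
<!--- The removal applies to the whole JVM, not just this request --->
<cfset objSecurity.removeProvider("JsafeJCE") />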

If this is not working for you, can you post the URL you are trying to access so we can inspect the certificate?

FWIW, you can generally catch this failure in a cfcatch using type "COM.Allaire.ColdFusion.HTTPFailure".

Brian G
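
One way to combine the workaround and the cfcatch type from the answer above so that the JVM-wide provider removal lasts only for a single cfhttp call. This is an added example, not code from the original posts; the URL, the lock name, the variable names and re-inserting the provider at position 1 are assumptions.

```cfml
<!--- Added example. targetUrl is a placeholder; lock and variable names are assumptions. --->
<cfset targetUrl = "https://example.com/path/to/file" />
<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset httpError = "" />

<!--- removeProvider() changes the whole JVM, so serialize the swap and keep it short. --->
<cflock name="jsafeJceSwap" type="exclusive" timeout="60">
    <cfset storeProvider = objSecurity.getProvider("JsafeJCE") />
    <!--- A null Java return leaves the CF variable undefined (provider not installed). --->
    <cfset hasProvider = isDefined("storeProvider") />
    <cfif hasProvider>
        <cfset objSecurity.removeProvider("JsafeJCE") />
    </cfif>
    <cftry>
        <cfhttp url="#targetUrl#" method="get" throwOnError="yes"
                timeout="30" result="httpResult" />
        <cfcatch type="COM.Allaire.ColdFusion.HTTPFailure">
            <!--- The failure type named in the answer; keep the message for reporting. --->
            <cfset httpError = cfcatch.message & " " & cfcatch.detail />
        </cfcatch>
        <cfcatch type="any">
            <!--- Unexpected error: restore the provider before rethrowing. --->
            <cfif hasProvider>
                <cfset objSecurity.insertProviderAt(storeProvider, 1) />
            </cfif>
            <cfrethrow />
        </cfcatch>
    </cftry>
    <!--- Put the provider back (position 1 is an assumption about its original order). --->
    <cfif hasProvider>
        <cfset objSecurity.insertProviderAt(storeProvider, 1) />
    </cfif>
</cflock>

<cfif len(httpError)>
    <cfoutput>cfhttp failed: #htmlEditFormat(httpError)#</cfoutput>
<cfelse>
    <cfoutput>Status: #httpResult.statusCode#</cfoutput>
</cfif>
```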