OhkaBaka

Reputation: 349

ColdFusion SSL authentication failure

I have a simple cfhttp request (a login) going out to an SSL server:

<cfhttp url="https://www2.[domain].com/api/user/login" method="POST" port="443" >
    <cfhttpparam type="formfield" name="username" value="[username]" >
    <cfhttpparam type="formfield" name="password" value="[password]" >
</cfhttp>

The request fails before it begins, and the ColdFusion server says:

I/O Exception: peer not authenticated

Both development environments work smashingly. They receive the login session and then hand that to the collector process which successfully taps the remote web service for data.

After I spent a day trying to get the correct certificate into the ColdFusion stores, I had the bright idea to actually compare them to the working development environments. I looked at them (keytool -list), and they are identical.

Now that the obvious is absolved, the questions I'm left with are twofold:

  1. Is there some other certificate repository I need to check, or alternately, is there a place where I can get ColdFusion to tell me what certificate repository it needs to find the certificate IN (on the off chance it can and has been altered) or if that is even possible.
  2. Identify and correct whatever else could be causing this.

Upvotes: 3

Views: 4875

Answers (2)

Adrian Ciocălău

Reputation: 361

I HAD the same problem and I tried everything and couldn't fix it. What is strange is that everything worked fine and then suddenly stopped working. It might be a Java update on the server causing the problem or a change of the certificate from the website the CFHTTP is trying to access.

Anyway, here is a link I set up for a "demo" of this problem:

http://www.viaromania.eu/https.cfm

As you can see, I am trying to access an HTTPS service using the CFHTTP tag. And it is not working. I deleted the certificate from C:\ColdFusion9\runtime\jre\lib\security\cacerts, generated a new one from the website URL, imported it back, installed "certman" under CFID/administrator, checked the certificate, it's there... and it's listed in my test page.

If you scroll to the bottom of my test page, you'll see a similar CFHTTP to https://www.google.com and this works fine, even if there is no certificate installed on the server.

It is important to mention that the request is working just perfect on my development machine, and here I also don't have any certificate installed...

AND THIS IS HOW I FIXED IT

1. Updated ColdFusion 9.0.2 with this - https://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-1-coldfusion-902.html

2. Installed Java JDK 1.7.0_79 from here http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

3. Changed the Java Home in ColdFusion Administrator / Server Settings → Java and JVM from "C:\ColdFusion9\runtime\lib\jre" to "C:\Program Files\Java\jdk1.7.0_79\jre"

That's it. I don't know if it uses any certificate or not. They were installed in the "C:\ColdFusion9\runtime\lib\jre\lib\security\cacerts" and not moved from there or anything.

Upvotes: 2

Jason Dean

Reputation: 9615

Are the development and production environments the same? Are they all, for example, ColdFusion 9 Standard or ColdFusion 8 Enterprise?

In my experience, this error is usually caused by one of two things:

  1. The administrator failed to install the certificate into the cacerts repository, or they installed it into the wrong one.

  2. ColdFusion Enterprise and ColdFusion Developer edition (for ColdFusion 8 and ColdFusion 9 both, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.

First, I would explore the possibility that you are importing into the wrong certificate repository. It can be hard to tell which repository is being used. In your CF Admin under "Setting Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it, and that should be the location of the cacerts file that is being used. I say should because I have seen at least one weird situation where it was not.

Upvotes: 7
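One way to confirm which trust store the CF JVM is reading and whether it actually trusts the remote chain, added here as an example and not code from either answer: run the class below with the JRE listed as "Java Home" (Java 7 or later), passing a PEM file of the server's chain (leaf first, e.g. the BEGIN/END CERTIFICATE blocks saved from `openssl s_client -connect host:443 -showcerts`). The class name CfTrustCheck is hypothetical, and it assumes the default cacerts password "changeit".

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic; run it with the JRE that ColdFusion uses, e.g.
//   "C:\ColdFusion9\runtime\jre\bin\java" CfTrustCheck server-chain.pem
public class CfTrustCheck {
    // Same lookup order the JRE uses: an explicit javax.net.ssl.trustStore
    // property wins, otherwise <java.home>/lib/security/cacerts.
    static String trustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return override;
        return new File(System.getProperty("java.home"), "lib/security/cacerts").getPath();
    }

    public static void main(String[] args) throws Exception {
        String path = trustStorePath();
        System.out.println("trust store in use: " + path);

        // "changeit" is the JDK default cacerts password (assumed unchanged here).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];

        // args[0]: PEM file holding the server's chain, leaf certificate first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(args[0])) {
            certs = cf.generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        try {
            tm.checkServerTrusted(chain, "RSA"); // the PKIX validation cfhttp relies on
            System.out.println("TRUSTED by this store");
        } catch (CertificateException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
    }
}
```

If the printed store path differs from the one you imported into, or the chain is reported as not trusted, the import went to the wrong repository; if it is trusted here but cfhttp still fails, the cause lies elsewhere (for example the library issue described in point 2).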
