Wednesday, July 28, 2010

HTTPS Requests to Remote Servers Failing in ColdFusion

Yesterday, we noticed that our HTTPS GET requests to a remote secure server had stopped working after a year in service.  A CFDUMP of CFHTTP showed the following:

Charset: [empty string]
ErrorDetail: I/O Exception: peer not authenticated
Filecontent: Connection Failure
Header: [empty string]
Mimetype: Unable to determine MIME type of file.
Responseheader:  [struct]
Statuscode: Connection Failure.  Status code unavailable.
Text: YES


After some Googling, it seemed that the remote server's SSL certificate was not recognized by our server. Why all of a sudden, and why now? We first thought a change in our server, OS, or firewall was causing it. The remote server's certificate looked good: it was issued by Thawte, not self-signed. So I asked the remote server admins. Apparently Thawte had changed the way they issued certificates, and the new certs were not shipped with ColdFusion or the underlying Java. After digging around a bit on Thawte's site, I ran into this knowledge base article: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1406. For ColdFusion or Java, read "Installation to a Java Keystore". Then follow these steps:
  1. Copy the certificates in Step 1 of the knowledge base article and save them (e.g. in c:\ssl).
  2. Optional: back up the folder /coldfusion9/jre/lib/security.
  3. Open /coldfusion9/jre/lib/security from a command prompt.
  4. Issue the following command to install the first certificate (intca.cer). Note that keytool.exe is in another folder:

     \coldfusion9\runtime\jre\bin\keytool -import -trustcacerts -alias intca -file c:\ssl\intca.cer -keystore cacerts

     • It will prompt you to “Enter keystore password.” Enter “changeit” without quotes; “changeit” is the default password for cacerts.
     • You may be prompted “Trust this certificate?” Enter “yes”.
     • You’re done when it says “Certificate was added to keystore”.
     • Check your keystore file size. It should have gone up by 1-2 KB (ours went from 67KB to 69KB).
  5. Repeat the same process for the other Thawte certificate (crossca.cer):

     \coldfusion9\runtime\jre\bin\keytool -import -trustcacerts -alias crossca -file c:\ssl\crossca.cer -keystore cacerts

     • Check your keystore file size again. Ours went up to 70KB.
  6. Finally, restart the ColdFusion server: go to Windows Services and restart “ColdFusion 9 Application Server”.
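Here is the same import done from PowerShell, with a backup of cacerts, a duplicate-alias check, and a check that the entry written to the store has the same SHA1 fingerprint as the .cer file you reviewed. This is an added example rather than anything from the original post; the paths, alias and the default changeit password are assumed from the steps above, so adjust them to your install.

```powershell
# Added example, not from the original post. Paths, alias and password follow the
# steps above; adjust them to your install. Run on the ColdFusion box as an admin.
$KeyTool   = 'C:\coldfusion9\runtime\jre\bin\keytool.exe'
$CaCerts   = 'C:\coldfusion9\jre\lib\security\cacerts'
$CertFile  = 'C:\ssl\intca.cer'
$Alias     = 'intca'
$StorePass = 'changeit'   # default cacerts password

# Back up the trust store first: keytool rewrites it in place.
Copy-Item $CaCerts "$CaCerts.bak-$(Get-Date -Format yyyyMMdd)" -Force

# Read the certificate we are about to trust and show who issued it, so the
# subject, issuer and fingerprint can be compared with what the CA publishes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha1 = $cert.Thumbprint -replace '(..)(?=.)', '${1}:'   # AB:CD:... as keytool prints it
Write-Host "Importing '$($cert.Subject)' issued by '$($cert.Issuer)'"
Write-Host "SHA1 fingerprint: $sha1 (check it against the fingerprint the CA publishes)"

# Refuse to import if the alias already exists, so an old entry is not silently kept.
& $KeyTool -list -alias $Alias -keystore $CaCerts -storepass $StorePass 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $CaCerts; delete or rename it first" }

# -noprompt answers the "Trust this certificate?" question; the cert was reviewed above.
& $KeyTool -import -trustcacerts -noprompt -alias $Alias -file $CertFile `
    -keystore $CaCerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# Verify the entry now in the store carries the same SHA1 fingerprint as the file
# (-v is needed because the Java 6 keytool shipped with CF9 lists only MD5 without it).
$listed = (& $KeyTool -list -v -alias $Alias -keystore $CaCerts -storepass $StorePass) -join "`n"
if ($listed -notmatch [regex]::Escape($sha1)) {
    throw "Alias '$Alias' is in the store but its fingerprint does not match $CertFile"
}
Write-Host "OK: '$Alias' present in $CaCerts with fingerprint $sha1"

# The JVM only reads cacerts at startup, so restart the service to pick up the change.
Restart-Service -DisplayName 'ColdFusion 9 Application Server'
```

Run it once per certificate (change $CertFile and $Alias for crossca.cer), and note that the size check from the steps above still applies: an unchanged cacerts after "Certificate was added to keystore" means you edited a different keystore than the one the running JVM uses.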

1 comment:

Unknown said...

I'm still getting the "I/O Exception: peer not authenticated" error even after following your steps when trying to make a cfhttp call to https://api.dropbox.com. Am I missing something, or is there something up with their cert?

Many thanks,

Chris