
ColdFusion SSL authentication failure


I have a simple cfhttp request (a login) going out to an SSL server:

<cfhttp url="https://www2.[domain].com/api/user/login" method="POST" port="443" >
    <cfhttpparam type="formfield" name="username" value="[username]" >
    <cfhttpparam type="formfield" name="password" value="[password]" >
</cfhttp>

The request fails before it begins, and the ColdFusion server says:

I/O Exception: peer not authenticated

Both development environments work smashingly. They receive the login session and then hand that to the collector process which successfully taps the remote web service for data.

After I spent a day trying to get the correct certificate into the ColdFusion stores, I had the bright idea to actually compare them to the working development environments. I looked at them (keytool -list), and they are identical.

Now that the obvious is resolved, the questions I'm left with are twofold:

  1. Is there some other certificate repository I need to check? Alternatively, is there a place where I can get ColdFusion to tell me which certificate repository it expects to find the certificate in (on the off chance that it can be, and has been, altered), if that is even possible?
  2. Identify and correct whatever else could be causing this.

Solution

  • Are the development and production environments the same? Are they all, for example, ColdFusion 9 Standard or ColdFusion 8 Enterprise?

    In my experience, this error is usually caused by one of two things:

    1. The administrator failed to install the certificate into the cacerts repository, or they installed it into the wrong one.

    2. ColdFusion Enterprise and ColdFusion Developer edition (for ColdFusion 8 and ColdFusion 9 both, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.

    First, I would explore the possibility that you are importing into the wrong certificate repository. It can be hard to tell which repository is being used. In your CF Admin under "Settings Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it, and that should be the location of the cacerts file that is being used. I say "should" because I have seen at least one weird situation where it was not.
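As an added example (not part of the answer above, and not ColdFusion's own tooling), the following POSIX shell script automates the "which cacerts is this instance really using?" check and then reports which certificates in the remote server's chain are absent from that keystore. It assumes the ColdFusion instance's jvm.config carries a `java.home=` line and an optional `-Djavax.net.ssl.trustStore=` argument in `java.args` (the JSSE property that overrides cacerts entirely), that the keystore password is the JDK default `changeit`, and that `keytool` and `openssl` are on the PATH for the live check; the jvm.config path and hostname in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: locate the trust store a ColdFusion JVM actually loads and
# check a server's certificate chain against it. Not code from the post.
# Assumptions: jvm.config contains "java.home=..." and optionally
# "-Djavax.net.ssl.trustStore=..." in java.args; keytool/openssl on PATH.

# Print the java.home value from a jvm.config file (empty if absent).
parse_java_home() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1
}

# An explicit -Djavax.net.ssl.trustStore=... in java.args overrides cacerts.
parse_truststore_override() {
    sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Resolve the cacerts file under a Java home. A JRE (and any JDK 9+) keeps it
# in lib/security; a pre-9 JDK keeps it under jre/lib/security.
cacerts_path() {
    jh="$1"
    for p in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# The trust store JSSE will load for this instance: override first, else
# the cacerts belonging to java.home.
effective_truststore() {
    cfg="$1"
    override=$(parse_truststore_override "$cfg")
    if [ -n "$override" ]; then
        echo "$override"
        return 0
    fi
    jh=$(parse_java_home "$cfg")
    [ -n "$jh" ] || return 1
    cacerts_path "$jh"
}

# Live check: fetch the chain served on host:port and report, per certificate,
# whether its fingerprint appears in the trust store. Checks both SHA-1 and
# SHA-256 because keytool prints SHA-1 on older JDKs and SHA-256 on newer ones.
missing_from_truststore() {
    host="$1"; port="$2"; store="$3"; storepass="${4:-changeit}"
    tmp=$(mktemp -d)
    # Split the served chain into one PEM file per certificate.
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
        awk -v d="$tmp" '/-----BEGIN CERT/{n++; f=1} f{print > (d "/" n ".pem")} /-----END CERT/{f=0}'
    # Normalise keytool's fingerprint output (strip colons, upper-case hex).
    known=$(keytool -list -keystore "$store" -storepass "$storepass" 2>/dev/null | tr -d ':' | tr 'a-f' 'A-F')
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || { echo "no certificates received from $host:$port" >&2; break; }
        fp1=$(openssl x509 -in "$pem" -noout -fingerprint -sha1 | sed 's/.*=//' | tr -d ':')
        fp256=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/.*=//' | tr -d ':')
        subj=$(openssl x509 -in "$pem" -noout -subject)
        case "$known" in
            *"$fp1"*|*"$fp256"*) echo "present: $subj" ;;
            *)                    echo "MISSING: $subj (sha1 $fp1)" ;;
        esac
    done
    rm -rf "$tmp"
}

# Usage (placeholder paths): sh cf_truststore.sh /opt/coldfusion/runtime/bin/jvm.config www2.example.com 443
if [ $# -eq 3 ]; then
    store=$(effective_truststore "$1") || { echo "no cacerts found via $1" >&2; exit 1; }
    echo "trust store: $store"
    missing_from_truststore "$2" "$3" "$store"
fi
```

The path-derivation part is the same rule the answer gives (Java Home plus lib/security), generalised to the JDK layout and to the `javax.net.ssl.trustStore` override that would explain a "weird situation" where the obvious cacerts is not the one in use. If the script and the Administrator still disagree, the authoritative answer comes from the JVM itself: adding `-Djavax.net.debug=ssl` to java.args in jvm.config and restarting makes JSSE log the trust store path it loaded at startup. Note that `peer not authenticated` also fires when the server sends an incomplete chain, which is why the live check reports every certificate in the chain rather than just the leaf.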