We tried to access a remote web service of a partner, and they had updated their certificate a few days ago. The request fails with a very unhelpful error message in ColdFusion.
Symptom:
- ColdFusion CFHTTP is broken if you access an SSL site, although it worked in the past.
- ColdFusion CFDUMP says "Connection Failure" with "I/O Exception: peer not authenticated".
Analysis:
The very first idea was that something must be wrong with the top-level certification authority, such as a missing root certificate in the cacerts store that had not been integrated with Java in the past. The root certificate was imported manually, but the error was still there. As you may have experienced yourself, ColdFusion is always very unhelpful when it comes to SSL errors. If you need more detailed information you have to go down to the Java level. Here is an example code snippet you can run:
<!--- Use the Apache HttpClient that ships with ColdFusion directly, so the underlying Java SSL exception is surfaced --->
<cfset hc = createObject("java", "org.apache.commons.httpclient.HttpClient").init()>
<cfset getRequest = createObject("java", "org.apache.commons.httpclient.methods.GetMethod").init("https://www.example.net")>
<!--- executeMethod() fails with the real Java exception instead of the generic ColdFusion message --->
<cfset hc.executeMethod(getRequest)>
and you may receive an error message that could be something like:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
With this error message you have a real chance of identifying the source of your issue, which is not possible at all with the ColdFusion error messages.
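To find out which certificate in the partner's chain trips that check, the following added example (not part of the original post) loads a PEM bundle and reports, per certificate, whether it is a CA and whether its KeyUsage extension asserts keyCertSign; the class name ChainKeyUsageCheck and the file name chain.pem are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example: flags the condition behind "CA key usage check failed:
// keyCertSign bit is not set", i.e. a CA certificate whose KeyUsage
// extension is present but does not assert keyCertSign.
public class ChainKeyUsageCheck {

    // Index of keyCertSign in the boolean[] returned by X509Certificate.getKeyUsage()
    private static final int KEY_CERT_SIGN = 5;

    /** One finding per certificate; "FAIL" marks the certificate PKIX will reject. */
    public static List<String> inspect(Collection<? extends Certificate> chain) {
        List<String> findings = new ArrayList<String>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            boolean isCa = x.getBasicConstraints() != -1; // -1 = not a CA (or no BasicConstraints)
            boolean[] ku = x.getKeyUsage();               // null = no KeyUsage extension at all
            String verdict;
            if (!isCa) {
                verdict = "OK   end-entity certificate, keyCertSign not required";
            } else if (ku == null) {
                verdict = "OK   CA without KeyUsage extension (PKIX accepts this)";
            } else if (ku[KEY_CERT_SIGN]) {
                verdict = "OK   CA with keyCertSign set";
            } else {
                verdict = "FAIL CA with KeyUsage present but keyCertSign not set";
            }
            findings.add(verdict + "  <" + x.getSubjectX500Principal().getName() + ">");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ChainKeyUsageCheck chain.pem
        // chain.pem (assumed name): leaf plus intermediates as concatenated PEM, e.g. exported from a browser.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(args[0]);
        try {
            for (String line : inspect(cf.generateCertificates(in))) {
                System.out.println(line);
            }
        } finally {
            in.close();
        }
    }
}
```

The code uses only JDK 6 APIs, so it can be compiled and run with the same JDK ColdFusion is using, which is what matters when the failing validation happens inside that JVM.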
Solution:
We ran ColdFusion on JDK 6.0.14 for some time, and after upgrading to JDK 6.0.24 the issue is gone. We also tried copying the latest cacerts from the latest JDK into the 6.0.14 JDK, but this did not solve the issue. This at least clearly shows it's not an issue with a missing root certificate. Not sure what the bug really is, but if you know, let me know, please.
History:
17/03/2011: Upgrading to JDK 6.0.24 solved the issue.