ColdFusion https connection failure

coldfusion cfhttp
CPB07 picture CPB07 · Dec 9, 2013 · Viewed 32.1k times · Source

I have an API that runs fine on one of my two web servers but not on the other one or on my local machine, instead I get a connection failure when I send https requests as part the login process.

The requests are very simple and works without a problem on one of the three servers it is being run on. The first one is as follows:

<cfhttp url="https://accounts.ea.com/connect/auth?response_type=code&client_id=EASFC-web&state=59c5a8f1c4e7a991c1da0b54504c38e45f4d8d78&redirect_uri=http%3A%2F%2Fwww.easports.com%2Ffifa%2Ffootball-club%2Flogin_check&locale=uk&scope=basic.identity+basic.persona+signin+offline " method="GET" result="Stage2" redirect="false">
    <cfhttpparam type="header" name="Accept" value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" />
    <cfhttpparam type="header" name="Accept-Encoding" value="gzip, deflate" />
    <cfhttpparam type="header" name="Accept-Language" value="en-US, en;q=0.5" />
    <cfhttpparam type="header" name="Connection" value="keep-alive" />
    <cfhttpparam type="header" name="Host" value="accounts.ea.com" />
    <cfhttpparam type="header" name="User-Agent" value="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36" />
</cfhttp>

I've had a look and this seems to be a common issue but this fix provided no joy.

I'm assuming there's some security setting that I am perhaps overlooking? I'm able to hit the page and login within the browser on my local machine if that helps.

Does anyone have any advice?

This is what is returned in a CFDUMP:

Debugging Information 
ColdFusion Server Developer 9,0,0,251028
Template    /CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm
Time Stamp  09-Dec-13 11:40 AM
Locale  English (UK)
User Agent  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Remote IP   127.0.0.1
Host Name   127.0.0.1
________________________________________
Execution Time
Total Time  Avg Time    Count   Template
608 ms  608 ms  1   C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
5 ms    5 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\Application.cfc | onRequestStart(/CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\Application.cfc
1 ms    1 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Player.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Player.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Bid.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Bid.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Club.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Club.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Connect.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Connect.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Search.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Search.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\doLogin.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\doLogin.cfc
4 ms        STARTUP, PARSING, COMPILING, LOADING, & SHUTDOWN
617 ms      TOTAL EXECUTION TIME
red = over 250 ms average execution time 
________________________________________
Scope Variables
CGI Variables:
AUTH_PASSWORD=
AUTH_TYPE=
AUTH_USER=
CERT_COOKIE=
CERT_FLAGS=
CERT_ISSUER=
CERT_KEYSIZE=
CERT_SECRETKEYSIZE=
CERT_SERIALNUMBER=
CERT_SERVER_ISSUER=
CERT_SERVER_SUBJECT=
CERT_SUBJECT=
CF_TEMPLATE_PATH=C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
CONTENT_LENGTH=
CONTENT_TYPE=
CONTEXT_PATH=
GATEWAY_INTERFACE=
HTTPS=
HTTPS_KEYSIZE=
HTTPS_SECRETKEYSIZE=
HTTPS_SERVER_ISSUER=
HTTPS_SERVER_SUBJECT=
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_CONNECTION=keep-alive
HTTP_COOKIE=cf_debug_general=block; cf_debug_template_stack=block; CFID=15108; CFTOKEN=12249080; CFAUTHORIZATION_cfadmin=YWRtaW4NRTg5NzE2OTdCODczMUI0MDVBM0UxRTZCMjI2N0I1MDA5M0QzQkE4MQ1jZmFkbWlu; CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fdebugging%2Findex%2Ecfm
HTTP_HOST=127.0.0.1:8500
HTTP_REFERER=
HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
PATH_INFO=
PATH_TRANSLATED=C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
QUERY_STRING=reinit=1
REMOTE_ADDR=127.0.0.1
REMOTE_HOST=127.0.0.1
REMOTE_USER=
REQUEST_METHOD=GET
SCRIPT_NAME=/CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm
SERVER_NAME=127.0.0.1
SERVER_PORT=8500
SERVER_PORT_SECURE=0
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=
WEB_SERVER_API=
Cookie Variables:
CFADMIN_LASTPAGE_ADMIN=/CFIDE/administrator/debugging/index.cfm
CFAUTHORIZATION_cfadmin=YWRtaW4NRTg5NzE2OTdCODczMUI0MDVBM0UxRTZCMjI2N0I1MDA5M0QzQkE4MQ1jZmFkbWlu
CFID=15108
CFTOKEN=12249080
cf_debug_general=block
cf_debug_template_stack=block
Session Variables:
biddingaccountloggedin=0
biddingaccountloginattempts=0
cfid=15108
cftoken=12249080
mainaccountloggedin=0
mainaccountloginattempts=0
pricingaccountloggedin=0
pricingaccountloginattempts=0
searchaccount10loggedin=0
searchaccount10loginattempts=0
searchaccount11loggedin=0
searchaccount11loginattempts=0
searchaccount12loggedin=0
searchaccount12loginattempts=0
searchaccount13loggedin=0
searchaccount13loginattempts=0
searchaccount14loggedin=0
searchaccount14loginattempts=0
searchaccount15loggedin=0
searchaccount15loginattempts=0
searchaccount16loggedin=0
searchaccount16loginattempts=0
searchaccount17gamertag=ZappyShrimp8
searchaccount17loggedin=0
searchaccount17loginattempts=0
searchaccount18loggedin=0
searchaccount18loginattempts=0
searchaccount19loggedin=0
searchaccount19loginattempts=0
searchaccount1loggedin=0
searchaccount1loginattempts=0
searchaccount20loggedin=0
searchaccount20loginattempts=0
searchaccount21loggedin=0
searchaccount21loginattempts=0
searchaccount22loggedin=0
searchaccount22loginattempts=0
searchaccount23loggedin=0
searchaccount23loginattempts=0
searchaccount24loggedin=0
searchaccount24loginattempts=0
searchaccount25loggedin=0
searchaccount25loginattempts=0
searchaccount26loggedin=0
searchaccount26loginattempts=0
searchaccount27loggedin=0
searchaccount27loginattempts=0
searchaccount28loggedin=0
searchaccount28loginattempts=0
searchaccount29loggedin=0
searchaccount29loginattempts=0
searchaccount2loggedin=0
searchaccount2loginattempts=0
searchaccount30loggedin=0
searchaccount30loginattempts=0
searchaccount3loggedin=0
searchaccount3loginattempts=0
searchaccount4loggedin=0
searchaccount4loginattempts=0
searchaccount5loggedin=0
searchaccount5loginattempts=0
searchaccount6loggedin=0
searchaccount6loginattempts=0
searchaccount8loggedin=0
searchaccount8loginattempts=0
sessionid=FIFAAUTOBUYER_15108_12249080
urltoken=CFID=15108&CFTOKEN=12249080
URL Parameters:
reinit=1
Debug Rendering Time: 21 ms

CFDUMP STAGE2:

struct
Charset     [empty string]
ErrorDetail     I/O Exception: peer not authenticated
Filecontent     Connection Failure
Header  [empty string]
Mimetype    Unable to determine MIME type of file.
Responseheader  
struct [empty]
Statuscode  Connection Failure. Status code unavailable.
Text    YES

Answer

Miguel-F picture Miguel-F · Dec 9, 2013

If you are using cfhttp to connect via SSL (https) then the ColdFusion server definitely needs the certificate installed to successfully connect. Here is a previous answer that I gave on a similar issue:

Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.

The default truststore is the JRE's cacerts file. This file is typically located in the following places:

  • Server Configuration:

    cf_root/runtime/jre/lib/security/cacerts

  • Multiserver/J2EE on JRun 4 Configuration:

    jrun_root/jre/lib/security/cacerts

  • Sun JDK installation:

    jdk_root/jre/lib/security/cacerts

  • Consult documentation for other J2EE application servers and JVMs

In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.

  1. Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
  2. View the certificate by clicking on the lock icon and clicking view certificate
  3. Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
  4. Click on IE's Internet Options and click the Content tab
  5. Click the Certificates button
  6. Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
  7. Export using DER format

Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)

  1. Run cmd prompt as administrator on the ColdFusion server
  2. Make a backup of the original cacerts file in case you run into issues

The keytool is part of the Java SDK and can be found in the following places:

  • Server Configuration:

    cf_root/runtime/bin/keytool

  • Multiserver/J2EE on JRun 4 Configuration:

    jrun_root/jre/bin/keytool

  • Sun JDK installation:

    jdk_root/bin/keytool

  • Consult documentation for other J2EE application servers and JVMs

To install the cert:

  1. Change directory to your truststore's location (where the cacerts file is located)
  2. Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit
  3. Type yes at the prompt to "Trust this certificate?"

Note: *your_cert_alias_name* I used above can be whatever you want
Note: *C:\wherever_you_saved_the_file\cert_file.cer* change these values to whatever you use for the server folder and certificate file name

To verify the cert:

  1. Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit

Note: *your_cert_alias_name* use the same name here that you used above to install the cert

Restart the ColdFusion service It will not read the updated cacerts file until you do this.

You can delete the imported certificate file from the server if you wish.

Related questions

How to POST JSON Data to Remote API Using Coldfusion CFHTTP

I'm sure that I'm completely botching this up but I got this far with the help of fellow Stack Overflow users, so thanks thus far. I need to POST JSON data to a remote API. Obviously I can't use jQuery …

Read More
ColdFusion CFHTTP I/O Exception: peer not authenticated - even after adding certs to Keystore

I'm currently working with a payment processor. I can browse to the payment URL from our server, so it's not a firewall issue, but when I try to use CFHTTP I get a I/O Exception: peer not authenticated. I've …

Read More
The request has exceeded the allowable time limit Tag: cfhttp

I am facing this issue on a daily basis. I am having an application which Catches the huge data from various applications in the nightly schedule jobs through a cfhhtp call/request. The problem here is that it calls the …

Read More