Installing an SSL Certificate into ColdFusion’s Trust Store

October 31, 2018 06:28:51 PM GMT
7 Comments
My experience in converting a .p12 certificate into an X.509 certificate and importing it into the ColdFusion keystore.

The post "Installing an SSL Certificate into ColdFusion’s Trust Store" (https://coldfusion.adobe.com/2018/10/installing-an-ssl-certificate-into-coldfusions-trust-store/) appeared first on ColdFusion (https://coldfusion.adobe.com).
Labels: Blog, ColdFusion, Troubleshooting, blog, ssl, troubleshooting

Comments:

Thanks for posting David! I'm encouraged to see you using Ubuntu in your stack for both SQL and ColdFusion. More to the point, we use cfdocument extensively and we are running into issues with connectivity with graphics across our secure servers and cfhttp suffers the same connectivity issue in our instance. So, your post has tweaked my attention. I suspect we need to import some certificates into the trust to complete our connections successfully.
Comment by jBrodeur
2145 | July 04, 2019 06:54:25 PM GMT
I'm happy it helped!  (Even if it wasn't directly!)
Comment by David Byers
2146 | July 04, 2019 10:43:23 PM GMT
David (and to commenter jBrodeur), be aware of a couple of things.

First, let me offer an important clarification on David’s showing WHERE to put the cert. (I realize he admits to being new to this topic, so I'm just expanding on his post and protecting the unsuspecting.)

As for where to do the import, note that you need to put the cert in the /lib/security/cacerts of wherever cf is naming its jvm to be. It may not be the one cf installed (the cf_root referenced above), as so many resources show (including from Adobe). If someone has changed cf to use a new jvm, then your cf admin jvm page will show it pointing elsewhere, and you need to import the cert in the /lib/security/cacerts there instead. (And when you may change jvm’s in the future, don’t forget to bring the certs along, if still needed.) That leads to the second point.

Note as well that sometimes a cert import is NOT needed, to fix cfhttp and related problems. You may simply need to update the jvm that cf is using. For more, see my post:

https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/

I realize that in David’s listed situation he seems confident he DID need to import a cert, for a particularly secured site. I’m just noting that for some folks who get errors on https calls out of cf (including perhaps jBrodeur), a cert import is not really what’s needed. Indeed, some folks have been importing certs as they DID move to new jvm's (see above) when in fact the cert was no longer really needed.

Hope that’s helpful. Thanks as always, David, for what you do share.
Comment by Charlie Arehart
2147 | July 05, 2019 01:33:35 PM GMT
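An added example, not part of the original post or its comments: a shell check for the point made in the comment above, that the certificate must be in the cacerts of the JVM ColdFusion is actually configured to use. It assumes a Linux install where that JVM is named by the `java.home=` line of ColdFusion's jvm.config and the trust store still has the default `changeit` password; the function names and the alias you pass in are hypothetical.

```shell
#!/bin/sh
# Added example: locate the trust store of the JVM ColdFusion points at
# and report whether a given alias has been imported into it.

# Print the java.home value from a jvm.config file (last definition wins).
cf_java_home() {
    sed -n 's/^[[:space:]]*java\.home[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '\r' | tail -n 1
}

# Print the cacerts path under a JVM home. Handles a JRE / Java 9+ layout
# (lib/security) and a JDK 8 layout (jre/lib/security). Returns 1 if absent.
cacerts_path() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Report the JVM home, its trust store, and whether the alias is present.
# Exit codes: 0 present, 1 missing, 2 no java.home, 3 no cacerts, 4 no keytool.
check_cf_truststore() {  # args: jvm.config alias [storepass]
    home=$(cf_java_home "$1")
    [ -n "$home" ] || { echo "no java.home line in $1" >&2; return 2; }
    store=$(cacerts_path "$home") || { echo "no cacerts under $home" >&2; return 3; }
    # Prefer the keytool shipped with that same JVM over whatever is on PATH.
    kt="$home/bin/keytool"
    [ -x "$kt" ] || kt=$(command -v keytool) || { echo "keytool not found" >&2; return 4; }
    echo "JVM home:    $home"
    echo "Trust store: $store"
    if "$kt" -list -keystore "$store" -storepass "${3:-changeit}" \
            -alias "$2" >/dev/null 2>&1; then
        echo "alias '$2': present"
    else
        echo "alias '$2': missing"
        return 1
    fi
}

# Run as a script: sh check.sh <path-to-jvm.config> <alias>
if [ "$#" -ge 2 ]; then check_cf_truststore "$@"; fi
```

Rerun it after any JVM change: a new `java.home` means a different cacerts file, so an alias imported into the old one will show as missing.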
Excellent additional content Charlie.  Thanks for the input!  
Comment by David Byers
2148 | July 08, 2019 03:11:37 AM GMT
I'm working in an environment where I do not have root control of the CF Server as it is administered by an IT team in another city. I've discovered connection failures throughout the CF administrator logs due to some scheduled processes failing. I think it's related to the CFHTTP tag pulling on ssl pages. I've seen this many times at other organizations that I've worked for and have updated the cacerts on those servers, not always with the desired outcome. It's one thing to just install a new cert but how do we test the cert or the jvm to simply find out what we have currently installed so that we can compare it to the current version in use out there? Any direct instructions or ideas?
Comment by dotcomdguy
2370 | October 01, 2019 01:11:03 PM GMT
That's a great question, and I don't have an immediate answer to it. For me there wasn't any "testing" required since... well... it wasn't connecting before I installed the cert and it was connecting afterwards. Sorry I couldn't be more help.
Comment by David Byers
2429 | October 14, 2019 04:55:48 PM GMT
Guys, see my comment below from July for a different perspective on/alternative to cacert updates.
Comment by Charlie Arehart
2430 | October 14, 2019 08:59:33 PM GMT