coldfusion ssl-certificate cfhttp

CFHTTP unable to find valid certification path to requested target


I'm looking to scrape data off a website. Other HTTPS sites work, and this was working last week, but it now fails.

<cfhttp url="https://www.cliftoncameras.co.uk/all-brands-and-types-of-used-cameras/"></cfhttp>

If I run a dump of cfhttp:

Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried running with the latest JRE version 12 - no change

https://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html

Reverted back to CF original JRE, downloaded the target SSL certificate and installed it using the keytool - no change

c:\ColdFusion2018\jre\bin\keytool -import -keystore cacerts -alias cliftoncameras -file c:\ColdFusion2018\jre\lib\security\cliftoncameras.cer

I changed the websocket in the CFAdmin to proxy - no change

I did restart the CF Application Server each time.

What else can I do?


Solution

  • On my development platform I added

    -Dcom.sun.security.enableAIAcaIssuers=true
    

    to the java.args in the file in ColdFusion2018\cfusion\bin\jvm.config

    Then restarted the CF Application Server, and now my CFHTTP call is successful.

    Thanks to @agreax for this solution

    Thanks to @sevroberts, whose answer was probably the correct one, even though I couldn't get it to work. The production host installed the SSL certificate to the keystore and successfully resolved it this way. They said:

    If you use the Firefox browser and click on the lock icon when browsing the URL you are wanting to have the cfhttp request access, you can then get the more info and click the View Certificate option. You will need to download the PEM (cert), not the Chain. Once downloaded, you need to run the keytool in order to import it to the keystore.

    If you are using the default JRE within your JVM for ColdFusion you will need to install a JDK to your development machine. You can see the details and steps we have listed on our wiki regarding the commands from the command prompt to import the SSL into the store. https://wiki.hostek.com/ColdFusion_Tips_%26_Tricks#Fixing_cfhttp_Connection_Failures_with_Keytool

    Thanks to @alexbaban. His workaround, whilst it worked, was a solution I could not implement because it requires the use of the cfexecute tag.
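
Added example (not from the original post or its answers): a shell sketch using the `openssl` CLI and a constructed throwaway PKI to reproduce the condition that typically lies behind "PKIX path building failed", and to show why supplying the intermediate (what `enableAIAcaIssuers` lets Java fetch) or trusting the site certificate directly (the keytool import) both resolve it. The file names, the `www.example.test` subject and all function names are assumptions made for this illustration.

```sh
# Constructed demo PKI (throwaway keys): root CA -> intermediate CA -> leaf.

mkcsr() {  # mkcsr DIR NAME CN: new RSA key and CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # build_chain DIR: writes root.pem, inter.pem, leaf.pem into DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    mkcsr "$d" root  "Demo Root CA" &&
    mkcsr "$d" inter "Demo Intermediate CA" &&
    mkcsr "$d" leaf  "www.example.test" &&
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Case 1: the server sends only its leaf and the client trusts only the root.
# No path can be built; this is the condition behind "PKIX path building failed".
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Case 2: the intermediate is supplied (sent by the server, or fetched through the
# leaf's AIA "CA Issuers" URL, which is what enableAIAcaIssuers permits in Java).
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Case 3: the leaf itself is trusted, roughly what importing the site's
# certificate into cacerts with keytool achieves.
verify_leaf_pinned() {
    openssl verify -partial_chain -CAfile "$1/leaf.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) && build_chain "$tmp" || return 1
    for check in verify_leaf_only verify_with_intermediate verify_leaf_pinned; do
        if "$check" "$tmp"; then echo "$check: OK"; else echo "$check: FAILED"; fi
    done
    rm -rf "$tmp"
}
demo
```

Case 3 trusts a single certificate, so it has to be repeated whenever the site renews its certificate; cases 1 and 2 differ only in whether the intermediate is available to the client.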