I'm running the developer edition of plain old ColdFusion 9. I'm attempting to cfhttp API calls to Shopify, but I am coming a cropper against the old `I/O Exception: peer not authenticated` problem. I'm calling it using the "https" URL.

```
// also tried without setting the port directly
variables.httpService = new http(
    username=trim(application.stDBVars.stShopify.sAPIKey),
    password=trim(application.stDBVars.stShopify.sPassword),
    method="POST",
    url="https://shopname-shop.myshopify.com/admin/webhooks.json", port=443);
variables.httpService.addParam(type="header",name="Content-Type",value="application/json");
variables.httpService.addParam(type="body",value="#variables.sJSON#");
writeDump(variables.httpService.send().getPrefix());
```

I've had this issue before when using another 3rd party API, but I solved that by following the instructions set out in the kb article for importing certificates in the keystore: http://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html

I've followed the advice again, and picked out the certificate to add to the keystore, but no matter how many times I add it, remove it, re-alias it, stop ColdFusion, start ColdFusion, restart the computer and perform voodoo, I keep getting `I/O Exception: peer not authenticated`.

Is there a way to debug this to see if it's even attempting to use my certificate, whether in ColdFusion or Java?

Miguel-F
Jarede
  • Are you sure that you have added the certificate to the correct Java keystore? If you have ever updated the JVM for your ColdFusion server it may not be located in the default location anymore. [See a previous answer on how to install certificate](http://stackoverflow.com/a/19449937/1636917) – Miguel-F Jan 21 '14 at 13:27
  • Yep, I've added it to every single keystore on my PC. – Jarede Jan 21 '14 at 14:05
  • What happens when you navigate to the URL on the same machine? – Miguel-F Jan 21 '14 at 14:07
  • It does the `GET` version of the call, bringing me back JSON of all the webhooks I have created. Admittedly I am logged into my Shopify account (using my standard Shopify login rather than the API based login) – Jarede Jan 21 '14 at 14:11
  • Can you try your credentials in the cfhttp call and see if that works? – Miguel-F Jan 21 '14 at 14:13
  • tried that, still doesn't want to come out to play. – Jarede Jan 21 '14 at 14:23
  • Okay, back to the certificate and keystore. Be sure to export the correct certificate using Internet Explorer and browsing to the same URL you are attempting to connect to via cfhttp (see my previous link for details). You can see which keystore ColdFusion is using by viewing the _system information_ page of the ColdFusion administrator. The path to the current JVM will be displayed next to _Java Home_. You will want to add the certificate to the keystore located under that directory. After modifying the keystore you will need to stop and restart the ColdFusion service. – Miguel-F Jan 21 '14 at 14:27
  • Aye, I've done all that... there's no actual way of seeing the certificate it's attempting to use – Jarede Jan 21 '14 at 15:16
  • See this similar post - http://stackoverflow.com/q/3515452/1636917 – Miguel-F Jan 21 '14 at 15:58
  • But that wouldn't attempt to use the same certificate, would it? Especially since I'm not running https. – Jarede Jan 21 '14 at 16:03
  • No, but what about watching the network traffic with a sniffer? – Miguel-F Jan 21 '14 at 17:35
  • @Miguel-F I think I saw something like that in my research of other questions, using something like Fiddler2. I wasn't quite sure how to capture the outgoing `cfhttp` with it since in a browser I'd be hitting something like http://localhost:82/something.cfm which contained the `cfhttp` – Jarede Jan 21 '14 at 17:40
  • Yes, like Fiddler. It will capture normal ports like 80 and 443 by default. I'm sure it has settings for you to specify other ports as well. – Miguel-F Jan 21 '14 at 17:45
  • Would it be anything to do with the jrun-server.xml... I had a nose about in that and noticed some comments about uncommenting for SSL use... – Jarede Jan 21 '14 at 18:55
  • What is the JVM version of your CF9 server? – jk. Jan 21 '14 at 19:13
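
For the debugging question above, a stand-alone Java check (an added example, not code from the original post or from Adobe) that reports which `cacerts` file a JVM reads and whether a host's certificate chain validates against it, printing the alias of any presented certificate that is already in the store. The class name `TrustCheck`, the default store password `changeit` and taking the host as the first argument are assumptions; the code avoids anything newer than Java 6.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Added diagnostic (not from the original post). Run it with the java binary under
// the "Java Home" that ColdFusion reports, so it reads the same cacerts file.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        File store = new File(System.getProperty("java.home"), "lib/security/cacerts");
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(store);
        try { ks.load(in, "changeit".toCharArray()); } finally { in.close(); } // assumed default password
        System.out.println("Java " + System.getProperty("java.version") + ": "
                + ks.size() + " entries in " + store);
        if (args.length == 0) return; // no host given: only report the trust store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Print each certificate the server presents, then run the normal validation.
        X509TrustManager logging = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                real.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                for (X509Certificate cert : c) {
                    String alias;
                    try { alias = ks.getCertificateAlias(cert); }
                    catch (KeyStoreException e) { throw new CertificateException(e); }
                    System.out.println(cert.getSubjectX500Principal() + "\n  issuer: "
                            + cert.getIssuerX500Principal() + "\n  alias in store: " + alias);
                }
                real.checkServerTrusted(c, t);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443);
        try {
            socket.startHandshake();
            System.out.println("Handshake OK: the chain validates against this store");
        } catch (SSLException e) {
            System.out.println("Handshake FAILED: " + e);
        } finally { socket.close(); }
    }
}
```

This checks chain trust only, not that the certificate matches the host name. Starting the JVM with `-Djavax.net.debug=ssl` prints the full handshake, including the trust store it loaded.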

1 Answer

I recently had the same issue on a CF9 box trying to connect to the Twitter api. Here is what solved it after consulting Pete Freitag:

Java updated the client certificates in Java 1.6.0_19 including Verisign certificates: http://www.oracle.com/technetwork/java/javase/6u19-141078.html so updating to a recent JVM I think may solve it.

Please note that if you install Java 1.7 you need to make sure that you have installed CF 9.0.1 cumulative hotfix 4 (which adds support for java 1.7). You can see if you have 9.0.1 CHF4 by looking in the {cfroot}/lib/updates folder and locating the file chf9010004.jar

After applying cumulative hotfix 4 the CF admin began throwing an error. The sites worked but the CF admin was down. I fixed that by:

Make sure the latest security hotfixes APSP13-19 and APSP13-27 are also applied; see http://helpx.adobe.com/security/products/coldfusion.html#version9. If the server had already applied a security hotfix that was released after cumulative hotfix 4, that might cause an issue.

You can probably avoid the CF admin issue by applying the security hotfixes first.

Here is the post I used to update the JVM:

Upgrading ColdFusion To Java 7

Community
jk.
  • Sigh, we're running 1.6.0_14 and I'm not sure we're in a position to take the time to upgrade the JVM. It's possible this answer is correct, but I won't know till I can take the time to try it. – Jarede Jan 22 '14 at 09:10
  • @Jarede We upgraded all the way to 1.7. Updating the JVM is not hard to do. If you have to apply any hotfixes or patches beforehand, it gets more involved. I spent a total of 2 hours updating the server. Also, I added a step that I took when the CF admin locked up on me during the update. – jk. Jan 22 '14 at 13:10
  • Aye, I'm just not the one who pulls that trigger unfortunately. downtime=badtime (rightly or wrongly). Since the certificates have been changed though, perhaps I could just fiddle with the keystore certificates – Jarede Jan 22 '14 at 14:15
  • @Jarede The server must be maintained. To do that, it will have to have some downtime. The server can't be left without critical patches no matter what you are trying to accomplish. It's a security issue. Whoever thinks the server can never come down even for critical updates is sadly putting the server at risk. I did my updates at night and early in the morning. I don't believe you are going to get anywhere updating the keystore certs. Good luck. – jk. Jan 22 '14 at 14:57
  • I came up against this problem again. It seems that it might be down to the fact that the developer edition of CF9 (at least the one we're on) works like the enterprise edition of CF9, and there appears to be a bug in the implementation of the BSafe CryptoJ libraries. @RaymondCamden has more info [Here](http://www.raymondcamden.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated) – Jarede Mar 31 '14 at 15:49