
For many months, my OAuth2 routine has been working perfectly. The OAuth2 routine creates new tokens so that I can carry out API operations.

Suddenly, a week ago, I started getting the following error:

Charset         [empty string]
ErrorDetail     I/O Exception: peer not authenticated
Filecontent     Connection Failure
Header          [empty string]
Mimetype        Unable to determine MIME type of file.
Responseheader  struct [empty]
Statuscode      Connection Failure. Status code unavailable.
Text            YES

I am using Coldfusion 10 and I have not changed anything in my testing environment for several months, so the change must have come from PayPal's end.

I am using the following http call:

<!--- REST app credentials (redacted) --->
<cfset clientid = "***">
<cfset secret = "***">

<!--- Client-credentials grant: HTTP Basic auth with clientid:secret, grant_type sent as a form field --->
<cfhttp method="post" url="https://api.sandbox.paypal.com/v1/oauth2/token" result="result">
<cfhttpparam type="header" name="Content_Type" value="application/json">
<cfhttpparam type="formfield" name="grant_type" value="client_credentials">
<cfhttpparam type="header" name="Authorization" value="Basic #ToBase64(clientid & ":" & secret)#">
</cfhttp>

Can anyone help me solve this problem?

Charles Robertson
  • Update/Import the PayPal certificate into your JVM's keystore. The latest certificate is from 2nd September 2015. – Alex Feb 02 '16 at 18:49
  • @Alex Thanks for the advice. I imported both the latest Verisign Class 3 2048-bit G5 root certificate and the relevant sandbox endpoint certificate into cacerts, using keytool. Although I am not sure I needed to import the latter. I restarted CF and I still received the same error. I have spent days on this and I am a bit angry that PayPal have just made these changes without really notifying developers. I presume I am not the only CF developer that uses the PayPal RESTFUL API? – Charles Robertson Feb 03 '16 at 00:01
  • @Alex I actually renamed the Verisign alias because there was already a certificate with the same alias. Maybe I should remove the old Verisign Class 3 G5 and name the new certificate with the old alias. Do you think this will make any difference? – Charles Robertson Feb 03 '16 at 00:05
  • @Alex Could you give me the URL of the certificate you are talking about, just in case I imported the wrong one? – Charles Robertson Feb 03 '16 at 00:06
  • Do you have the latest ColdFusion Update installed? It added support for SNI, which might be the problem with the PayPal servers. Other than that: Make sure to import all of the certificates (incl. the chain) on the subdomains you are sending requests to. – Alex Feb 03 '16 at 10:58
  • @Alex I am using CF10, but I am on update 12 of 17. I am only sending requests to https://api.sandbox.paypal.com. I imported the latest verisign 2048 bit certificate, and I think this was updated recently by PayPal, even though the certificate name is the same since 2006: https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=SO5624 I will update CF10 to update 17, and let you know what happens? – Charles Robertson Feb 03 '16 at 13:58
  • @Alex Unfortunately, I cannot update CF10 beyond update 12 of 17, because I get an 'invalid signature' exception when trying to install the update. I am going to remove CF10 and install CF11. I use Railo on my production servers, so I should be able to update that without any problem. Interestingly, my ACF local & Railo remote had the same PayPal issue at the same time. I think this means that it is a certificate problem, unless Railo suffers from the SNI problem, as well, which would be a huge coincidence... – Charles Robertson Feb 03 '16 at 14:25
  • @Alex Once I installed CF11, the PayPal token was issued without a problem. Obviously, the CF11 cacerts and security providers are compatible. But thanks for your help... – Charles Robertson Feb 03 '16 at 17:53

2 Answers


Okay I had exactly the same issue with connecting to the new PayPal REST APIs and the reason behind the error is the migration from Verisign G2 Root certificate (which PayPal no longer supports) and the move to SHA-256 algorithm and Verisign G5 signed certificates.

The confusion comes in that Coldfusion 10 and Coldfusion 11 already have the cacerts in the ColdFusion Truststore so why is it still not working?

After hours of trying and searching, I discovered the certificate issue lies in the JRE folder, not ColdFusion. That quickly led me to upgrade ColdFusion to run on the latest version of Java JDK 1.8_101 (my test server was running on JVM 1.7 and the production server on 1.8_25), so I upgraded both and the code ran (it was similar to Charles' code in the original post).

So here are the simple steps:

  1. Upgrade ColdFusion to the latest update from ColdFusion Administrator
  2. Install the latest Java JDK (currently 1.8_101) and remember where you install it
  3. Go back into ColdFusion Administrator and go to Java and JVM under Server Settings and point the JVM to the JRE folder in the new JDK e.g. /{JDK_home}/Contents/Home/jre folder and then restart ColdFusion.

The PayPal OAuth 2.0 will work again! (At least it did for me). I hope this helps someone save hours of frustration and be reassured that the latest PayPal REST API does work with ColdFusion (even if they don't provide an example - I am working on submitting it to PayPal via Github shortly).

James Martin
  • Thanks for this answer. I am sure you are right about the JDK version, but a clean install to the latest version of CF11, seemed to fix the issue for me. – Charles Robertson Oct 01 '16 at 11:21
  • Yes, a clean install can also fix the issue, but you lose all your configuration and settings, so simply upgrading the JDK or Server JRE is a solution for in-production ColdFusion 10 or 11. – James Martin Oct 02 '16 at 20:57

Just to let everyone know, once I installed CF11, the PayPal token was issued without a problem. Obviously, the CF11 cacerts and security providers are compatible. Now, I must try and sort out Railo, which could be more difficult, as I am on Railo 4. I will try updating Railo to its most recent 4+ version...

Update:

To get this to work on Railo, you need to do a clean install of Lucee 4.5 [Railo 4.2 successor]. DO NOT UPDATE FROM RAILO TO LUCEE BY MOVING .JARs. I repeat you need to carry out a clean install of Lucee 4.5:

http://lucee.org/downloads.html

I then came across an issue with the BonCode adapter. If you get the following error from IIS:

IIS Handler "BonCode-Tomcat-CFM-Handler" has a bad module

Check your IIS Application Pools. In the Application Pool, click on "Basic Settings" on the panel to the right. If the .NET Version is 2.0.0 change it to 4.X and save the change.

TIP:

Make sure your web.config file has the following setting to view this error:

<configuration>
   <system.webServer>
      <httpErrors errorMode="Detailed"/>
   </system.webServer>
</configuration>

This should save you a week's work:)

Good luck all!

Charles Robertson
  • We are using PayPal with CF 10 perfectly fine, so it's probably more of an environment related problem here. Btw. you might as well upgrade your Railo installation to Lucee (successor of Railo). – Alex Feb 03 '16 at 20:21
  • @Alex Yes. I am upgrading Railo 4.2 to Lucee 4.5 tomorrow. Hopefully, this will solve the PayPal issue on my remote server. I think you are correct about CF10, it was just that I was unable to install the updates, you mentioned. My only option was to install CF11... – Charles Robertson Feb 03 '16 at 21:13
  • The CF11 security provider list is much more extensive than the CF10 [update 12] version. I think that the CF10 update 13 - 17 probably add some items to this list. Better support for SHA-2 [2048]. I am pretty sure my certificates were solid... – Charles Robertson Feb 03 '16 at 21:28
  • @Alex I am in big trouble. I have updated Railo 4.2 to Lucee 4.5 [very easy by the way:)]. I have updated all the relevant certificates using keytool to cacerts. But I get the following error [using the throwonerror cfhttp attribute]:
    Cause          string  javax.net.ssl.SSLHandshakeException
    url            string  https://api.sandbox.paypal.com/v1/oauth2/token
    Detail         string  [empty string]
    ErrorCode      string  0
    Extended_Info  string  [empty string]
    ExtendedInfo   string  [empty string]
    Message        string  Received fatal alert: handshake_failure
    StackTrace     string  Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.jav
    – Charles Robertson Feb 04 '16 at 20:11
  • Helpppppppppppppppppppppppppp please. My business is going down the drain because of this crazy issue. Do PayPal realise that they are messing with people's livelihoods? I may have to buy CF11 Enterprise license for my production server, as I know it works with ACF. – Charles Robertson Feb 04 '16 at 20:15
  • @Alex This link seems to suggest that I need to update a couple of .jar files in the JRE\lib\security: http://stackoverflow.com/questions/30350120/sslhandshakeexception-while-connecting-to-a-https-site Do you know which .jar files and where do I get the updates. I could copy them from the ACF11 JRE directory, but this seems risky??? – Charles Robertson Feb 04 '16 at 20:39
  • Something with your JRE seems to be broken/outdated. Consider a clean reinstall of Lucee. You might want to check the Lucee channel on https://cfml.slack.com for further assistance. – Alex Feb 05 '16 at 00:44
  • @Alex Thanks. I have found out that I may need to copy the JSafeJCE .jar files into Lucee/jdk/jre/lib/security. This is the unlimited strength version. It is the same library that ACF11 uses. If this does not work, I will do a clean install of Lucee, as suggested. I have had a look at the Lucee security provider list and JSafeJCE is not in this list. In ACF11, it is the default provider and solved this issue locally. The battle continues... – Charles Robertson Feb 05 '16 at 00:51
  • http://www.shilpikhariwal.com/2012/04/cryptography-invalid-key-size-exception.html?m=1 – Charles Robertson Feb 05 '16 at 00:55
  • http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1087632.aspx Although I don't think it is actually necessary to edit the java.security file, which this article is suggesting. I have had a look at the ACF11 java.security file and there is no JSafeJCE entry, but it is the default security provider when reading the list programmatically. Unless ACF11 have a custom java.security file hiding somewhere... – Charles Robertson Feb 05 '16 at 01:06
  • @Alex Genius. Thanks for your advice. A clean install of Lucee 4.5 allowed PayPal to handshake again. Mind you I had a hell of a time trying to get the BonCode Adapter to work with IIS. I had to check my IIS Application Pools. In the Application Pool, I clicked on "Basic Settings" on the panel to the right. And changed the .NET Version from 2.0.0 change to 4.X. Plus I had to add another BonCode Handler Mapping for '*.cfml'. But finally all is good. Thanks again for your help. I will add this bit to the answer above... – Charles Robertson Feb 05 '16 at 15:17