3

I’m a long-time reader here but a newbie at posting a question. Hopefully I’ll cover everything you guys need to hopefully help.

Background information: We are running ColdFusion 10 on two servers that are load balanced (I’m not sure how they are load balanced – they are not clustered and are not using sticky sessions, this much I know). Unfortunately, I do not have access to our CF server admin at all; I have to rely on others.

I’ve implemented a punch out system that allows our users to connect to a vendor’s site to shop, then returns their items to our cart on our site. This has been working in our development servers without any issues. Everything worked well when we tested this in production as well. However, when we moved it into production last week, we started getting an error, but only when the code was running off of ONE of the load balanced servers. The error we received back from the vendor site stated that the error detail was: “I/O Exception: Server Key”. All of the research I conducted led me to believe that our CF servers needed the vendors cert (it is an https connection), so I told this to our server guy. He reinstalled the certs (he had said that they were there) and that did seem to solve the problem. I was successfully able to punch out to our vendor site from both of our load balanced servers.

We did a bit more testing (which all seemed fine) and then put it back into production this morning only to have the same issue occur. On one of the servers, this is working and on the other one it is not. My server guy tells me that the vendor certs are currently in place in the ColdFusion keystore.

Here is the cfhttp call I’m using:

<cfhttp url="#vendorURL#" method="POST" throwOnError="no" result="returnedObj"> 
  <cfhttpparam type="XML" name="xmlPunchoutData" value="#trim(RequestPunchoutXML)#"  />
</cfhttp>

Where ‘RequestPunchoutXML’ has a xml structure requesting a punch out from the vendor.

This looks possibly related: ColdFusion 10 - CFHTTP - Random peer not authenticated on SSL calls (cacerts file updated) but the error I'm getting isn't this one, though I think that they are probably related.

Questions: Any idea what is going on here? Could a badly set up load balancer be the issue here? Is it possible that the cfhttp call is starting from one of the servers and getting the response returned to the other? Could there be some reason that the certs are failing? Is this some other issue altogether that I have not yet identified? Any thoughts/ideas/suggestions would be greatly helpful.

Thanks in advance,

Janice

Community
  • 1
  • 1
Janice
  • 31
  • 1
  • Have you reached out to the vendor to get their take? That's where I would probably start in a situation like this. – Brian FitzGerald Mar 07 '16 at 20:01
  • Thanks Brian. I have without any real success. I found this: http://www.raymondcamden.com/2011/01/12/Diagnosing-a-CFHTTP-issue-peer-not-authenticated/ and we're trying the java code workaround talked about here. This code has us removing the JsafeJCE security provider. It does seem to be working again, but I wonder at the security implications of doing this. Any thoughts on that? – Janice Mar 08 '16 at 17:04
  • Oh no, my arch nemesis back again to haunt me. You'll see me in that comment thread 5 years ago struggling with that exact issue because the 3rd party API I was using was sending back the "peer not authenticated message" - a real nightmare caused by an issue with the "security provider" that ColdFusion uses in enterprise (and developer) editions. I think what I ended up doing was putting in a patch like you did and eventually migrating away from that API provider (and from CF to Lucee). Unfortunately I don't know enough about Java to know what the security implications of that workaround are. – Brian FitzGerald Mar 08 '16 at 18:53

0 Answers0