Making Coldfusion Play Nice with Go Daddy Certs
Posted by: Jon ClausenThe other day we ran into an unexpected bug on a client site using CFHTTP post process that has been running for over 6 months. Dumping the CFHTTP response gave me this:
| struct | |||
|---|---|---|---|
| Charset | [empty string] | ||
| ErrorDetail | I/O Exception: peer not authenticated | ||
| Filecontent | Connection Failure | ||
| Header | [undefined struct element] | ||
| Mimetype | Unable to determine MIME type of file. | ||
| Responseheader |
| ||
Having never seen the "I/O Exception: peer not authenticated" message before, a bit of Googling, revealed that this particular error is commonly encountered when there is a failure while using CFHTTP and SSL.
It turns out the third-party had recently renewed their SSL cert and had made a change from Verisign to Go Daddy® as their cert provider. Go Daddy®, however is not recognized by default as a trusted Certificate authority by the default JRE which ships with Coldfusion 7.0.2 or any of the current 1.4.2 versions which are supported for use with CF7. To fix the problem we had to add Go Daddy® as a trusted Certificate authority to the Java keystore.
There's quite a few tutorials on adding a certificate authority to the keystore, however for the sake of posterity here's the basic steps (You will, of course, need to change the paths and/or delimiters as appropriate to your machine):
- Like other big Certificate issuers, Go Daddy® offers several types of certs. The ".crt" files can be downloaded by visiting http://certificates.godaddy.com/repository. In this case (and most others), the file required was for the Intermediate Certificate(gd_intermediate.crt). Once you download the .crt file, it's time to put it into an easily accessible directory on your server. Then fire up your favorite command line utility.
- From the command line CD to the Java home for your instance of Coldfusion. This path can be found on Windows and Linux servers in the Coldfusion MX7 administrator by clicking the "Java and JVM" link in the menu. In my case, it was :
$ cd /opt/coldfusionmx7/runtime/jre/
Note that the "$" symbol should not be included in your commands. It is there to mark the beginning cursor position - Once you are there, it's time to add the Go Daddy® as a trusted authority. In this case, we uploaded the .crt file from the previous step to the "/tmp/" directory on our webserver. To do so, the following commands are issued:
$ bin/keytool -import -trustcacerts -alias godaddy-cert -keystore lib/security/cacerts -file /tmp/gd_intermediate.crt
- The keytool will prompt you for a password which, unless you have changed it, defaults to "changeit". Enter the password and the process will complete.
- Last, restart Coldfusion and Go Daddy® will now be recognized as a trusted certificate issuing authority for SSL communications.
Despite any opinions of Go Daddy®- good, bad, or otherwise- they are in the SSL Certificate business to stay. If you are setting up a new server and plan to use CFHTTP with SSL, this might be a good step to add as part of your initial configuration.
Track with co.mments