May 18, 2007

Making Coldfusion Play Nice with Go Daddy Certs

Posted by: Jon Clausen

The other day we ran into an unexpected bug on a client site, in a CFHTTP POST process that had been running for over six months. Dumping the CFHTTP response gave me this:

struct
Charset [empty string]
ErrorDetail I/O Exception: peer not authenticated
Filecontent Connection Failure
Header [undefined struct element]
Mimetype Unable to determine MIME type of file.
Responseheader
struct [empty]

Having never seen the "I/O Exception: peer not authenticated" message before, I did a bit of Googling, which revealed that this particular error is commonly encountered when a CFHTTP request fails over SSL.

It turns out the third party had recently renewed their SSL cert and had switched from Verisign to Go Daddy® as their cert provider. Go Daddy®, however, is not recognized by default as a trusted Certificate Authority by the JRE which ships with ColdFusion 7.0.2, or by any of the current 1.4.2 versions which are supported for use with CF7, so the JRE cannot build a chain of trust for the server's certificate and rejects the SSL handshake. To fix the problem we had to add Go Daddy® as a trusted Certificate Authority to the Java keystore.

There are quite a few tutorials on adding a certificate authority to the keystore; however, for the sake of posterity, here are the basic steps (you will, of course, need to change the paths and/or delimiters as appropriate to your machine):

  1. Like other big certificate issuers, Go Daddy® offers several types of certs. The ".crt" files can be downloaded by visiting http://certificates.godaddy.com/repository. In this case (and most others), the file required was the Intermediate Certificate (gd_intermediate.crt). Once you download the .crt file, put it into an easily accessible directory on your server. Then fire up your favorite command line utility.
  2. From the command line, cd to the Java home for your instance of ColdFusion. This path can be found on Windows and Linux servers in the ColdFusion MX7 administrator by clicking the "Java and JVM" link in the menu. In my case, it was:
    $ cd /opt/coldfusionmx7/runtime/jre/
    
    Note that the "$" symbol should not be included in your commands; it is there to mark the beginning cursor position.
  3. Once you are there, it's time to add Go Daddy® as a trusted authority. In this case, we uploaded the .crt file from the previous step to the "/tmp/" directory on our web server. To do so, the following command is issued:
    $ bin/keytool -import -trustcacerts -alias godaddy-cert -keystore lib/security/cacerts -file /tmp/gd_intermediate.crt
    
  4. The keytool will prompt you for a password which, unless you have changed it, defaults to "changeit". Enter the password and the process will complete.
  5. Last, restart Coldfusion and Go Daddy® will now be recognized as a trusted certificate issuing authority for SSL communications.
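The steps above, collected into a POSIX shell helper added here as an example (it is not the author's script). It reads the java.home line from ColdFusion's jvm.config so that the import lands in the keystore of the JVM ColdFusion actually runs, uses that JVM's own keytool, skips the import when the alias already exists, and assumes the default cacerts password "changeit"; the jvm.config path and the alias name are assumptions.

```shell
#!/bin/sh
# Import a CA certificate into the cacerts store of the JVM ColdFusion runs.
# Example written for this post; assumes a CFMX 7 style jvm.config with a
# "java.home=" line and the default cacerts password "changeit".

# Print the java.home value from a jvm.config file (tolerates spaces and CRLF).
java_home_from_jvm_config() {
    sed -n 's/^[[:space:]]*java\.home[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the cacerts path below a java.home. A JDK keeps its runtime under jre/;
# a bare JRE (the one bundled with ColdFusion) has lib/security directly below it.
cacerts_for_java_home() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        printf '%s\n' "$1/lib/security/cacerts"
    fi
}

# import_ca_for_cf JVM_CONFIG CERT_FILE [ALIAS]
# Imports CERT_FILE as a trusted CA; skips the import if ALIAS is already present.
import_ca_for_cf() {
    jvm_config=$1; cert=$2; alias=${3:-godaddy-cert}
    jh=$(java_home_from_jvm_config "$jvm_config")
    [ -n "$jh" ] || { echo "no java.home line in $jvm_config" >&2; return 1; }
    store=$(cacerts_for_java_home "$jh")
    keytool="$jh/bin/keytool"   # the keytool belonging to this JVM, not whatever is on PATH
    [ -x "$keytool" ] || { echo "keytool not found at $keytool" >&2; return 1; }
    if "$keytool" -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $store"
        return 0
    fi
    "$keytool" -import -noprompt -trustcacerts -alias "$alias" \
        -keystore "$store" -storepass changeit -file "$cert"
    echo "imported $cert into $store; restart ColdFusion to pick it up"
}

# Constructed demonstration input (a fake JRE tree, not a real install): shows
# which store would be updated without touching a real keystore.
demo=$(mktemp -d)
mkdir -p "$demo/jre/lib/security" && : > "$demo/jre/lib/security/cacerts"
printf 'java.home=%s/jre\r\n' "$demo" > "$demo/jvm.config"
cacerts_for_java_home "$(java_home_from_jvm_config "$demo/jvm.config")"
rm -rf "$demo"
```

On a real server you would call `import_ca_for_cf /opt/coldfusionmx7/runtime/bin/jvm.config /tmp/gd_intermediate.crt` and then restart ColdFusion.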

Whatever your opinion of Go Daddy® (good, bad, or otherwise), they are in the SSL certificate business to stay. If you are setting up a new server and plan to use CFHTTP with SSL, this might be a good step to add as part of your initial configuration.

 
Comments
Thanks for the well-written post. However, it didn't work for me. After running this update and cycling CF (Win2k3 running IIS), then attempting to invoke a secure web service where the cert is at GoDaddy, I get a "peer not authenticated" error still. Our version of java is 1.4.2_11.

Any advice would be greatly appreciated.

Posted by: Ben Mueller - May 31, 2007 9:45 AM

Ben,

Sorry to hear it didn't work for you. Two things to check:

1) Did you use the keytool for the 1.4.2_11 version?

Each JRE maintains its own keystore. In the keytool command step, if you just use "keytool" instead of bin/keytool after doing a cd to the Java home for 1.4.2_11, it will use the server's JRE version - likely 1.5*

2) Are you using the correct .crt file for the cert the client is using?

You can find this out by opening the URL for the SSL site in Firefox, double clicking on the lock icon and viewing the certificate.

On the Details tab when viewing the certificate, highlight the domain name itself (not the CA information) and look at the content under "Authority Information Access"; you will see a field value like this, which gives the location of the .crt file:

Not Critical
OCSP: URI: http://ocsp.godaddy.com
CA Issuers: URI: http://certificates.godaddy.com/repository/gd_intermediate.crt

Hope that helps,

Jon

Posted by: Jon - May 31, 2007 10:08 AM

Jon,

Thanks very much for the reply. And right you are, the problem is that I was trying to update the keystore of the JVM that ships with ColdFusion. Since we're running CFMX on top of a later version of java (1.4.2_11 in this case), I needed to update the keystore of *that* Java version. A silly little gotcha that I should have thought of. (I was using the correct cert all along).

A few questions/comments:

* Windows wanted to change the certificate extension from ".crt" to ".cer". That didn't seem to break anything.

* I assume that if I update to a later JVM version, I will probably need to run this process again, right?

* Does anybody know if CF8's JVM has GoDaddy as a cert authority?

Posted by: Ben Mueller - May 31, 2007 11:10 AM

[* Windows wanted to change the certificate extension from ".crt" to ".cer". That didn't seem to break anything.]

- Hmm. That's odd. I'm not exactly sure why that is. I updated one of my Windows boxes recently and didn't find any issues with that.

[* I assume that if I update to a later JVM version, I will probably need to run this process again, right?]

- Yes, that will probably be the case.

[* Does anybody know if CF8's JVM has GoDaddy as a cert authority? ]

- CF8 uses JVM 1.5 (at least in the current beta) so yes, Go Daddy is registered as a trusted cert authority for new installs of CF8.


Posted by: Jon - May 31, 2007 11:22 AM

Just want to say thank you. I had this issue with VeriSign Class 3 certs, followed the instructions and everything was happy.

MUCH Appreciated!

Posted by: Anthony - Oct 05, 2007 11:42 AM

Hi everybody,

My application was running fine with CFMX 7, and I have installed CF8, but the application is not working fine. After login, some "certificate errors" are displayed.
The certificate is valid till 2009.
Please help ASAP.

Thank you very much.

What could be the possible way to resolve the issues?

Is there any issue with CF8 for LDAP authentication or certificates?

Posted by: Priyank jain - Jan 25, 2008 5:21 AM

@Priyank - Are you speaking of a problem browsing your site on the server, or of making CFHTTP requests to your server, as related to the above post? Could you provide a few more details?

Posted by: Jon Clausen - Jan 26, 2008 8:55 AM
