ColdFusion https connection failure

Asked 9/12, 2013 at 11:15 Answered 17/2, 2021 at 18:6

I have an API that runs fine on one of my two web servers but not on the other one or on my local machine, instead I get a connection failure when I send https requests as part the login process.

The requests are very simple and works without a problem on one of the three servers it is being run on. The first one is as follows:

<cfhttp url="https://accounts.ea.com/connect/auth?response_type=code&client_id=EASFC-web&state=59c5a8f1c4e7a991c1da0b54504c38e45f4d8d78&redirect_uri=http%3A%2F%2Fwww.easports.com%2Ffifa%2Ffootball-club%2Flogin_check&locale=uk&scope=basic.identity+basic.persona+signin+offline " method="GET" result="Stage2" redirect="false">
    <cfhttpparam type="header" name="Accept" value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" />
    <cfhttpparam type="header" name="Accept-Encoding" value="gzip, deflate" />
    <cfhttpparam type="header" name="Accept-Language" value="en-US, en;q=0.5" />
    <cfhttpparam type="header" name="Connection" value="keep-alive" />
    <cfhttpparam type="header" name="Host" value="accounts.ea.com" />
    <cfhttpparam type="header" name="User-Agent" value="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36" />
</cfhttp>

I've had a look and this seems to be a common issue but this fix provided no joy.

I'm assuming there's some security setting that I am perhaps overlooking? I'm able to hit the page and login within the browser on my local machine if that helps.

Does anyone have any advice?

This is what is returned in a CFDUMP:

Debugging Information 
ColdFusion Server Developer 9,0,0,251028
Template    /CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm
Time Stamp  09-Dec-13 11:40 AM
Locale  English (UK)
User Agent  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Remote IP   127.0.0.1
Host Name   127.0.0.1
________________________________________
Execution Time
Total Time  Avg Time    Count   Template
608 ms  608 ms  1   C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
5 ms    5 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\Application.cfc | onRequestStart(/CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\Application.cfc
1 ms    1 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Player.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Player.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Bid.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Bid.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Club.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Club.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Connect.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Connect.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Search.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\Search.cfc
0 ms    0 ms    1   CFC[ C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\doLogin.cfc | init([complex value]) ] from C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\cfcs\doLogin.cfc
4 ms        STARTUP, PARSING, COMPILING, LOADING, & SHUTDOWN
617 ms      TOTAL EXECUTION TIME
red = over 250 ms average execution time 
________________________________________
Scope Variables
CGI Variables:
AUTH_PASSWORD=
AUTH_TYPE=
AUTH_USER=
CERT_COOKIE=
CERT_FLAGS=
CERT_ISSUER=
CERT_KEYSIZE=
CERT_SECRETKEYSIZE=
CERT_SERIALNUMBER=
CERT_SERVER_ISSUER=
CERT_SERVER_SUBJECT=
CERT_SUBJECT=
CF_TEMPLATE_PATH=C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
CONTENT_LENGTH=
CONTENT_TYPE=
CONTEXT_PATH=
GATEWAY_INTERFACE=
HTTPS=
HTTPS_KEYSIZE=
HTTPS_SECRETKEYSIZE=
HTTPS_SERVER_ISSUER=
HTTPS_SERVER_SUBJECT=
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_CONNECTION=keep-alive
HTTP_COOKIE=cf_debug_general=block; cf_debug_template_stack=block; CFID=15108; CFTOKEN=12249080; CFAUTHORIZATION_cfadmin=YWRtaW4NRTg5NzE2OTdCODczMUI0MDVBM0UxRTZCMjI2N0I1MDA5M0QzQkE4MQ1jZmFkbWlu; CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fdebugging%2Findex%2Ecfm
HTTP_HOST=127.0.0.1:8500
HTTP_REFERER=
HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
PATH_INFO=
PATH_TRANSLATED=C:\Services\web\wwwroot\CraigTest\FUT\FIFACPB\logInSearchAccount17.cfm
QUERY_STRING=reinit=1
REMOTE_ADDR=127.0.0.1
REMOTE_HOST=127.0.0.1
REMOTE_USER=
REQUEST_METHOD=GET
SCRIPT_NAME=/CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm
SERVER_NAME=127.0.0.1
SERVER_PORT=8500
SERVER_PORT_SECURE=0
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=
WEB_SERVER_API=
Cookie Variables:
CFADMIN_LASTPAGE_ADMIN=/CFIDE/administrator/debugging/index.cfm
CFAUTHORIZATION_cfadmin=YWRtaW4NRTg5NzE2OTdCODczMUI0MDVBM0UxRTZCMjI2N0I1MDA5M0QzQkE4MQ1jZmFkbWlu
CFID=15108
CFTOKEN=12249080
cf_debug_general=block
cf_debug_template_stack=block
Session Variables:
biddingaccountloggedin=0
biddingaccountloginattempts=0
cfid=15108
cftoken=12249080
mainaccountloggedin=0
mainaccountloginattempts=0
pricingaccountloggedin=0
pricingaccountloginattempts=0
searchaccount10loggedin=0
searchaccount10loginattempts=0
searchaccount11loggedin=0
searchaccount11loginattempts=0
searchaccount12loggedin=0
searchaccount12loginattempts=0
searchaccount13loggedin=0
searchaccount13loginattempts=0
searchaccount14loggedin=0
searchaccount14loginattempts=0
searchaccount15loggedin=0
searchaccount15loginattempts=0
searchaccount16loggedin=0
searchaccount16loginattempts=0
searchaccount17gamertag=ZappyShrimp8
searchaccount17loggedin=0
searchaccount17loginattempts=0
searchaccount18loggedin=0
searchaccount18loginattempts=0
searchaccount19loggedin=0
searchaccount19loginattempts=0
searchaccount1loggedin=0
searchaccount1loginattempts=0
searchaccount20loggedin=0
searchaccount20loginattempts=0
searchaccount21loggedin=0
searchaccount21loginattempts=0
searchaccount22loggedin=0
searchaccount22loginattempts=0
searchaccount23loggedin=0
searchaccount23loginattempts=0
searchaccount24loggedin=0
searchaccount24loginattempts=0
searchaccount25loggedin=0
searchaccount25loginattempts=0
searchaccount26loggedin=0
searchaccount26loginattempts=0
searchaccount27loggedin=0
searchaccount27loginattempts=0
searchaccount28loggedin=0
searchaccount28loginattempts=0
searchaccount29loggedin=0
searchaccount29loginattempts=0
searchaccount2loggedin=0
searchaccount2loginattempts=0
searchaccount30loggedin=0
searchaccount30loginattempts=0
searchaccount3loggedin=0
searchaccount3loginattempts=0
searchaccount4loggedin=0
searchaccount4loginattempts=0
searchaccount5loggedin=0
searchaccount5loginattempts=0
searchaccount6loggedin=0
searchaccount6loginattempts=0
searchaccount8loggedin=0
searchaccount8loginattempts=0
sessionid=FIFAAUTOBUYER_15108_12249080
urltoken=CFID=15108&CFTOKEN=12249080
URL Parameters:
reinit=1
Debug Rendering Time: 21 ms

CFDUMP STAGE2:

struct
Charset     [empty string]
ErrorDetail     I/O Exception: peer not authenticated
Filecontent     Connection Failure
Header  [empty string]
Mimetype    Unable to determine MIME type of file.
Responseheader  
struct [empty]
Statuscode  Connection Failure. Status code unavailable.
Text    YES

Fustigate answered 9/12, 2013 at 11:15 Comment(12)

try printing the http result variable using <cfdump var="#Stage2#" > after http tag and post the stacktrace – Brazilein 9/12, 2013 at 11:28

seems like you are not having the CA certificate of the https url in trust store – Brazilein 9/12, 2013 at 11:29

How do I find the CA certificate from the https URL to add into the trust store @Sunny? – Fustigate 9/12, 2013 at 13:28

i couldn't see variable stage2 in dump output try dumping the variable like this <cfdump var="#stage2#"> after the http tag – Brazilein 9/12, 2013 at 13:46

Apologies @Sunny - Added cfdump of stage2 now – Fustigate 9/12, 2013 at 14:2

miguel has given pretty good explanation on how to set up the certificate you can follow them :) – Brazilein 10/12, 2013 at 8:15

I've set up the certificate but it still has not provided a solution :( – Fustigate 10/12, 2013 at 15:8

are you seeing any errors in the cfdump of the variable stage2 ? – Brazilein 10/12, 2013 at 18:25

@Sunny Everthing that is returned in the cfdump is above but no obvious errors. – Fustigate 11/12, 2013 at 9:48

Might or might not be related: We recently had the same issue on CF9 with calling the https twitter api. We saw that twitter had updated their certificate to a 3rd generation certificate on that exact same day. Coldfusion did download the new certificate, but didn't seem to use it to sign requests. We manually downloaded and installed the required certificates again to fix it. So the cause was the certificate update of the api. Could something similar have occurred? – Transistor 12/12, 2013 at 11:28

I've installed the certificate for EA again this morning but still no joy - also I've never had to install the certificate on the one server that the API was working on. Currently uninstalling CF9 on my local machine and gonna install CF10 see if it makes any difference. – Fustigate 12/12, 2013 at 11:30

Upgrading to CF10 has solved this issue and my API is working on my localmachine without any issues. – Fustigate 18/12, 2013 at 14:14

If you are using cfhttp to connect via SSL (https) then the ColdFusion server definitely needs the certificate installed to successfully connect. Here is a previous answer that I gave on a similar issue:

Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.

The default truststore is the JRE's cacerts file. This file is typically located in the following places:

Server Configuration:

cf_root/runtime/jre/lib/security/cacerts

Multiserver/J2EE on JRun 4 Configuration:

jrun_root/jre/lib/security/cacerts

Sun JDK installation:

jdk_root/jre/lib/security/cacerts

Consult documentation for other J2EE application servers and JVMs

In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.

Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
View the certificate by clicking on the lock icon and clicking view certificate
Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
Click on IE's Internet Options and click the Content tab
Click the Certificates button
Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
Export using DER format

Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)

Run cmd prompt as administrator on the ColdFusion server
Make a backup of the original cacerts file in case you run into issues

The keytool is part of the Java SDK and can be found in the following places:

Server Configuration:

cf_root/runtime/bin/keytool

Multiserver/J2EE on JRun 4 Configuration:

jrun_root/jre/bin/keytool

Sun JDK installation:

jdk_root/bin/keytool

Consult documentation for other J2EE application servers and JVMs

To install the cert:

Change directory to your truststore's location (where the cacerts file is located)
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit
Type yes at the prompt to "Trust this certificate?"

Note: *your_cert_alias_name* I used above can be whatever you want
Note: *C:\wherever_you_saved_the_file\cert_file.cer* change these values to whatever you use for the server folder and certificate file name

To verify the cert:

Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit

Note: *your_cert_alias_name* use the same name here that you used above to install the cert

Restart the ColdFusion service It will not read the updated cacerts file until you do this.

You can delete the imported certificate file from the server if you wish.

Sabo answered 9/12, 2013 at 16:38 Comment(11)

Thanks for your advice but I'm still getting the connection failure message :( – Fustigate 10/12, 2013 at 11:22

Just a further note that I didn't import the certificate for the website on the server that it is working on so I don't know if that would suggest that something else is giving the issue? – Fustigate 10/12, 2013 at 11:46

@Fustigate - If you are communicating with the website over SSL then the certificate is required. You cannot communicate over HTTPS without it so I don't understand how the other server is working. Is it also using HTTPS? Could the certificate have already been imported? Is the certificate in use from a trusted authority like Verisign? If that is the case then you would not need to import the certificate as it is from a trusted authority (assuming your keystore is up to date with those). You also have to be sure and import the certificate to the correct keystore on your server. – Sabo 10/12, 2013 at 15:32

From the System Information in CF Admin the JVM home is C:\Services\web\runtime\jre and I used the keytool from within here to import the certificate. The other server is also using HTTPS yes but the cerficate has not already been imported. The certificate is for accounts.ea.com but I'm unsure if it's from Verisign or not. Is there a way I can check this @Miguel-F? – Fustigate 10/12, 2013 at 16:58

@Fustigate - Yes, you can view the certificate when you browse to their site in your browser (by clicking on the lock icon). It looks like it is a Verisign certificate so there might be something else going on here. I just browsed to the URL in your cfhttp tag and it requires authentication; an email address and password. I don't see you providing those in your code. You will need to check their api to see how they want those credentials passed to them. – Sabo 10/12, 2013 at 17:33

The email address and password are passed in the body of the 5th HTTP request (there are 14 in total to successfully log in) which is working on one of the servers no problem so the actual functionality for logging in to the API is working fine but there must be something different between the server which can run the login script fine and my local machine but I cannot for the life of me fathom what it is!! :( – Fustigate 11/12, 2013 at 9:47

The error that I see in the dump that you included above tells me that the login is not working - ErrorDetail I/O Exception: peer not authenticated. – Sabo 11/12, 2013 at 15:11

Yes that is the issue, the log in works on one of the servers but not on the others or my local machine. – Fustigate 11/12, 2013 at 16:51

Have you tried using Fiddler (fiddler2.com) to see what the request looks like on the local machine when login works? Try comparing that to the parameters you're sending via cfhttp. – Kursk 17/12, 2013 at 8:38

Your solution saved my life @Sabo , thank you so much. – Tantivy 4/10, 2018 at 8:46

@Sabo thanks a ton your solution worked perfectly for me. – Tabular 17/2, 2021 at 18:8

I don't have enough points to comment on @Miguel-F 's answer so I need to post this answer with my experience and further details...

After following directions to add the cert, CFHTTP still wasn't getting the https site for me. I found this post which finally helped me solve the issue. It describes adding SSL debug output to the coldfusion-out.log file, which specifies the exact download URL for the cert you're missing. The cert I was missing was for "Let's Encrypt" which appeared in the log file as:

accessLocation: URIName: http://cert.int-x3.letsencrypt.org/

I hit that URL and used the keytool to add the downloaded file to keystore. Voila! Sanity restored.

I both love and hate ColdFusion

Ulm answered 30/11, 2017 at 14:54 Comment(1)

Yep, I have had to use that SSL debug output before as well. +1 to get you some more reputation. – Sabo 30/11, 2017 at 18:48

There are a number of scenarios here that could present this message.

There are also a number of detailed blog posts and threads that could help you through investigating your issue.

1) DNS resolution issue -- ensure you can hit the endpoint url, or this error will be produced.

2) Ensure to set a user agent in the cfhttp request, servers easily can detect non-standard user agents and filter them out.

enter code here

3) Disable compression in the request. In cases where you are hitting some servers, this works. This can come up with some configurations of IIS. There are numerous sites with this example on the search and it has worked for me.

<cfhttp url="https://yourUrlHere.com" method="get">
    <cfhttpparam type="Header" name="Accept-Encoding" value="*"> 
    <cfhttpparam type="Header" name="TE" value="deflate;q=0">
</cfhttp>

Another header you can try to send depending on the http server on the other end is:

<cfhttpparam type="header" name="Accept-Encoding" Value="no-compression">

Source

4) If the issue is caused by an SSL certificate, you can manually add the certificates to your server. I prefer not to look in this direction if possible but you can search for it.

5) Another scenario of connecting to an https url is that there may be a need to disable the default certificate provider (there are many in Java and the default one may not fit what is needed). This does not impact security, only uses a different, equivalent library.

Source for Example 5

6) Last but not least, you may be falling prey to rewrite rules. I have not experienced this, but it looks interesting.

CFHTTP "Connection Failures" issues when using mod_rewrite

Baltimore answered 18/6, 2014 at 1:43 Comment(1)

Point 5 worked me. Not sure if that has any other security implication. Any one got any idea? – Borgia 14/9, 2015 at 9:9

I had a server with Coldfusion 10 (using Java Version:1.7.0_15) and Windows Server 2008. I had added certificates for my API url. But I was getting error

Connection Failure: Status code unavailable.

Then I added the following config to Coldfusion JVM config in the Coldfusion Administrator and it started working.

-Dhttps.protocols=TLSv1.1,TLSv1.2

Caroncarotene answered 30/6, 2017 at 8:45 Comment(1)

Most of the certificates are upgrading to tslv1.2 instead 1.1, so this has to be added in jvm config to work. Note: JRE version should be 1.7 or more for TSLV1.2 to work, if not then you have to upgrade jre, also make sure your CF is 11 or above, otherwise jre upgradation could be an issue. – Roderic 22/9, 2018 at 10:3

For those who may have landed here if they were having trouble using cfhttp and Google's recaptcha secure verify service (like I did), the post on this page regarding adding Google's security certificate to the JRE's cacerts file is essential.

What is also essential (and not easy to find) is to add

<cfhttpparam type="CGI" encoded="false" name="Content_Type" value="application/json; charset=utf-8">

to you cfhttp request. This will solve the error "Unable to determine content type. Invalid MIME." which also looks like a connection error. (adding to Jas' answer above)

Thanks to 12Robots over on Adobe's ColdFusion Communities forum for that one!

Leggy answered 5/6, 2015 at 17:4 Comment(0)

All the above will not work, if the server you are hitting requires TLS 1.2. This requires you to update your JVM to 1.8, which you can find more info on here:

http://blogs.coldfusion.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server

Theodore answered 16/3, 2017 at 18:41 Comment(0)

Thanks David. I have added below 3 header tags and all good.

<cfhttpparam type="header" name="Content-Type" value="application/json" />
<cfhttpparam type="header" name="Accept-Encoding" Value="*">
<cfhttpparam type="Header" name="TE" value="deflate;q=0">

Thanks - Hitesh

Martines answered 6/11, 2019 at 4:31 Comment(0)

I had a similar issue and @Miguel-F's answer worked perfectly for me.

The only thing that I'd like to add though is that it didn't work for me on the first try because the certificate that I actually downloaded from the browser was somehow replaced by a different one by my Kaspersky Antivirus. So adding that to the trust store did nothing.

On the second try, I downloaded the certificate from a different system that did not have that antivirus and adding that to the trust store solved the issue for me.

Tabular answered 17/2, 2021 at 18:6 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags