cfhttp and https Could not obtain server certificate chain (4th post)


Stéphane MERLE

May 25, 2016, 3:38:51 AM
to Lucee
Hi,

destination : plateforme.flinteractive.fr

I am again confronted with a "Connection Failure statuscode : Connection Failure. Status code unavailable. header :" over an https connection.

I did first try to use the add certificate from within the lucee administrator with no luck : "Could not obtain server certificate chain"

I then tried to add it with the command line :
openssl s_client -connect plateforme.flinteractive.fr:443 -showcerts | openssl x509 -outform PEM >destination.crt
but had an error "verify error:num=20:unable to get local issuer certificate"

Then I downloaded the CA.crt file directly from STARTCOM : wget https://www.startssl.com/certs/ca.crt

and tried again with :
mv ca.crt ca.pem
openssl s_client -CAfile ca.pem  -connect plateforme.flinteractive.fr:443 -showcerts | openssl x509 -outform PEM >plateforme.flinteractive.fr.pem

and then :
/opt/lucee/jdk/jre/bin/keytool -import -keystore /opt/lucee/jdk/jre/jre/lib/security/cacerts -file ./plateforme.flinteractive.fr.pem -alias flinteractive -storepass changeit -noprompt
service lucee_ctl restart

but then it is still not working ...

I also tried to join the 2 certificates (CA and final) in one file and imported it with success but still not working ...

Is there a solution ???

Thanks for your help !

Stéphane
ps : this is my 4th post, none of the 3 first show up in the lucee group ...

Nando Breiter

May 25, 2016, 4:02:55 AM
to lu...@googlegroups.com
Stéphane,

I've seen all 4 of your posts. 

Which web server are you using in front of Lucee (if any)?



Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia

--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/1a0f6070-a4e2-4aa7-ab5f-fae183d35f43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stéphane MERLE

May 25, 2016, 4:06:38 AM
to Lucee


On Wednesday, May 25, 2016 at 10:02:55 UTC+2, Nando Breiter wrote:
> Stéphane,
>
> I've seen all 4 of your posts.

?? unbelievable .. I see only this one

> Which web server are you using in front of Lucee (if any)?

I am using apache with mod_cfml

thanks for your help !

Stéphane

Nando Breiter

May 25, 2016, 4:29:09 AM
to lu...@googlegroups.com
What I've done is to use a reverse proxy setup on Nginx in front of Lucee server, and installed the ssl certs on Nginx rather than on Lucee-Tomcat-Java. The configuration for that is simple and painless. 

You might explore a similar approach using Apache, although I'm not well versed enough to advise you conclusively. 

You can check a blog post I wrote here: https://dnando.github.io/blog/2015/01/05/advantages-of-nginx/ - scroll down to where it says "However, the biggest advantage, to me, seems to be the ease of configuring strong SSL https security on Nginx."

Here's a guide to setting up SSL on Apache :


If you find you must install the certs on Java, then you have to ensure you install each cert in the chain to the JVM that Lucee is using, and you must repeat the installation every time you update the JVM.



Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia

Stéphane MERLE

May 25, 2016, 7:44:10 AM
to Lucee
Nando, we agree that my problem is with cfhttp calling an external https domain that I do not manage ? (plateforme.flinteractive.fr)

not with any kind of certificates to install to have my domain respond in httpS ...

Stéphane

Nando Breiter

May 25, 2016, 8:39:56 AM
to lu...@googlegroups.com
Oh ... ok. Well now I understand ... 

Not that helpful, but I see the same error on Lucee 5. All I can suggest is to make sure you are installing the certs to the same JVM location that Lucee is running on. 


Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia

Stéphane MERLE

May 26, 2016, 10:33:10 AM
to Lucee


On Wednesday, May 25, 2016 at 14:39:56 UTC+2, Nando Breiter wrote:
> Oh ... ok. Well now I understand ...
>
> Not that helpful, but I see the same error on Lucee 5. All I can suggest is to make sure you are installing the certs to the same JVM location that Lucee is running on.

how can I make sure of it ?

 

Jordan Michaels

May 27, 2016, 6:03:15 AM
to lu...@googlegroups.com
Hi Stéphane,

I just dealt with this on a Lucee 5 server and the admin import did not work for me either. In Lucee's defense on that, I might be having some other issues with openssl, so it may not be Lucee's fault.

What I did to get around it was add the crt the old-fashioned way, which is basically what you were trying to do in your original post. I used openSSL to grab the cert from the site, copied and pasted the crt part into a file, then imported the cert into the local jvm's keystore. This fixed my issue.

If you did a standard Lucee 5 installer build, then your command would look something like this:

$ cd /opt/lucee/jdk/jre
$ sudo ./bin/keytool -import -alias yoursite.viviotech.net -keystore ./jre/lib/security/cacerts -trustcacerts -file /path/to/yoursite.viviotech.net.crt

Hope this helps.

--
Kind regards,
Jordan Michaels
Vivio Technologies
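
Both the pipeline in the original post and the copy-and-paste step above keep a single certificate, because `openssl x509` reads only the first PEM block from its input. As an added example (not code from the thread or from Lucee), this script splits saved `openssl s_client -showcerts` output into one file per certificate and prints a `keytool -import` line for each; the function names, the `chain` prefix and the sample text are assumptions made for the illustration.

```shell
# Added example: split saved `openssl s_client -showcerts` output into one PEM
# file per certificate. Function names and the sample text are assumptions.

# split_chain SRC OUTDIR PREFIX: writes OUTDIR/PREFIX-N.pem, prints the count.
split_chain() {
    src=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; incert = 1 }
        incert { buf = buf $0 "\n" }
        # Write a block only once its END line is seen, so truncated ones are dropped.
        /^-----END CERTIFICATE-----/ && incert {
            file = sprintf("%s/%s-%d.pem", dir, pre, n++)
            printf "%s", buf > file; close(file); incert = 0
        }
        END { print n + 0 }
    ' "$src"
}

# print_imports OUTDIR PREFIX KEYSTORE: dry run, one keytool command per file,
# each with its own alias so a later import does not collide with an earlier one.
print_imports() {
    for f in "$1"/"$2"-*.pem; do
        [ -f "$f" ] || continue
        printf 'keytool -import -trustcacerts -keystore %s -alias %s -file %s\n' \
            "$3" "$(basename "$f" .pem)" "$f"
    done
}

# Constructed sample shaped like -showcerts output; bodies are placeholders.
sample_output() {
cat <<'EOF'
Certificate chain
 0 s:/CN=leaf.example.test
   i:/CN=Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
AAAAleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
AAAAintermediatePLACEHOLDER
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d) && sample_output > "$tmp/s_client.txt"
split_chain "$tmp/s_client.txt" "$tmp/certs" chain
print_imports "$tmp/certs" chain /opt/lucee/jdk/jre/jre/lib/security/cacerts
```

The server normally does not send the root certificate, so a root obtained separately (as in the original post) is still a separate import.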