SSLPeerUnverifiedException on Scheduled Tasks


Andrew Dixon

Nov 17, 2014, 9:22:32 AM
to ra...@googlegroups.com
Hi All,

We have recently moved a site to run from SSL only and moved the scheduled tasks to be called from https instead of http, however they are all returning the following error in the scheduler.log file:

"ERROR","Thread-127","11/17/2014","14:16:00","","schedule task:[task name];peer not authenticated;javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at railo.commons.net.http.httpclient4.HTTPEngine4Impl._invoke(HTTPEngine4Impl.java:228)
at railo.commons.net.http.httpclient4.HTTPEngine4Impl.get(HTTPEngine4Impl.java:88)
at railo.commons.net.http.HTTPEngine.get(HTTPEngine.java:68)
at railo.runtime.schedule.ExecutionThread.execute(ExecutionThread.java:90)
at railo.runtime.schedule.ExecutionThread.run(ExecutionThread.java:40)

The certificate is valid and works fine everywhere else, including on the server itself via programs like wget and elinks. We did some Googling and found the following blog post that goes through extracting a site's certificate and installing it in the cacerts keystore file in Java, which we have done:


After doing this we restarted Tomcat / Railo from the command line but we are still getting this error.

The server is running:

Railo 4.2.1.000 final
Apache Tomcat/7.0.37
1.7.0_65 (Oracle Corporation) 64bit

Any other ideas?

Thanks.

Kind regards,

Andrew

Nando Breiter

Nov 17, 2014, 9:47:08 AM
to ra...@googlegroups.com
Andrew,

1) Double-check to make sure the cert is installed in the Java installation Railo is using
2) Restart Railo
3) I've had to resort to the following hack on CF9:

No idea if it will help on Railo, but it worked for me.

Greetings!

Nando





Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

--
Did you find this reply useful? Help the Railo community and add it to the Railo Server wiki at https://github.com/getrailo/railo/wiki
---
You received this message because you are subscribed to the Google Groups "Railo" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/railo/CAG1WijVaEagmMR_b2HYZZjaxCLhbOuCRj2NAwW86urw34vhy0g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Mark Drew

Nov 17, 2014, 9:50:12 AM
to ra...@googlegroups.com
Not sure if this will help but in the Railo SERVER administrator there is a section called SSL that you can go and put in a URL and view and install the certificates. 
Have you tried this too?


Mark Drew


Andrew Dixon

Nov 17, 2014, 9:52:44 AM
to ra...@googlegroups.com
Hi Mark,

Yes, just noticed that about 10 minutes ago and tried that but it doesn't appear to have made any difference either. 

Do you know what this section is even for? It doesn't seem to be explained as to what this is actually for anywhere.

Kind regards,

Andrew

Andrew Dixon

Nov 17, 2014, 9:53:57 AM
to ra...@googlegroups.com
Hi Nando,

Points 1 and 2 are what I already did and yes I have confirmed the certificate is in the cacerts files using the keytool program.

Point 3, I will take a look into this option, however it feels very hacky!!! :-)

Kind regards,

Andrew


Nando Breiter

Nov 17, 2014, 10:01:46 AM
to ra...@googlegroups.com
Hi Andrew,

It looks hacky, but the background info is that removing JsafeJCE simply forces Java to use a security provider that works with CF. Again, no idea if it will work for you, but after weeks of mucking about, it's the only solution that worked for me in the end. 


Mark Drew

Nov 17, 2014, 10:06:10 AM
to ra...@googlegroups.com
It's so that you can do cfhttp calls to SSL sites AFAIK



MD

Andrew Dixon

Nov 17, 2014, 10:35:36 AM
to ra...@googlegroups.com
Hi Mark,

After you have "installed" the certificate, should it list it on that page? I have clicked the install button but when I go back to the SSL certificates page it is just blank again, as it was first time I visited it.

Kind regards,

Andrew

Nando Breiter

Nov 17, 2014, 10:37:15 AM
to ra...@googlegroups.com
Andrew,

By the way, if you try my #3 suggestion, I'd really like to know if it works or not for you.

Nando


Mark Drew

Nov 17, 2014, 10:51:11 AM
to ra...@googlegroups.com
Yeah, after you install it it should be listed on that page. If it isn't ... permissions. 


MD

Andrew Dixon

Nov 17, 2014, 10:54:27 AM
to ra...@googlegroups.com
Hi Nando,

Nope it didn't work.

Kind regards,

Andrew

Andrew Dixon

Nov 17, 2014, 10:54:58 AM
to ra...@googlegroups.com
Any ideas permissions to what?

Kind regards,

Andrew


Mark Drew

Nov 17, 2014, 10:56:29 AM
to ra...@googlegroups.com
Railo folder? Generally. I mean, just test it with a railo-express install and you will see if it lists and you can install the SSL certs, if yes, then you can track down the issue on the live machine you are using. 


MD


Andrew Dixon

Nov 17, 2014, 4:34:57 PM
to ra...@googlegroups.com
Firstly, @mark I tried the SSL certificate thing on a fresh download of Railo Express as suggested and it does exactly the same, I input the address and click list and then install but when I go back to the page it is not there anymore.

Secondly this is getting really strange now... I put a test script on the server with the following in it:

<cfhttp url="[URL]" method="get">
<cfdump var="#cfhttp#">

and that works just fine, to exactly the same URL. Surely that makes no sense at all? If CFHTTP can read it ok, on the same server and site, then surely it should be able to run as a scheduled task ok?

Kind regards,

Andrew

Andrew Dixon

Nov 17, 2014, 5:22:37 PM
to ra...@googlegroups.com
Ok, finally worked this out and now I feel like a right numpty, basically I had gone through and changed all the URLs from "http" to "https" but I failed to notice the port number field below that defaults to "80", so of course it was connecting using:


so connecting to port 80 and the SSL is therefore obviously not available. Worked it out after some Google searches found this Railo bug report from a year ago:


Kind regards,

Andrew
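
Added example, not part of the original thread: a small Python probe that separates the failure described above (an https URL pointed at a port that speaks plain HTTP) from a genuine certificate-trust failure. The function names, result labels and the loopback listener are constructed for illustration.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Try a verified TLS handshake with host:port and classify the outcome."""
    ctx = ssl.create_default_context()  # normal chain and hostname verification
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"      # a trust-store or hostname problem
    except ssl.SSLError:
        return "no-tls-handshake"    # peer answered, but not with TLS (e.g. plain HTTP)
    except OSError:
        return "unreachable"         # refused, reset or timed out


def start_plain_http_listener():
    """Constructed stand-in for a port-80 web server on loopback; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)         # the client's TLS ClientHello, ignored
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # An https client aimed at a plain-HTTP port fails in the handshake,
    # regardless of which certificates are in the trust store.
    print(probe_tls("127.0.0.1", start_plain_http_listener()))
```

Run it against the host and port the scheduled task actually uses; "untrusted-cert" is the only result that a cacerts import can address.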

Michael Offner

Nov 18, 2014, 2:37:07 AM
to ra...@googlegroups.com
Yeah, we are not really happy about the scheduled task interface in the admin, so an overhaul would make sense.
George is moving some stuff out of the core to extension, that is something we should think of moving out of the core as well... 

Micha 

P.S. Moving out of the core does not mean it will not be present on any installation, it just means it has an independent release cycle. For example George is moving all datasource drivers to extension, so you can update datasource driver version independent of the Railo core, you can even run different versions of the same driver in different contexts of the server. Same could be true for scheduled task, you could run version 1.0 in context A, but version 2.0 in context B.

Jean Moniatte

Nov 18, 2014, 3:24:26 AM
to Railo Google Group
George is Railo 5?

Thanks,
Jean
--
Jean Moniatte
UGAL


Igal @ getRailo.org

Nov 18, 2014, 10:21:44 AM
to ra...@googlegroups.com
"George" is the code name for the next major release, which is a more "industry-standard" way of referring to new versions before they are ready to be released.


-- 
Igal Sapir
Railo Core Developer
http://getRailo.org/

Pete Freitag

Nov 18, 2014, 10:57:49 AM
to ra...@googlegroups.com
On Mon, Nov 17, 2014 at 9:47 AM, Nando Breiter <na...@aria-media.com> wrote:

> 3) I've had to resort to the following hack on CF9:
>
> No idea if it will help on Railo, but it worked for me.

That "fix" will not work on Railo, the RSA BSafe CryptoJ JCE provider is a third party crypto engine that Adobe CF ships with the enterprise editions to provide FIPS certified crypto implementations. Since Railo does not include it, removing the provider has no effect unless you bought it from RSA, and explicitly added it to your server.

ADK

Nov 18, 2014, 7:45:24 PM
to ra...@googlegroups.com
any idea when we may be able to "meet" George? He sounds very interesting!

Charles Robertson

Feb 4, 2016, 7:42:56 PM
to Railo
Pete. I know this is an old post, but I am having a similar problem with Lucee 4.5. Tomorrow, I am going to attempt to replace the .jar files in Railo/jdk/jre/lib/security with the JSafeJCE jars, which is what CF11 now uses. I am having a problem with PayPal's OAuth2 endpoint. PayPal have just updated their Verisign G4 certificate for G5. I have imported this into the cacerts but I still get a handshake error. PayPal also advise that more powerful ciphers are required, so I will attempt the security provider update tomorrow on Lucee 4.5 to try & resolve this. My local ACF11 installation works, so I am hoping that by using the same security providers, I will be successful with my remote Lucee installation...

ad...@establishmindfulness.com

Feb 6, 2016, 5:59:14 AM
to Railo, pe...@foundeo.com

Local solution:


Just to let everyone know, once I installed CF11, the PayPal token was issued without a problem.

Obviously, the CF11 cacerts and security providers are compatible.


Remote solution:


To get this to work on Railo, you need to do a clean install of Lucee 4.5.

DO NOT UPDATE FROM RAILO 4.2+ TO LUCEE 4.5+ BY MOVING & REPLACING .JARs.

I repeat you need to carry out a clean install of Lucee 4.5.


I then came across an issue with the BonCode adapter.

If you get the following error from IIS:


IIS Handler "BonCode-Tomcat-CFM-Handler" has a bad module


Check your IIS Application Pools. In the Application Pool, click on "Basic Settings" on the panel to the right. If the .NET Version is 2.0.0 change it to 4.X and save the change.


Tip:


Make sure your web.config file has the following setting to view this error:


<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed"/>
  </system.webServer>
</configuration>

This should save you a week's work:)

Good luck all!

ad...@establishmindfulness.com

Feb 6, 2016, 1:15:05 PM
to Railo, pe...@foundeo.com
Thanks Pete for this answer.

I actually tried this fix, without success and a similar one suggested by Raymond Camden:

http://www.raymondcamden.com/2011/01/12/Diagnosing-a-CFHTTP-issue-peer-not-authenticated/

In fact, PayPal's new security policy requires JSafeJCE. CF10 update 17 & CF11 have a more extensive set of ciphers in the JSafeJCE suite than previous versions. These are required for PayPal's RESTful API.

The only solution was to install CF11, as my CF10 updater kept throwing update installer errors.

On my remote server, I tried updating Railo 4.2+ to Lucee 4.5. The update was successful, but the JRE was not fully updated, but did not break the application server.
In the end, I tried a clean install of Lucee 4.5, and my PayPal connection was restored successfully once more.

But, I guess different problems require slightly different solutions!

Cheers anyway for your help...



Peter Boughton

Feb 6, 2016, 1:31:20 PM
to ra...@googlegroups.com
> Thanks Pete for this answer.

Pete's reply was posted on the 18th November 2014. He has not posted on this mailing list in over ten months, and probably won't see anything you post.

He is, however, active on the Lucee mailing list: https://groups.google.com/group/lucee

The Lucee group is where people using Lucee should post for help with Lucee-related issues, (whether they are upgrading from Railo or not).

Administrator

Feb 6, 2016, 2:47:15 PM
to ra...@googlegroups.com
OK. I see. It is strange because I was sent this reply [from Pete] notification, by Google, but I neglected to look at the reply date. I have been conversing with a cyber ghost!