Error: Calling out of CF via https, solved by updating JVM
If you’re getting errors in calling out to https urls from CF, you may not need to “import new certificates”. You may merely need to update the JVM that CF uses.
I had a client present to me that they were getting the following error in CF, when trying to do a cfhttp call to an https URL:
I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
They had found various blog posts (from years gone by) suggesting a need to import new SSL certificates into CF using the Java keytool command. That may well have been needed in the past (or may be needed still in some unique cases), but in their case the solution was much simpler, and it could benefit many readers to hear this:
They just needed to update their JVM (that CF was using).
Let me explain.
In their case, they were running on ColdFusion 11 as I said, but this could happen with other CF versions. The key point was that in their case, they had not updated CF to use a more recent Java version, so they were on the original JVM that came out with CF 11, Java 1.8.0_25. To put things in perspective, as of this writing, the latest Java 8 version is 1.8.0_212. That update 25 was from the time when CF11 came out, in 2014. No wonder it may have expired certificates and root certs!
So all we did was update to Java 8 update 212, and that solved his problem. I suspect that even slightly older Java 8 versions could solve it as well, though it’s generally best to be on the latest available update of the Java version supported by your version of CF.
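To see what a given JVM actually trusts before and after such an update, here is a small diagnostic, added as an example and not part of the original post. It reports the Java version and walks that JVM's default trust store, flagging expired roots; the class name TrustStoreAudit is an assumption.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (name is an assumption): audits the default trust store
// of whichever JVM runs it, so run it with the same java binary CF uses.
public class TrustStoreAudit {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // A null KeyStore tells the factory to load the JVM's default trust
        // store (jssecacerts if present, otherwise cacerts).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int total = 0, expired = 0;
        Date now = new Date();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                total++;
                String subject = ca.getSubjectX500Principal().getName();
                try {
                    ca.checkValidity(now); // throws if outside notBefore..notAfter
                } catch (CertificateExpiredException e) {
                    expired++;
                    System.out.println("EXPIRED " + ca.getNotAfter() + "  " + subject);
                } catch (CertificateNotYetValidException e) {
                    System.out.println("NOT YET VALID " + ca.getNotBefore() + "  " + subject);
                }
            }
        }
        // Compare this total between the old and new JVM: a root that is simply
        // absent from the older store causes the same PKIX error as an expired one.
        System.out.println(total + " trusted roots, " + expired + " expired");
    }
}
```

Compile it once for Java 8 with any JDK, then run the class with the JVM CF currently uses and again with the updated one, and compare the two reports.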
I talked about this particular 212 update, when it came out in April. And in that post I also discussed some other typical questions you may have as you read this suggestion above, like:
- where to download the latest Java updates, from Adobe (and why)
- where to find more about HOW TO update the JVM that CF uses
- what versions of CF support what versions of Java, including Java 11
- how to recover if you make a mistake trying to update the JVM that CF uses
Whether you’ll be updating to that version of Java or not, check out that other post for answers to those and some other common questions about updating the JVM that CF uses.
My goal here was just to get the word out that for THAT error (and perhaps other failures to call out of CF to https pages), you may not need to bother importing certs. You may just need to update the JVM. It’s worth a shot. And you can easily revert back to the previous JVM version, if you follow best practices in updating the JVM that CF uses, as discussed in resources I point out in that other post.
Finally, I want to note that one of the resources my client had found (which focused on importing a new cert) was this blog post from the venerable hass.de site. He did mention in passing that “an update to latest Java sometimes also help, too.” That would be easy to miss amid all else in the post. And perhaps it had not helped him then, but it worked for my client and I hope it may for some of my readers.
One reason I point this out here is that sadly that hass.de site no longer allows comments, so I couldn’t add this clarification there. (I get it that more and more sites are not permitting comments. I see the pros AND cons.)
Hope this may help some readers.