Error: Calling out of CF via https, solved by updating JVM

June 7, 2019
ColdFusion troubleshooter

I had a client present to me that they were getting the following error in CF, when trying to do a cfhttp call to an https URL:

I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

They had found various blog posts (from years gone by) suggesting a need to import new SSL certificates into CF using the Java keytool command. That may well have been needed in the past (or may be needed still in some unique cases), but in their case the solution was much simpler, and it could benefit many readers to hear this:

They just needed to update their JVM (that CF was using).

Let me explain.

In their case, they were running on ColdFusion 11 as I said, but this could happen with other CF versions. The key point was that in their case, they had not updated CF to use a more recent Java version, so they were on the original JVM that came out with CF 11, Java 1.8.0_25. To put things in perspective, as of this writing, the latest Java 8 version is 1.8.0_212. That update 25 was from the time when CF11 came out, in 2014. No wonder it may have expired certificates and root certs!

So all we did was update to Java 8 update 212, and that solved his problem. I suspect that even slightly older Java 8 versions could solve it as well, though it’s generally best to be on the latest available update of the Java version supported by your version of CF.

I talked about this particular 212 update, when it came out in April. And in that post I also discussed some other typical questions you may have as you read this suggestion above, like:

  • where to download the latest Java updates, from Adobe (and why)
  • where to find more about HOW TO update the JVM that CF uses
  • what versions of CF support what versions of Java, including Java 11
  • how to recover if you make a mistake trying to update the JVM that CF uses

Whether you’ll be updating to that version of Java or not, check out that other post for answers to those and some other common questions about updating the JVM that CF uses.

My goal here was just to get the word out that for THAT error (and perhaps other failures to call out of CF to https pages), you may not need to bother importing certs. You may just need to update the JVM. It’s worth a shot. And you can easily revert back to the previous JVM version, if you follow best practices in updating the JVM that CF uses, as discussed in resources I point out in that other post.
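To see how stale a given JVM's bundled root certificates are before and after such an update, here is an added diagnostic (not code from the original post or from Adobe) that prints the running Java version, its java.home, and every expired entry in that JVM's lib/security/cacerts. The class name CacertsCheck is made up for this example, and it assumes you compile and run it with the java binary of the same JVM that CF is configured to use.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example (hypothetical class name): inspects the default trust store
// of whichever JVM runs it and reports root certificates that have expired.
public class CacertsCheck {
    public static void main(String[] args) throws Exception {
        // On a Java 8 JDK, java.home already points at the jre directory,
        // so this path is correct for both JRE and JDK installs.
        String home = System.getProperty("java.home");
        File store = new File(home + File.separator + "lib" + File.separator
                + "security" + File.separator + "cacerts");

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + home);
        System.out.println("trust store  = " + store);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            // A null password reads the entries without the integrity check,
            // which is enough for a read-only listing.
            ks.load(in, null);
        }

        Date now = new Date();
        int total = 0;
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // skip anything that is not an X.509 certificate
            }
            total++;
            X509Certificate x = (X509Certificate) c;
            if (x.getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED " + x.getNotAfter() + "  " + alias
                        + "  " + x.getSubjectX500Principal().getName());
            }
        }
        System.out.println(total + " trusted certificates, " + expired + " expired");
    }
}
```

A low total or a long list of expired entries points at an outdated JVM; if the trust store path printed is not the one you expected, CF is running on a different JVM than the one you have been inspecting.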

Finally, I want to note that one of the resources my client had found (which focused on importing a new cert) was this blog post from the venerable hass.de site. He did mention in passing that “an update to latest Java sometimes also help, too.” That would be easy to miss amid all else in the post. And perhaps it had not helped him then, but it worked for my client and I hope it may for some of my readers.

One reason I point this out here is that sadly that hass.de site no longer allows comments, so I couldn’t add this clarification there. (I get it that more and more sites are not permitting comments. I see the pros AND cons.)

Hope this may help some readers.


For more blog posts from Charlie Arehart, see his posts here as well as his posts at carehart.org. And follow him on Twitter and other social media as carehart.

Comments (2)
2019-06-09 23:45:31

Hi Charlie,

thank you for your article. You speak of “some unique cases”. I’d say it depends on when you get the exception. If you try to connect to some internal server it likely is the case that the cert is not created by some trusted authority and needs to be imported. If you try to access a public facing website and get the exception, it likely uses some recent cert that was not part of your original Java install.

2019-06-10 00:07:25
> Bernhard Döbler's comment

Right, thanks Bernhard. I was torn about elaborating on the other cases. Fair point that that’s the most likely one.

I figured that for anyone who might find this jvm update alone didn’t help, they’d easily find other discussions of importing certs.

I will add that those who do that should beware that IF someone has indeed already changed the jvm CF uses, they need to be sure to import the cert into the lib/security/cacerts of THAT jvm, not the one in CF’s jre/lib, as most resources would presume to tell folks.
