21

I have an API that runs fine on one of my two web servers but not on the other one or on my local machine; instead I get a connection failure when I send https requests as part of the login process.

The requests are very simple and work without a problem on one of the three servers it is being run on. The first one is as follows:

<cfhttp url="https://accounts.ea.com/connect/auth?response_type=code&client_id=EASFC-web&state=59c5a8f1c4e7a991c1da0b54504c38e45f4d8d78&redirect_uri=http%3A%2F%2Fwww.easports.com%2Ffifa%2Ffootball-club%2Flogin_check&locale=uk&scope=basic.identity+basic.persona+signin+offline " method="GET" result="Stage2" redirect="false">
    <cfhttpparam type="header" name="Accept" value="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" />
    <cfhttpparam type="header" name="Accept-Encoding" value="gzip, deflate" />
    <cfhttpparam type="header" name="Accept-Language" value="en-US, en;q=0.5" />
    <cfhttpparam type="header" name="Connection" value="keep-alive" />
    <cfhttpparam type="header" name="Host" value="accounts.ea.com" />
    <cfhttpparam type="header" name="User-Agent" value="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36" />
</cfhttp>

I've had a look and this seems to be a common issue but this fix provided no joy.

I'm assuming there's some security setting that I am perhaps overlooking? I'm able to hit the page and login within the browser on my local machine if that helps.

Does anyone have any advice?

This is what is returned in a CFDUMP:

Debugging Information 
ColdFusion Server Developer 9,0,0,251028
Template    /CraigTest/FUT/FIFACPB/logInSearchAccount17.cfm
Time Stamp  09-Dec-13 11:40 AM
Locale  English (UK)
User Agent  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Remote IP   127.0.0.1
Host Name   127.0.0.1

CFDUMP STAGE2:

struct
Charset     [empty string]
ErrorDetail     I/O Exception: peer not authenticated
Filecontent     Connection Failure
Header  [empty string]
Mimetype    Unable to determine MIME type of file.
Responseheader  
struct [empty]
Statuscode  Connection Failure. Status code unavailable.
Text    YES 
CPB07
  • 649
  • 2
  • 12
  • 23
  • try printing the http result variable using after http tag and post the stacktrace – Dungeon Hunter Dec 09 '13 at 11:28
  • seems like you are not having the CA certificate of the https url in trust store – Dungeon Hunter Dec 09 '13 at 11:29
  • How do I find the CA certificate from the https URL to add into the trust store @Sunny? – CPB07 Dec 09 '13 at 13:28
  • i couldn't see variable stage2 in dump output try dumping the variable like this after the http tag – Dungeon Hunter Dec 09 '13 at 13:46
  • Apologies @Sunny - Added cfdump of stage2 now – CPB07 Dec 09 '13 at 14:02
  • miguel has given pretty good explanation on how to set up the certificate you can follow them :) – Dungeon Hunter Dec 10 '13 at 08:15
  • I've set up the certificate but it still has not provided a solution :( – CPB07 Dec 10 '13 at 15:08
  • are you seeing any errors in the cfdump of the variable stage2 ? – Dungeon Hunter Dec 10 '13 at 18:25
  • @Sunny Everything that is returned in the cfdump is above but no obvious errors. – CPB07 Dec 11 '13 at 09:48
  • Might or might not be related: We recently had the same issue on CF9 with calling the https twitter api. We saw that twitter had updated their certificate to a 3rd generation certificate on that exact same day. Coldfusion did download the new certificate, but didn't seem to use it to sign requests. We manually downloaded and installed the required certificates again to fix it. So the cause was the certificate update of the api. Could something similar have occurred? – jan Dec 12 '13 at 11:28
  • I've installed the certificate for EA again this morning but still no joy - also I've never had to install the certificate on the one server that the API was working on. Currently uninstalling CF9 on my local machine and gonna install CF10 see if it makes any difference. – CPB07 Dec 12 '13 at 11:30
  • Upgrading to CF10 has solved this issue and my API is working on my local machine without any issues. – CPB07 Dec 18 '13 at 14:14

8 Answers

26

If you are using cfhttp to connect via SSL (https) then the ColdFusion server definitely needs the certificate installed to successfully connect. Here is a previous answer that I gave on a similar issue:

Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using, in case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.

The default truststore is the JRE's cacerts file. This file is typically located in the following places:

  • Server Configuration:

    cf_root/runtime/jre/lib/security/cacerts

  • Multiserver/J2EE on JRun 4 Configuration:

    jrun_root/jre/lib/security/cacerts

  • Sun JDK installation:

    jdk_root/jre/lib/security/cacerts

  • Consult documentation for other J2EE application servers and JVMs

In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.

  1. Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
  2. View the certificate by clicking on the lock icon and clicking view certificate
  3. Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
  4. Click on IE's Internet Options and click the Content tab
  5. Click the Certificates button
  6. Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
  7. Export using DER format

Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)

  1. Run cmd prompt as administrator on the ColdFusion server
  2. Make a backup of the original cacerts file in case you run into issues

The keytool is part of the Java SDK and can be found in the following places:

  • Server Configuration:

    cf_root/runtime/bin/keytool

  • Multiserver/J2EE on JRun 4 Configuration:

    jrun_root/jre/bin/keytool

  • Sun JDK installation:

    jdk_root/bin/keytool

  • Consult documentation for other J2EE application servers and JVMs

To install the cert:

  1. Change directory to your truststore's location (where the cacerts file is located)
  2. Type this command (use current jvm and use current jvm's keytool):

    "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit

  3. Type yes at the prompt to "Trust this certificate?"

Note: *your_cert_alias_name* I used above can be whatever you want
Note: *C:\wherever_you_saved_the_file\cert_file.cer* change these values to whatever you use for the server folder and certificate file name

To verify the cert:

  1. Type this command (use current jvm and use current jvm's keytool):

    "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit

Note: *your_cert_alias_name* use the same name here that you used above to install the cert

Restart the ColdFusion service. It will not read the updated cacerts file until you do this.

You can delete the imported certificate file from the server if you wish.

Miguel-F
  • 13,042
  • 5
  • 33
  • 55
  • Thanks for your advice but I'm still getting the connection failure message :( – CPB07 Dec 10 '13 at 11:22
  • Just a further note that I didn't import the certificate for the website on the server that it is working on so I don't know if that would suggest that something else is giving the issue? – CPB07 Dec 10 '13 at 11:46
  • 1
    @CPB07 - If you are communicating with the website over SSL then the certificate is required. You cannot communicate over HTTPS without it so I don't understand how the other server is working. Is it also using HTTPS? Could the certificate have already been imported? Is the certificate in use from a trusted authority like Verisign? If that is the case then you would not need to import the certificate as it is from a trusted authority (assuming your keystore is up to date with those). **You also have to be sure and import the certificate to the correct keystore on your server.** – Miguel-F Dec 10 '13 at 15:32
  • From the System Information in CF Admin the JVM home is C:\Services\web\runtime\jre and I used the keytool from within here to import the certificate. The other server is also using HTTPS yes but the certificate has not already been imported. The certificate is for accounts.ea.com but I'm unsure if it's from Verisign or not. Is there a way I can check this @Miguel-F? – CPB07 Dec 10 '13 at 16:58
  • @CPB07 - Yes, you can view the certificate when you browse to their site in your browser (by clicking on the lock icon). It looks like it is a Verisign certificate so there might be something else going on here. I just browsed to the URL in your `cfhttp` tag and it requires authentication; an email address and password. I don't see you providing those in your code. You will need to check their api to see how they want those credentials passed to them. – Miguel-F Dec 10 '13 at 17:33
  • The email address and password are passed in the body of the 5th HTTP request (there are 14 in total to successfully log in) which is working on one of the servers no problem so the actual functionality for logging in to the API is working fine but there must be something different between the server which can run the login script fine and my local machine but I cannot for the life of me fathom what it is!! :( – CPB07 Dec 11 '13 at 09:47
  • The error that I see in the dump that you included above tells me that the login is not working - `ErrorDetail I/O Exception: peer not authenticated`. – Miguel-F Dec 11 '13 at 15:11
  • Yes that is the issue, the log in works on one of the servers but not on the others or my local machine. – CPB07 Dec 11 '13 at 16:51
  • 1
    Have you tried using Fiddler (https://fiddler2.com/) to see what the request looks like on the local machine when login works? Try comparing that to the parameters you're sending via cfhttp. – Russ Dec 17 '13 at 08:38
  • Your solution saved my life @Miguel-F , thank you so much. – Onur Oct 04 '18 at 08:46
  • @Miguel-F thanks a ton your solution worked perfectly for me. – Saurabh Misra Feb 17 '21 at 18:08
5

I don't have enough points to comment on @Miguel-F 's answer so I need to post this answer with my experience and further details...

After following directions to add the cert, CFHTTP still wasn't getting the https site for me. I found this post which finally helped me solve the issue. It describes adding SSL debug output to the coldfusion-out.log file, which specifies the exact download URL for the cert you're missing. The cert I was missing was for "Let's Encrypt" which appeared in the log file as:

accessLocation: URIName: http://cert.int-x3.letsencrypt.org/

I hit that URL and used the keytool to add the downloaded file to keystore. Voila! Sanity restored.

I both love and hate ColdFusion

Clark Baker
  • 81
  • 1
  • 3
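
The log check described in the answer above, as an added example (not code from the post or from ColdFusion): it reads SSL debug output, picks out only the caIssuers download URL rather than the OCSP one, and goes a step beyond the post by separating trust-store failures from handshake alerts that a certificate import will not fix. The log lines are constructed samples, and `ca_issuer_urls` and `triage` are hypothetical names.

```python
import re

# Constructed samples shaped like JVM SSL debug output in coldfusion-out.log.
# Only the letsencrypt URL comes from the post; everything else is made up.
SAMPLE_TRUST_LOG = """\
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.example.test/
,
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]
worker-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""
SAMPLE_ALERT_LOG = """\
worker-1, RECV TLSv1 ALERT:  fatal, handshake_failure
worker-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

ACCESS_METHOD = re.compile(r"^\s*accessMethod:\s*(\S+)")
ACCESS_LOCATION = re.compile(r"^\s*accessLocation:\s*URIName:\s*(\S+)")
FATAL_ALERT = re.compile(r"Received fatal alert: (\w+)")
PKIX_FAILURE = "unable to find valid certification path"


def ca_issuer_urls(log_text):
    """Return caIssuers URLs (issuer certificate downloads), deduplicated."""
    urls, method = [], None
    for line in log_text.splitlines():
        m = ACCESS_METHOD.match(line)
        if m:
            method = m.group(1)  # remember which kind of location follows
            continue
        m = ACCESS_LOCATION.match(line)
        if m:
            # An ocsp location is a revocation responder, not a certificate.
            if method == "caIssuers" and m.group(1) not in urls:
                urls.append(m.group(1))
            method = None
    return urls


def triage(log_text):
    """Classify a failed handshake from its debug log."""
    alerts = sorted(set(FATAL_ALERT.findall(log_text)))
    if PKIX_FAILURE in log_text:
        # Trust store lacks a CA or intermediate: importing a cert can help.
        return {"cause": "untrusted_chain",
                "fetch": ca_issuer_urls(log_text), "alerts": alerts}
    if alerts:
        # The peer refused the handshake, typically a protocol or cipher
        # mismatch; adding certificates to cacerts does not change this.
        return {"cause": "handshake_rejected", "fetch": [], "alerts": alerts}
    return {"cause": "unknown", "fetch": [], "alerts": []}


if __name__ == "__main__":
    for name, log in (("trust", SAMPLE_TRUST_LOG), ("alert", SAMPLE_ALERT_LOG)):
        print(name, triage(log))
```

In this sample the caIssuers URL is plain HTTP, so check the downloaded certificate's subject and fingerprint against the CA's published values before importing it with keytool.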
4

There are a number of scenarios here that could present this message.

There are also a number of detailed blog posts and threads that could help you through investigating your issue.

1) DNS resolution issue -- ensure you can hit the endpoint url, or this error will be produced.

2) Ensure to set a user agent in the cfhttp request, servers easily can detect non-standard user agents and filter them out.


3) Disable compression in the request. In cases where you are hitting some servers, this works. This can come up with some configurations of IIS. There are numerous sites with this example on the search and it has worked for me.

<cfhttp url="https://yourUrlHere.com" method="get">
    <cfhttpparam type="Header" name="Accept-Encoding" value="*"> 
    <cfhttpparam type="Header" name="TE" value="deflate;q=0">
</cfhttp>

Another header you can try to send depending on the http server on the other end is:

<cfhttpparam type="header" name="Accept-Encoding" Value="no-compression"> 

Source

4) If the issue is caused by an SSL certificate, you can manually add the certificates to your server. I prefer not to look in this direction if possible but you can search for it.

5) Another scenario of connecting to an https url is that there may be a need to disable the default certificate provider (there are many in Java and the default one may not fit what is needed). This does not impact security, only uses a different, equivalent library.

Source for Example 5

6) Last but not least, you may be falling prey to rewrite rules. I have not experienced this, but it looks interesting.

CFHTTP "Connection Failures" issues when using mod_rewrite

Jas Panesar
  • 6,599
  • 3
  • 34
  • 45
  • Point 5 worked for me. Not sure if that has any other security implication. Anyone got any idea? – nasaa Sep 14 '15 at 09:09
4

I had a server with Coldfusion 10 (using Java Version:1.7.0_15) and Windows Server 2008. I had added certificates for my API url. But I was getting error

Connection Failure: Status code unavailable.

Then I added the following config to Coldfusion JVM config in the Coldfusion Administrator and it started working.

-Dhttps.protocols=TLSv1.1,TLSv1.2
rrk
  • 14,861
  • 4
  • 25
  • 41
  • 1
    Most of the certificates are upgrading to TLSv1.2 instead of 1.1, so this has to be added in the JVM config to work. Note: the JRE version should be 1.7 or more for TLSv1.2 to work; if not, then you have to upgrade the JRE. Also make sure your CF is 11 or above, otherwise JRE upgradation could be an issue. – Deepak Yadav Sep 22 '18 at 10:03
2

For those who may have landed here if they were having trouble using cfhttp and Google's recaptcha secure verify service (like I did), the post on this page regarding adding Google's security certificate to the JRE's cacerts file is essential.

What is also essential (and not easy to find) is to add

<cfhttpparam type="CGI" encoded="false" name="Content_Type" value="application/json; charset=utf-8">

to your cfhttp request. This will solve the error "Unable to determine content type. Invalid MIME." which also looks like a connection error. (adding to Jas' answer above)

Thanks to 12Robots over on Adobe's ColdFusion Communities forum for that one!

1

All the above will not work, if the server you are hitting requires TLS 1.2. This requires you to update your JVM to 1.8, which you can find more info on here:

http://blogs.coldfusion.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server

Neil
  • 13,042
  • 2
  • 26
  • 48
0

Thanks David. I have added below 3 header tags and all good.

<cfhttpparam type="header" name="Content-Type" value="application/json" />
<cfhttpparam type="header" name="Accept-Encoding" Value="*">
<cfhttpparam type="Header" name="TE" value="deflate;q=0">

Thanks - Hitesh

Hitesh Patel
  • 143
  • 1
  • 9
0

I had a similar issue and @Miguel-F's answer worked perfectly for me.

The only thing that I'd like to add though is that it didn't work for me on the first try because the certificate that I actually downloaded from the browser was somehow replaced by a different one by my Kaspersky Antivirus. So adding that to the trust store did nothing.

On the second try, I downloaded the certificate from a different system that did not have that antivirus and adding that to the trust store solved the issue for me.

Saurabh Misra
  • 350
  • 4
  • 12