Cannot open file:/opt/lucee/tomcat/lucee-server/context/security/cacerts [Keystore was tampered with, or password was incorrect]

This error occurs when setting up an AWS RDS MySQL datasource in Lucee Administrator. It occurs when the database is deleted and re-created. The endpoints stay the same, all AWS settings remain the same. If I use a fresh Lucee instance… it will set up a new connection just fine. Every time a database is recreated, Lucee will no longer make a db connection and gives the following error.

Cannot open file:/opt/lucee/tomcat/lucee-server/context/security/cacerts [Keystore was tampered with, or password was incorrect]

Any ideas on how to fix this?

1 Like

There might be a way to restart the JDBC connection you have with the database, but I’m not sure how you would do that.

Why not restart Lucee server when you delete and re-create the database?

I have restarted the server. It appears that once a datasource connection is made, that authorization or verification to the db domain is saved somewhere. When the database is deleted and recreated… for example, I changed from MySQL 5.6 to 5.7… it will not authorize anymore.

I’m able to go to a fresh install of Lucee and create a new datasource connection to the new database.

Even when I went from 5.7 back to 5.6… same thing… a previously connected Lucee will not connect to a new database.

Did you ever get past this issue? I’m trying to create a db connection with Lucee and MySQL 8, but get the same error.

have you got a stack trace?

keystore-error-stacktrace.txt (7.9 KB)

This is the complete stacktrace from the error as logged in application.log (web-inf).
It implies that the keystore password authentication failed. Found that its default password is “changeit” and never changed it.

file a bug in jira

I had this same issue the other day. It was because MySQL changed the authentication mechanism. I had to go with the “Legacy” authentication rather than the more “Secure” method they auto select on install. I can’t remember the exact terms used off the top of my head right now but if you re-install MySQL just pay attention to the steps and make sure to go with the older authentication method.

I just re-read your problem and it sounds like it is slightly different than the one I was experiencing but I was receiving the same error as you. A fresh Lucee install wasn’t working for me. Hope you get it figured out.

Hey, I experienced the same exact problem.

I got it fixed by manually adding the data-source to the lucee\tomcat\lucee-server\context\lucee-server.xml file. Then restarted Lucee and it was working. I’m on the cfml:lucee Slack channel if you have any questions.

1 Like

Thanks! This worked for me.

I just tried adding the datasource in application.cfc and providing a bunch of extra params found here, but that didn’t work.

I managed to add the datasource in the server.cfm interface by unchecking ‘verify connection’, and then as you suggested edited lucee-server.xml. The datasource will be defined there after it is added in the server.cfm interface, so all I had to do is add 2 values to the “custom” attribute:


restarted lucee and everything worked.

Thanks a lot!

1 Like

Hi Guys

I am having (what I think is) the same problem with connecting a Lucee datasource to MySQL 8.0…

I’m having to use Windows 7 (6.1) 64-bit (I know, not my choice)

I have also updated my Lucee extensions and also downloaded the “Oracle 12c (release 1)” (tested before and after) because MySQL is an Oracle product.

I have also gone to “lucee\tomcat\lucee-server\context\lucee-server.xml” and updated my datasource tag by adding


to the end of custom var within the tag shown below

<data-source allow="511" blob="false" class="com.mysql.cj.jdbc.Driver" clob="false" connectionTimeout="1" custom="useUnicode=true&amp;characterEncoding=UTF-8&amp;useLegacyDatetimeCode=true&amp;useSSL=false&amp;requireSSL=false" database="liquiddata" dbdriver="MySQL" dsn="jdbc:mysql://{host}:{port}/{database}" host="localhost" id="mysql" metaCacheTimeout="60000" name="liquiddata" param-delimiter="&amp;" param-leading-delimiter="?" param-separator="=" password="encrypted:f150b3e973a9532b35ef157bfc114a21af0295aa39447dba0c8bf9ecc991ab7d" port="3306" storage="false" username="root" validate="false"/></data-sources>

I apologise if I’m being an idiot and missing something obvious, any help would be greatly appreciated…

To clarify, I am getting the error message “Cannot open file:/opt/lucee/tomcat/lucee-server/context/security/cacerts [Keystore was tampered with, or password was incorrect]”

I’ve also input the datasource without verifying, then manually edited the lucee-server.xml file and restarted Lucee, without success.

Your edits to <data-source> seem good. Your error message is exactly the same as I got, and you’ve restarted. Your case looks a lot like what I had.

The only minor difference I can spot is that I’m not using the MySQL root user in the datasource. I had authentication issues before with MySQL and the root user, so it could be related, but it’s a long shot.

I also didn’t bother with an Oracle download and am running on Ubuntu …

1 Like

Thank you Jan, I shall be trying this tomorrow and I’ll let you guys know how I get on. I think it’s probably old Windows and I’m going to have to get my client onto a newer version…
Again thanks for looking at this.

Hi guys, I’ve seen this come up a number of times now in CFML Slack, here (obviously!) and in other Slack channels. I haven’t followed it super close but it sure sounds like something needs addressed in Lucee for this. I don’t see an issue in the JIRA tracker after searching for the error message. Can someone spearhead getting this into the Lucee issue tracker if there is indeed an issue here? For instance, turning off SSL may get it working as a workaround, but that sounds like work needs done in Lucee to support SSL correctly.

cc/ @Jon_Clausen

Just a quick note in case anyone else is hitting this…

I couldn’t get the workaround to work until I deleted the datasource in Lucee admin, created it again and DID NOT click on Verify Connection. Just save it without verifying. I stopped Lucee and then added the extra config (as noted in earlier comments) to lucee-server.xml. Restart Lucee and verify from the main Services - Datasource page. Tested on Lucee 5.2.80 / MySQL 5.7.23

In other words do not verify when setting up the datasource in lucee admin.

I’m unclear about EXACTLY where to add the extra config in lucee-server.xml. Could I get some guidance please.

Running Lucee with Tomcat 8 and MySQL 8 (legacy authentication)
OK, working from gusjohnson’s input, I tried the following several times:

o deleted the data source from the Server Admin page
o created the data source from the Server Admin page without verification
o stopped the Lucee service
o edited the lucee-server.xml file and saved the file
o started the Lucee service
o from the Server Admin page, verified the data source

ERROR! - every time. Strangely, there is no output added to data source.log or any other log in the Lucee logs folder.

EDIT: testing with Lucee, Tomcat 8, MySQL 8 under CommandBox, I get a similar result of a verification error with no output to log files.

In lucee-server.xml, look for the data source element for your database connection and then edit the custom attribute, i.e. append: &useSSL=false&requireSSL=false


hope that helps.

BTW we are using MySQL 5.7.14 with Lucee
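
Added example, not code from this thread or from the Lucee project: a small audit that reads lucee-server.xml text and lists which <data-source> elements carry the useSSL=false / requireSSL=false workaround in their custom attribute, or connect as root, so they can be revisited once the cacerts keystore problem is resolved. The sample XML is constructed (root element name, hosts and datasource names are placeholders); the finding labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <data-source> element quoted in the thread.
# Root element name, hosts and datasource names are placeholders.
SAMPLE = """<config><data-sources>
<data-source name="appdb" class="com.mysql.cj.jdbc.Driver" host="db.example.internal"
  custom="useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=false&amp;requireSSL=false"
  param-delimiter="&amp;" param-separator="=" username="root"/>
<data-source name="reports" class="com.mysql.cj.jdbc.Driver" host="db.example.internal"
  custom="useUnicode=true&amp;characterEncoding=UTF-8"
  param-delimiter="&amp;" param-separator="=" username="report_ro"/>
</data-sources></config>"""


def parse_custom(ds):
    """Split the custom attribute using the element's own delimiter and separator."""
    delim = ds.get("param-delimiter", "&")
    sep = ds.get("param-separator", "=")
    pairs = (p.partition(sep) for p in ds.get("custom", "").split(delim) if p)
    return {key: value for key, _, value in pairs}


def audit(xml_text):
    """Return {datasource name: [finding labels]} for every <data-source> element."""
    report = {}
    for ds in ET.fromstring(xml_text).iter("data-source"):
        params = parse_custom(ds)
        findings = []
        if params.get("useSSL", "").lower() == "false":
            findings.append("tls-disabled")       # connection is made without TLS
        if params.get("requireSSL", "").lower() == "false":
            findings.append("tls-not-required")   # plaintext connection is accepted
        if ds.get("username") == "root":
            findings.append("root-user")          # datasource uses the MySQL root account
        report[ds.get("name")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

To check a real server, pass the contents of lucee-server.xml to audit() instead of SAMPLE.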