Cfhttp and https Could not obtain server certificate chain (4th post)

Hi,

destination : plateforme.flinteractive.fr

I am again confronted with a “Connection Failure statuscode : Connection
Failure. Status code unavailable. header :” over a https connection.

I did first try to use the add certificate from within the lucee
administrator with no luck : “Could not obtain server certificate chain”

I then tried to add it with the command line :
openssl s_client -connect plateforme.flinteractive.fr:443 -showcerts | openssl x509 -outform PEM >destination.crt
but had an error “verify error:num=20:unable to get local issuer
certificate”

Then I downloaded the CA.crt file directly from STARTCOM : wget
https://www.startssl.com/certs/ca.crt

and tried again with :
mv ca.crt ca.pem
openssl s_client -CAfile ca.pem -connect plateforme.flinteractive.fr:443 -showcerts | openssl x509 -outform PEM >plateforme.flinteractive.fr.pem

and then :
/opt/lucee/jdk/jre/bin/keytool -import -keystore /opt/lucee/jdk/jre/jre/lib/security/cacerts -file ./plateforme.flinteractive.fr.pem -alias flinteractive -storepass changeit -noprompt
service lucee_ctl restart

but then it is still not working …

I also tried to join the 2 certificates (CA and final) in one file and
imported it with success but still not working …

Is there a solution ???

Thanks for your help !

Stéphane
ps : this is my 4th post, none of the 3 first show up in the lucee group …

Stéphane,

I’ve seen all 4 of your posts.

Which web server are you using in front of Lucee (if any)?

Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia

On Wednesday, May 25, 2016 at 10:02:55 UTC+2, Nando Breiter wrote:

> Stéphane,
>
> I’ve seen all 4 of your posts.

?? unbelievable … I see only this one

> Which web server are you using in front of Lucee (if any)?

I am using apache with mod_cfml

thanks for your help !

Stéphane

What I’ve done is to use a reverse proxy setup on Nginx in front of Lucee
server, and installed the ssl certs on Nginx rather than on
Lucee-Tomcat-Java. The configuration for that is simple and painless.

You might explore a similar approach using Apache, although I’m not well
versed enough to advise you conclusively.

You can check a blog post I wrote here:
Using Nginx With ColdFusion or Lucee - Nando @ Aria Media - scroll down
to where it says “However, the biggest advantage, to me, seems to be the
ease of configuring strong SSL https security on Nginx.”

Here’s a guide to setting up SSL on Apache :

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

If you find you must install the certs on Java, then you have to ensure you
install each cert in the chain to the JVM that Lucee is using, and you must
repeat the installation every time you update the JVM.

Aria Media Sagl
+41 (0)76 303 4477 cell
skype: ariamedia

On Wednesday, May 25, 2016 at 14:39:56 UTC+2, Nando Breiter wrote:

> Oh … ok. Well now I understand …
>
> Not that helpful, but I see the same error on Lucee 5. All I can suggest
> is to make sure you are installing the certs to the same JVM location that
> Lucee is running on.

how can I make sure of it ?

On Wed, May 25, 2016 at 1:44 PM, Stéphane MERLE wrote:

> Nando, we agree that my problem is with cfhttp calling external https
> domain that I do not manage ? (plateforme.flinteractive.fr)
>
> not with any kind of certificates to install to have my domain to respond
> in httpS …
>
> Stéphane

Hi Stéphane,

I just dealt with this on a Lucee 5 server and the admin import did not work for me either. In Lucee’s defense on that, I might be having some other issues with openssl, so it may not be Lucee’s fault.

What I did to get around it was add the crt the old fashioned way, which is basically what you were trying to do in your original post. I used openSSL to grab the cert from the site, copied and pasted the crt part into a file, then imported the cert into the local jvm’s keystore. This fixed my issue.

If you did a standard Lucee 5 installer build, then your command would look something like this:

$ cd /opt/lucee/jdk/jre
$ sudo ./bin/keytool -import -alias yoursite.viviotech.net -keystore ./jre/lib/security/cacerts -trustcacerts -file /path/to/yoursite.viviotech.net.crt

Hope this helps.

--
Kind regards,
Jordan Michaels
Vivio Technologies

1 Like
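
Added example (not code from this thread or from the Lucee project): `openssl x509` reads only the first certificate on its input, so piping `s_client -showcerts` into it keeps the leaf and drops the rest of the chain the server sent. The sketch below splits the `-showcerts` output into one PEM file per certificate and imports each under its own alias, following the advice above to install each cert in the chain; the function names, the `KEYTOOL` override and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. The sample input is constructed and its
# certificate bodies are placeholders, so only the split step runs on it.

# split_chain OUTDIR
# Reads `openssl s_client -showcerts` output on stdin and writes each complete
# certificate block to OUTDIR/cert-N.pem (0 is the leaf). Prints the count.
# A block with no END line (truncated output) is dropped, not written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ && inside {
            file = sprintf("%s/cert-%d.pem", dir, n++)
            printf "%s", buf > file
            close(file)
            inside = 0
        }
        END { print n + 0 }
    '
}

# import_chain DIR KEYSTORE ALIAS_PREFIX
# Imports every DIR/cert-N.pem as ALIAS_PREFIX-N, using the keytool flags from
# the thread. KEYTOOL (hypothetical override) defaults to the installer path.
import_chain() {
    dir=$1 keystore=$2 prefix=$3
    for pem in "$dir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        n=${pem##*/cert-}; n=${n%.pem}
        "${KEYTOOL:-/opt/lucee/jdk/jre/bin/keytool}" -import -noprompt \
            -keystore "$keystore" -storepass changeit \
            -alias "$prefix-$n" -file "$pem" || return 1
    done
}

# Constructed stand-in for s_client output: two blocks, leaf then intermediate.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=leaf.example.invalid
   i:/CN=Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
---
EOF
}

demo_dir=$(mktemp -d)
echo "certificates found: $(sample_showcerts | split_chain "$demo_dir")"

# Real use (needs network access and write access to the keystore):
#   openssl s_client -connect plateforme.flinteractive.fr:443 -showcerts </dev/null | split_chain ./chain
#   import_chain ./chain /opt/lucee/jdk/jre/jre/lib/security/cacerts flinteractive
```

The keystore passed to `import_chain` has to be the `cacerts` of the JVM that Lucee actually runs on, and Lucee needs a restart afterwards, as in the original post.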