Cfhttp error over SSL (unable to find valid certification path to requested target)

Hi,

We are running:

Version: Lucee 4.5.4.017 final
OS: Windows Server 2012 (6.2) 64bit
Servlet Container: Apache Tomcat/8.0.24
Java: 1.8.0_45 (Oracle Corporation) 64bit

I am getting an error that others have experienced when connecting to SSL host APIs using cfhttp.

The API is (credentials not revealed but will still give the same error as the URL with all query string parameters):

https://ee.iva-api.com/Videos/GetVideo/

The specific error is:

“Unknown host: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

When I check in the server lucee admin for SSL Certificates > host ee.iva-api.com > list I get the following:

Subject:

CN=developer.iva-api.com, OU=Domain Control Validated

Issuer

CN=Go Daddy Secure Certificate Authority - G2, OU=Repository, O=“GoDaddy.com, Inc.”, L=Scottsdale, ST=Arizona, C=US

Subject

CN=Go Daddy Secure Certificate Authority - G2, OU=Repository, O=“GoDaddy.com, Inc.”, L=Scottsdale, ST=Arizona, C=US

Issuer

CN=Go Daddy Root Certificate Authority - G2, O=“GoDaddy.com, Inc.”, L=Scottsdale, ST=Arizona, C=US

Usually that means Lucee doesn’t like the SSL Certificate or Authority… This is usually with self-signed sites etc.

You should be able to import the SSL into Lucee through the Server administrator.

Edit - Did you try importing it once in the Administrator? Can’t remember if a restart of lucee is needed or not after.

What I have noticed is that the certificate is for developer.iva-api.com and uses SAN to allow multiple hosts on the cert. Is this a known issue in the version of lucee/java we are running?

I think I’ve added it to my lucee dev, I added the developer.iva-api.com first, then I was able to add the ee.iva link. Otherwise it complained about chains…

@jedihomer because it listed the certificate chain when I did a “list” I presumed all was installed ok. If I do choose “install” then I return back the same page with the certificate list.

ok thanks. I’ll try that.

I believe, I may be totally wrong, that the list basically just tells you about the certificate you’ve entered into the host box.

Then install copies it locally as an allowed host. So that next time you CFHTTP it doesn’t complain because you’ve added the certificate.

Install seems to do “nothing” for either developer.iva-api.com or ee.iva-api.com

Maybe it’s the version of lucee you’re on…

On a Lucee (5.2) box here, that I haven’t imported any SSL when I use

<cfhttp url="https://ee.iva-api.com/Videos/GetVideo/">

<cfdump var="#cfhttp#">

I get a connection…

Yeah, So I pasted the code I used into trycfm.cfm with the engine set to Lucee 4.5 latest and I get a connection failure.

Set it to Lucee 5 Latest and it connects showing me the JSON.

So it will be something to do with the certs/CAs that are in Lucee 4.5 vs Lucee 5… Which is a little past me. I had assumed that installing the certificate on the server would allow it then on 4.5. Have you tried restarting lucee (if you’re able) to see if it does need a restart to pick up the new SSL?

I’m not able to “install” a certificate at all through the lucee admin.

I’ll try to do an install using

Hope it goes well… I didn’t even know that function existed! :wink:

Hmmm, that dump returned string “”

The function returns void, so you wouldn’t see anything…

Which I think is what the admin interface is doing as well, there’s no OK/Success flag so you don’t get a confirmation it worked… I’d like to think it throws an exception if it didn’t work.

I’ve just run this on trycfm and it appeared to work…

<cfscript>
dump(SSLCertificateInstall("ee.iva-api.com"));
</cfscript>
<cfhttp url="https://ee.iva-api.com/Videos/GetVideo/">

<cfdump var="#cfhttp#">

Yes, that worked! I just had to hit the script on all 3 of our load balanced servers.

Hope this helps someone in the future who cannot add certs through the lucee admin. :slight_smile:
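
Because SSLCertificateInstall returns nothing, the following added example (not part of the original thread) lists the chain the host presents so the subject and issuer can be reviewed, installs it, and then confirms the result with a real cfhttp request. It assumes port 443, the thread's API path, and that a successful response's status code starts with a number; the `report` structure is hypothetical.

```cfml
<cfscript>
// Hosts to trust: the API host from the thread. Run this on every load-balanced node.
hosts = ["ee.iva-api.com"];
report = [];
</cfscript>

<cfloop array="#hosts#" index="h">
    <cfset entry = {host: h, installed: false, connected: false, detail: ""}>
    <cftry>
        <!--- Chain the host presents right now; review subject/issuer before trusting it. --->
        <cfset entry.chain = SSLCertificateList(h, 443)>
        <!--- Returns nothing, so success is confirmed by the request below. --->
        <cfset SSLCertificateInstall(h, 443)>
        <cfset entry.installed = true>
        <cfhttp url="https://#h#/Videos/GetVideo/" result="res" timeout="10">
        <!--- Assumption: any numeric HTTP status means the TLS handshake passed;
              a certificate path failure leaves no numeric status. --->
        <cfset entry.connected = isNumeric(listFirst(res.statusCode, " "))>
        <cfset entry.detail = res.statusCode>
        <cfcatch type="any">
            <!--- Record the failure for this host instead of aborting the loop. --->
            <cfset entry.detail = cfcatch.message>
        </cfcatch>
    </cftry>
    <cfset arrayAppend(report, entry)>
</cfloop>

<cfdump var="#report#" label="Certificate install check">
```

The install step trusts whatever certificate the host presents at the moment it runs, so compare the dumped chain with the issuer you expect (here the Go Daddy G2 chain listed earlier in the thread) on each node.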