Issues with extension.lucee.org, breaking local Lucee installs

Hi everyone,
I hope this is the right section for this.

In our company, we use locally running Lucee containers in Docker Desktop for development on the local machine. The Lucee version is 5.3.9.173 (yes, not really up-to-date). This has generally been working fine for about a year now.

But starting today, all of us suddenly had trouble using the Websocket extension which is relied upon heavily in our projects.
Checking in the Lucee administrator, it turned out the Websocket extension was no longer installed and not available for installation either, which is curious.
However, pulling the extension list from https://extension.lucee.org/rest/extension/provider/info with a desktop browser revealed that the Websocket extension should still be available. It (and many other extensions as well) just didn’t show up in the Lucee admin any more.
Issues also arose with the PostgreSQL extension:

So I dug deeper and noticed that Lucee couldn’t access the extension provider on extension.lucee.org any more. The exception message said “PKIX path building failed”, usually a problem with SSL certificate verification. I tested this with a small script, see screenshots.
The SSL certificate for this domain was apparently renewed on 2023-11-11, that’s two days ago on Saturday. Probably none of my colleagues have been working over the weekend, so maybe the renewal’s got something to do with why it started acting up today. Or maybe it’s a red herring.
After we manually added the certificate for extension.lucee.org in the Lucee administrator (Services → SSL Certificates), that resolved the issue. The Websocket extension is working again and re-appeared in the extensions list in Lucee admin as well.
Database connections using the PostgreSQL extension are also working again.

That probably means that without further preparation, our production Lucee installs will display the same symptoms, once they are restarted.

As far as I can tell from a quick search on https://crt.sh, the current and the previous server certificate are pretty much identical. And web browsers as well as openssl or Qualys’s SSL test don’t report any errors.
Also, it’s not an issue with Let’s Encrypt (CA) certificates in general. Lucee has no problems with other sites with LE certificates like https://letsencrypt.org.
Date and time are also set correctly in the containers.
Currently I’m a bit stumped as to why extension.lucee.org can’t be verified but ‘letsencrypt.org’ and others can.

But my main questions are:

  1. Is it intended behaviour that extensions simply stop working just because the extension provider URL happens to be unreachable or its certificate can’t be verified?
  2. Has anyone else experienced this issue with extension.lucee.org (or with the extensions list in Lucee admin after a restart) in the past few days?

Thanks!

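The symptom described in the post above (one client accepts a certificate, another reports a path building failure, and adding the certificate to the second client's store resolves it) can be reproduced offline with openssl. This is an added example, not part of the original thread and not Lucee code; all names and certificates are constructed, and the "app store lacks the issuing root" setup is an assumption for illustration only, since the thread does not establish why Lucee rejected the chain.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME: self-signed root CA written to $work/NAME.pem
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# make_leaf ROOT NAME: server certificate for NAME, signed by ROOT
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 2 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# check STORE CERT: can a chain be built from CERT to an anchor in STORE?
# -partial_chain lets any certificate in STORE act as an anchor, the way an
# entry in a Java truststore does.
check() {
  if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "path building failed"
  fi
}

make_root issuing-root          # the CA that signed the server certificate
make_root unrelated-root        # an anchor that did not sign it
make_leaf issuing-root server.example

cp "$work/issuing-root.pem"   "$work/browser-store.pem"  # knows the issuer
cp "$work/unrelated-root.pem" "$work/app-store.pem"      # does not (assumed)

echo "browser store:    $(check "$work/browser-store.pem" "$work/server.example.pem")"
echo "app store:        $(check "$work/app-store.pem" "$work/server.example.pem")"

# The workaround from the post: add the server certificate itself to the store.
cat "$work/app-store.pem" "$work/server.example.pem" > "$work/app-store-fixed.pem"
echo "app store + cert: $(check "$work/app-store-fixed.pem" "$work/server.example.pem")"
```

A server certificate added to a store this way only matches that exact certificate, so the entry has to be replaced whenever the certificate is renewed.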

Are you by any chance on Lucee 4.5 or on a lower version? I ask because I can see that the code fails on Lucee 4.5.

I tested the following version of your code on trycf.com, using

  • Lucee 4.5 LATEST
  • Lucee 5 LATEST
  • Lucee 6 Beta

<cfscript>

uri="https://extension.lucee.org/rest/extension/provider/info";

cfhttp (url="#uri#", result="localHttp1", timeout="20") {
	cfhttpparam( type="header", name="accept", value="application/json");
};
dump(var=localHttp1, label="localHttp1");

http url="#uri#" result="localHttp2" timeout="20" {
	httpparam type="header" name="accept" value="application/json";
};
dump(var=localHttp2, label="localHttp2");

</cfscript>

As you can see, the code works on Lucee 5 and Lucee 6. But it fails on Lucee 4.5, with errors “Unknown host: peer not authenticated” / “Connection Failure”.

Hey, thanks for taking the time. But as I wrote at the beginning of my post, we’re on version 5.3.9.173, so not really up-to-date but also not ancient 🙂

I have yet to find the time to investigate this issue further. But as no one else has chimed in so far, I assume it has something to do with our environment.
The Docker image we’re basing our environment upon is lucee/lucee:5.3.9.173.

I will look into it ASAP.

Can you please also provide the full stack trace, including all “caused by”?
