cfhttp: Connection Failure with SSL

Over at the CE Corral we ran into an issue with cfhttp (on ColdFusion 10) when fetching pages over SSL from our front end client sites: the dreaded "Connection Failure" message.

Casting about on Stack Overflow for a bit, we found a post detailing a quick hack-around...

<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset storeProvider = objSecurity.getProvider("JsafeJCE") />
<cfset objSecurity.removeProvider("JsafeJCE") />

...which looked pretty sweet (not to mention super simple), but unfortunately it didn't work for us.

Next up (okay, if I'm being honest, I found this post first, and looked around for something easier... oh, well :D), we found this post about importing a site's SSL cert into ColdFusion, which did work.

So, first things first and all that there, you should probably grab the site's cert. You can do that in various ways, including openssl, e.g.

openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

...and pipe it out to wherever you like, but you can also use Firefox (which is at 38.0.1 as of this post, so the directions below might vary a bit if you're using a later version) to grab it.

Just navigate to a page on the site that uses SSL, click the green lock icon on the left of the address bar, then 'More Information...', go to the 'Security' tab and click the 'View Certificate' button. In the resulting dialog go to the 'Details' tab and then click the 'Export...' button...

[Screenshot: Export Certificate dialog]

...and save the cert wherever you like.

Next, locate the keytool utility and cacerts file for your Java installation on your cf server. For our setup (a Windows box), these were found at C:\ColdFusion10\jre\bin\keytool.exe and C:\ColdFusion10\jre\lib\security\cacerts.

Per the Stack Overflow post, the general form of the keytool invocation is as follows...

keytool -import -v -alias [your cert alias name] -file [path to cert file] -keystore cacerts -storepass changeit

...so given the locations above...

C:\ColdFusion10\jre\bin\keytool.exe -import -v -alias ourcert -file C:\Users\Administrator.ASDFQWERTY\Desktop\ourcert -keystore C:\ColdFusion10\jre\lib\security\cacerts -storepass changeit

Finally, opening a terminal/PowerShell/etc. window and entering in the above should get you something like...

[Screenshot: keytool import]

...and that should be it!
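
The same import with the checks worth doing around it, as an added example (not from the original post or the Stack Overflow answer): it fingerprints the exported cert, compares that against a fingerprint obtained out-of-band, backs up cacerts, imports, then lists the new entry. Paths and alias are the ones used above; $ExpectedSha256 and the Get-HexOnly helper are assumptions introduced for this example.

```powershell
# Added example. Paths and alias are the ones from the post above.
$Keytool  = 'C:\ColdFusion10\jre\bin\keytool.exe'
$Cacerts  = 'C:\ColdFusion10\jre\lib\security\cacerts'
$CertFile = 'C:\Users\Administrator.ASDFQWERTY\Desktop\ourcert'
$Alias    = 'ourcert'
# Placeholder (assumption): fingerprint supplied by the site owner through
# another channel, not read off the same connection the cert came from.
$ExpectedSha256 = 'REPLACE-WITH-SHA256-FINGERPRINT'

$ErrorActionPreference = 'Stop'

# Hypothetical helper: strip colons/spaces so fingerprints compare cleanly.
function Get-HexOnly([string]$s) { ($s -replace '[^0-9A-Fa-f]', '').ToUpper() }

$expected = Get-HexOnly $ExpectedSha256
if ($expected.Length -ne 64) {
    throw 'Set $ExpectedSha256 to the 64-hex-digit fingerprint first.'
}

# 1. Fingerprint the exported certificate (PEM or DER export both load).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = Get-HexOnly ([BitConverter]::ToString($sha256.ComputeHash($cert.RawData)))
Write-Host "Subject: $($cert.Subject)  NotAfter: $($cert.NotAfter)"
Write-Host "SHA-256: $actual"
if ($actual -ne $expected) {
    throw "Fingerprint mismatch, refusing to import $CertFile"
}

# 2. Keep a timestamped copy of the trust store so the change can be undone.
$backup = "$Cacerts.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item $Cacerts $backup

# 3. Import. -noprompt is acceptable here only because the fingerprint
#    was already checked above.
& $Keytool -import -v -noprompt -alias $Alias -file $CertFile `
    -keystore $Cacerts -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool import failed; backup is at $backup" }

# 4. Show the stored entry so its fingerprint can be compared once more.
& $Keytool -list -v -alias $Alias -keystore $Cacerts -storepass changeit
```

Restart the ColdFusion service afterwards, since the JVM reads cacerts at startup. If the site later replaces its certificate, the imported copy no longer matches and the import has to be repeated with the new one.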