coldbox install via commandbox error - ForgeBox returned something other than JSON


I am trying to install coldbox using commandbox but am getting the following error:

CommandBox:coldbox> install coldbox

Installing package [forgebox:coldbox]
Verifying package ‘coldbox’ in ForgeBox, please wait…
Uh-oh, ForgeBox returned something other than JSON. Run “system-log | open” to see the full response.

408 Request Time-out

The error in the commandbox log is:
“ERROR”,“FILEAPPENDER”,“06/20/2016”,“14:02:08”,“commandbox.system.util.ForgeBox”,"Something other than JSON returned. GET
408 Request Time-out Actual HTTP Response: Connection Timeout"

We have a firewall but I have already set the proxy server and its port. Performing a upgrade command for commandbox seems to be ok, i.e.

CommandBox:coldbox> upgrade
Getting stable versioning information from
Your version of CommandBox (3.1.1+00383) is already current (3.1.1).

If I try to load this page from a browser, I get an HTML 404 error.
I have no problem with the ‘install coldbox’ command when I am not in the work office.

What could be wrong or what am I doing wrong?

Thanks in advance.

Check your proxy. For the URL you gave,, I get the expected JSON file that enumerates the available versions of coldbox.
I can’t remember the name of the proxyserver I use (infrequently) for debugging issues like this, but till you can make that connection, “nuttin gonna happen”, I’m thinking!

I think it might be due to this (as our organization uses Trend Micro):

HTTPS Certificate Failure
A problem was detected when accessing this web site. Access has been restricted due one of more of the following issues.

Event Details:

The Certificate Verification failed due to at least one of the following reasons:

  1. The certificate is not valid;
  2. The certificates CommonName does not match the URL
  3. The certificate was issued by an untrusted certificate authority.

When the above occurs, it redirects to another URL, and hence the error that what’s return isn’t JSON.
Brad, is there an option for us to use (i.e. with SSL), or to have a matching domain in the SSL certificate, or is SSL imperative?

Our network admins won’t make an exception for mismatched domain certificate. If there’s no other options for us, then I am afraid we won’t be able to use commandbox to automate installation, update and creation.


The certificate is valid and provided by cloudflare. I am not sure why it says that

Luis Majano
Ortus Solutions, Corp
P/F: 1-888-557-8057


Luis Majano
Ortus Solutions, Corp
P/F: 1-888-557-8057


It may be that your organization (or Trend Micro) needs to update their validation to accept multi-domain certificates. A verification of the URL in only the Common Name of the cert (see possibility #2), in this day and age is bound to fail with a fair number of providers besides Forgebox. They should be using the Common Name AND the Subject Alternative Names values from the cert.


Forgive me parachuting in here, not really in the loop, but the URL shows this for me:

400 Bad Request

The plain HTTP request was sent to HTTPS port


You can’t make an insecure request to port 443. (you have HTTP in the url instead of HTTPS)


I know cloudflare does another of management with SSL certificates and they recently added their own CA. or at least i remember reading about that on one of their recent blog posts.

Check this out Yieng to see if it will help resolve any issues. Sometimes if your upstream provider tries to modify or change the data it could cause handshaking to fail on SSL.

Thanks Luis. I will pass this info onto my network admin. Hopefully this issue is resolved soon.


Yes, that was my point :). I just clicked the URL in one of the messages on this thread, which fails for the reason you say, and as indicated in the server response I quoted. If that’s not the actual URL being used in this process, then it’s a non-issue, just didn’t want the obvious to go by un-examined.