CommandBox Coldfusion 11 SSL issue

Hi - Is there a difference between the Lucee (default server) SSL configuration and the adobe@11 cfengine?

I am unable to use a self-signed certificate with Coldfusion 11 in CommandBox, but following the exact same steps, it works with Lucee. I could not find much information about this in the documentation, so I’m hoping someone here can help steer me in the right direction.

These are the exact testing steps I performed in Terminal:

CommandBox 3.9.1+00823 on Mac OSX (10.12.6) - example host (webappsdev.mydomain.com) added to /etc/hosts file

Lucee
```shell
mkdir -p /temp/cert
cd /temp
echo "test" > index.cfm
openssl req -newkey rsa:2048 -nodes -keyout /temp/cert/key.pem -x509 -days 365 -out /temp/cert/certificate.pem
box server start SSLEnable=true SSLCertFile=/temp/cert/certificate.pem SSLKeyFile=/temp/cert/key.pem host=webappsdev.mydomain.com
```

SSL does not work the very first “server start”

```shell
box server stop
box server start SSLEnable=true SSLCertFile=/temp/cert/certificate.pem SSLKeyFile=/temp/cert/key.pem host=webappsdev.mydomain.com
```

Success

After certificate exception in web browser the “test” text is displayed

Coldfusion 11
```shell
mkdir -p /temp2/cert
cd /temp2
echo "test" > index.cfm
openssl req -newkey rsa:2048 -nodes -keyout /temp2/cert/key.pem -x509 -days 365 -out /temp2/cert/certificate.pem
box server start cfengine=adobe@11 SSLEnable=true SSLCertFile=/temp2/cert/certificate.pem SSLKeyFile=/temp2/cert/key.pem host=webappsdev.mydomain.com
```

SSL does not work the very first “server start”

```shell
box server stop
box server start cfengine=adobe@11 SSLEnable=true SSLCertFile=/temp2/cert/certificate.pem SSLKeyFile=/temp2/cert/key.pem host=webappsdev.mydomain.com
```

Error

The web browsers display the following error messages, with no option for certification exceptions:

Chrome

This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR

Firefox

Yes there is a difference but I don’t quite understand what it is. I just have to set the following JVM arg to get SSL to work on Adobe servers.

server.json

```json
"jvm": {
  "args": "-Dcom.sun.net.ssl.enableECC=false"
}
```

Thanks!

~Brad

ColdBox/CommandBox Developer Advocate
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
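An added helper (not from the thread or from CommandBox itself) for applying Brad's workaround to a server.json that already carries other JVM flags: it keeps existing `jvm.args`, replaces a conflicting `enableECC=true`, and is safe to run twice. It assumes `jvm.args` is the space-separated string shown above; the sample server.json is constructed. Note the trade-off: the flag disables Java's elliptic-curve (SunEC) support, so the server stops offering ECDHE/ECDSA cipher suites and relies on the remaining RSA/DHE ones.

```python
import json

# The JVM flag from Brad's reply. The example assumes CommandBox's
# server.json stores "jvm.args" as a single space-separated string.
ECC_FLAG = "-Dcom.sun.net.ssl.enableECC=false"


def add_jvm_arg(server_json: str, flag: str = ECC_FLAG) -> str:
    """Return server.json text with `flag` present exactly once in jvm.args.

    Any existing value for the same -Dproperty (e.g. enableECC=true) is
    removed first, so the JVM's last-wins rule cannot silently undo the fix.
    """
    config = json.loads(server_json) if server_json.strip() else {}
    jvm = config.setdefault("jvm", {})
    existing = jvm.get("args", "")
    if isinstance(existing, list):          # tolerate an array form as well
        existing = " ".join(existing)
    key = flag.split("=", 1)[0]             # "-Dcom.sun.net.ssl.enableECC"
    kept = [a for a in existing.split() if a.split("=", 1)[0] != key]
    kept.append(flag)
    jvm["args"] = " ".join(kept)
    return json.dumps(config, indent=2)


def jvm_args(server_json: str) -> list:
    """Split jvm.args back into a list for inspection."""
    return json.loads(server_json).get("jvm", {}).get("args", "").split()


if __name__ == "__main__":
    # Constructed sample: an adobe@11 server that already has a heap flag
    # (which must survive) and the ECC property set the wrong way.
    sample = json.dumps({
        "app": {"cfengine": "adobe@11"},
        "jvm": {"args": "-Xmx1024m -Dcom.sun.net.ssl.enableECC=true"},
    })
    print(add_jvm_arg(sample))
```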

I updated my server.json and it resolved my problem. Thanks Brad!!

Glad to hear it’s working. I’ve tried to research WHY it happens and what the real fix is, but when I search for that JVM arg, all I find are people getting the same errors and the answers always just say “use this JVM arg and it will work”. Sort of frustrating, but I guess that’s the internet for you.

Thanks!

~Brad


This might be a dumb question but you’re using OpenSSL to generate the key, does OpenSSL need to be installed or configured for CB to handle SSL or will Undertow do that automatically if we give it the cert/key etc?

So far as I know, OpenSSL was only needed to generate the original cert. Once the cert was generated and plugged into the server, Undertow did the rest.

Thanks!

~Brad
