I ran into an issue this week where Experian (the credit report provider) updated an SSL certificate in their UAT environment and it caused all cfhttp requests to throw an exception error:
I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have experienced this type of issue before with a vanilla ColdFusion install, but never with a Commandbox instance. Here’s how I fixed the issue:
I downloaded the root certificate in Chrome by navigating to the page and clicking on the “lock” icon in the address bar:
Click on “Connection is Secure” and then “Certificate is Valid”
Click on the Certification Path in the Certificate window that pops up and select the appropriate Certification Authority in the path. Click on “View Certificate”:
Click on “Details” and then “Copy to File…” to save the certificate to your hard drive.
Using the Certificate Export Wizard, export the certificate as DER encoded binary (.CER). For this example, I saved it to my downloads folder: "C:\Users\DaveL\Downloads\stg1-ss6-experian-com.cer"
Now navigate to the folder on your computer where you saved the file and change the extension from *.cer to *.crt.
Next, figure out where your Commandbox JVM is installed. Within Commandbox type:
repl 'createObject( "java", "java.lang.System" ).getProperty( "java.home" )'
Take note of the folder location. In my case, it was “C:\Program Files\commandbox\jre”.
Now it’s time to add the key to the keystore. Navigate to the “bin” directory inside the JVM directory. In my case, it was “C:\Program Files\commandbox\jre\bin”. Type in the following command:
keytool -trustcacerts -keystore "[Your JVM Path]\lib\security\cacerts" -storepass changeit -importcert -alias [CertAlias] -file "[Absolute path to your .crt file]"
Replace the brackets above with the appropriate paths for your system and .crt file. You should also give the new cert an alias. In my case it looked like this:
keytool -trustcacerts -keystore "C:\Program Files\commandbox\jre\lib\security\cacerts" -storepass changeit -importcert -alias experian -file "C:\Users\DaveL\Downloads\stg1-ss6-experian-com.crt"
If you’ve changed your keystore password, replace “changeit” in the command with the password you set.
Once complete, restart your CF server via “server restart” and you should be ready to rock!
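The import step above, wrapped in a PowerShell script that inspects the exported certificate before trusting it, backs up the trust store, and confirms afterwards that the alias holds the same certificate. This is an added example, not part of the original post; it reuses the post's paths, alias and default password, and assumes an elevated prompt so it can write under “C:\Program Files”.

```powershell
# Added example. Paths, alias and password are the values used in this post.
$JavaHome  = 'C:\Program Files\commandbox\jre'
$CertFile  = 'C:\Users\DaveL\Downloads\stg1-ss6-experian-com.crt'
$Alias     = 'experian'
$StorePass = 'changeit'   # default cacerts password; use your own if changed

$keytool = Join-Path $JavaHome 'bin\keytool.exe'
$cacerts = Join-Path $JavaHome 'lib\security\cacerts'

# 1. Inspect the exported file before trusting it JVM-wide.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
# Same colon-separated upper-case hex format that keytool prints.
$fingerprint = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    Subject = $cert.Subject
    Issuer  = $cert.Issuer
    Expires = $cert.NotAfter
    IsCA    = [bool]($bc -and $bc.CertificateAuthority)   # False means a leaf certificate was exported
    SHA256  = $fingerprint
} | Format-List

if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Keep a copy of the trust store so the change can be rolled back.
Copy-Item -Path $cacerts -Destination "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 3. Import with the same keytool call as in the post (keytool asks for confirmation).
& $keytool -trustcacerts -keystore $cacerts -storepass $StorePass -importcert -alias $Alias -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 4. Confirm the alias now holds exactly the certificate inspected in step 1.
$listing = & $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias
if ($listing | Select-String -Pattern $fingerprint -SimpleMatch -Quiet) {
    "OK: alias '$Alias' matches $fingerprint"
} else {
    throw "Alias '$Alias' does not contain the expected certificate"
}
```

Compare the printed SHA256 value with the fingerprint the browser shows for the same certificate before answering keytool's trust prompt.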
Hopefully, this helps anyone that runs into this issue.