PKIX path building failed to ForgeBox when attempting to install TestBox

Hello, I am having difficulty downloading TestBox through my corporate firewall. I have extracted the following from the commandbox log file

"ERROR","FILEAPPENDER","07/20/2022","21:51:37","commandbox.system.util.ForgeBox","Something other than JSON returned. GET https://www.forgebox.io/api/v1/entry/testbox Unknown host: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Connection Failure. Status code unavailable. Actual HTTP Response: Connection Failure"
"ERROR","FILEAPPENDER","07/20/2022","21:51:37","commandbox.system.Shell","No satisfying version found for [stable]. Well, we tried as hard as we can.  forgebox can't find the package and you don't have a usable version in your local artifacts cache.  Please try another version."

So far I have used Chrome to download the certificate. I changed the extension from a .cer to a .crt. I have used Java keytool to insert it into the cacerts keystore of the CommandBox jre and my main JAVA_HOME, So far with no luck.

The commandbox JRE was determined by typing this into the CommandBox I recently installed.
repl 'createObject( "java", "java.lang.System" ).getProperty( "java.home" )'

It is under [path-to-commandbox]\commandbox-5.5.2\jre.
I am a Windows 10 user BTW.

Any suggestions would be much appreciated.

This happens when your IT people decide to spoof on your SSL traffic by forcing a man-in-the-middle attack at the firewall to stick fake certs into your HTTPS traffic. Your browser works because they’ve loaded their own custom CAs into your Windows store. Lucee has its own trust store that you need to add the certs to (it won’t work just to add it to the JREs). And doing so is actually really easy. Just run the following from the command line:

#sslcertificateinstall forgebox.io

Then close and re-open the CLI and try again.

@bdw429s can we add this to the docs on an FAQ page please

I will gladly merge any pull request to do so :slight_smile:

Thanks. That changed the symptom. This might just be due to timing. It did not error for certificate, but says the service is down.

ERROR (5.5.2+00578)

503 Service Unavailable
HTTPS://downloads.ortussolutions.com/ortussolutions/testbox/4.5.0/testbox-4.5.0.zip

Q: Clarification. Do we need to use the #sslcertificateinstall inside CommandBox as well as install the certificate in the JRE cacerts? Is there documentation for #sslcertificateinstall? I don’t see it when I am at the shell prompt and type help.

So a 503 is progress because it means you actually contacted a server and got a reply. The question is whether that reply came from S3 or whether your firewall intercepted the traffic and is screwing with you. An easy way to debug the actual HTTP response headers is to just hit the URL from the REPL and see what you get.

CommandBox> repl "http url='HTTPS://downloads.ortussolutions.com/ortussolutions/testbox/4.5.0/testbox-4.5.0.zip'; echo(serializeJSON(cfhttp))"

No. And to be clear, #sslcertificateinstall isn’t installing anything “inside of CommandBox” per se-- it’s just asking Lucee to stick the cert in Lucee’s trust store. The JRE’s cacerts file is useless here and completely unused. Lucee overrides the JRE’s trust store with its own.

Is there documentation for #sslcertificateinstall

Yes, it’s just a normal everyday Lucee function:

That’s because you’re looking for the wrong thing. Run help for that actual command

#sslcertificateinstall  ?

and you’ll see that # is just a shortcut for the cfml command, which DOES show up in the general command help. The cfml command is also explained here:

It’s basically just a shortcut to running any CFML function you want via the REPL.

#now
#hash mypassword
#sleep 2000
#sslcertificateinstall host.com

Are no different from running

repl now()
repl hash("mypassword")
repl sleep(2000)
repl sslcertificateinstall("host.com")

So the ability to install the SSL cert really isn’t even a CommandBox feature per se. It’s just a thing Lucee allows which you can easily access via CommandBox’s shortcuts for running CFML from the CLI.


The repl with echo dumped a jumble of stuff with mimetype application/zip. The status code captured in the repl is 200. From the browser with the https://download command, I actually got the zip file downloaded. (Yay!!! That’s something) Then I immediately tried the box> install testbox and got the 503 error again.

Here is the output from the repl, without the large dump that I think was the zip contents.

"responseheader":{
"alt-svc":"h3=":443"; ma=86400, h3-29=":443"; ma=86400",
"Content-Length":"1312206",
"Date":"Thu, 21 Jul 2022 16:57:49 GMT",
"Server":"cloudflare",
"Report-To":"{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rqDSMsp%2ByZY85cYbIWEAjbSZlLK2%2Fdopfz66LpIQpTGMvKxQfxV9zuPR5YzCg7MiLvHxv%2FZTDDY0JN%2FZaCvCkqSd0zIujeRWKdryrjba5leXSv4yTDSShnasHwCU%2FJE3Tlhua7o1jwPnJfF0vVE%3D"}],"group":"cf-nel","max_age":604800}",
"Vary":"Accept-Encoding",
"etag":""1e82121402ff9f6fc7ab5f5fb7ae7d63"",
"CF-RAY":"72e57a51190a57b5-IAD",
"Expect-CT":"max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"",
"NEL":"{"success_fraction":0,"report_to":"cf-nel","max_age":604800}",
"Accept-Ranges":"bytes",
"x-amz-cf-pop":"IAD89-C1",
"CF-Cache-Status":"MISS",
"via":"1.1 f88487c9214731db4c82619c9183bf7a.cloudfront.net (CloudFront)",
"status_code":200,
"last-modified":"Mon, 13 Dec 2021 23:49:52 GMT",
"x-amz-cf-id":"_2YViJ6661K-BVTuifFUQo_oWJqGJvQ_Ghb2Kcf1nooo1B4JCmhkiw==",
"Content-Type":"application/zip",
"Cache-Control":"max-age=86400",
"x-amz-version-id":"8ksVNRaPfRgr1DrU0vPpC2ZevpkqyshE",
"x-cache":"Miss from cloudfront",
"Connection":"keep-alive",
"explanation":"OK"
},
"header":"HTTP/1.1 200 OK Date: Thu, 21 Jul 2022 16:57:49 GMT Content-Type: application/zip Content-Length: 1312206 Connection: keep-alive last-modified: Mon, 13 Dec 2021 23:49:52 GMT x-amz-version-id: 8ksVNRaPfRgr1DrU0vPpC2ZevpkqyshE etag: "1e82121402ff9f6fc7ab5f5fb7ae7d63" x-cache: Miss from cloudfront via: 1.1 f88487c9214731db4c82619c9183bf7a.cloudfront.net (CloudFront) x-amz-cf-pop: IAD89-C1 x-amz-cf-id: _2YViJ6661K-BVTuifFUQo_oWJqGJvQ_Ghb2Kcf1nooo1B4JCmhkiw== Cache-Control: max-age=86400 CF-Cache-Status: MISS Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rqDSMsp%2ByZY85cYbIWEAjbSZlLK2%2Fdopfz66LpIQpTGMvKxQfxV9zuPR5YzCg7MiLvHxv%2FZTDDY0JN%2FZaCvCkqSd0zIujeRWKdryrjba5leXSv4yTDSShnasHwCU%2FJE3Tlhua7o1jwPnJfF0vVE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 72e57a51190a57b5-IAD alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 ",
"statuscode":"200 OK",
"status_code":200,
"http_version":"HTTP/1.1",
"mimetype":"application/zip"
}

That means it’s working. If the install command is failing, it’s probably failing on a different URL. Please run

install --verbose

and report the actual full output so we can tell what exactly is failing.


Well this feels like I am doing it wrong.

CommandBox> install --verbose testbox
 × | Installing package [forgebox:testbox]
   |----------------------------------------------------
   | Verifying package 'testbox' in forgebox, please wait...
   | Installing version [4.5.0+5].
   | Verified entry in forgebox: 'testbox'
   | Deferring to [https] endpoint for forgebox entry [testbox]...
   | Downloading [HTTPS://downloads.ortussolutions.com/ortussolutions/testbox/4.5.0/testbox-4.5.0.zip]
   |----------------------------------------------------


ERROR (5.5.2+00578)

503 Service Unavailable
HTTPS://downloads.ortussolutions.com/ortussolutions/testbox/4.5.0/testbox-4.5.0.zip

The results in c:\users\Greg.commandbox\logs\commandbox.log also feel a bit underwhelming.

"INFO","FILEAPPENDER","07/21/2022","16:49:52","wirebox.system.cache.providers.CacheBoxProvider","Starting to reap CacheBoxProvider: METADATACACHE, id: 24404443"
"INFO","FILEAPPENDER","07/21/2022","16:49:52","wirebox.system.cache.providers.CacheBoxProvider","Finished reap in 2ms for CacheBoxProvider: METADATACACHE, id: 24404443"
"INFO","FILEAPPENDER","07/21/2022","16:59:10","wirebox.system.cache.providers.CacheBoxProvider","Reaping scheduled task started for default cache."
"INFO","FILEAPPENDER","07/21/2022","16:59:10","wirebox.system.cache.providers.CacheBoxProvider","CacheBox Cache: default has been initialized successfully for operation"
"INFO","FILEAPPENDER","07/21/2022","16:59:10","wirebox.system.cache.providers.CacheBoxProvider","Reaping scheduled task started for METADATACACHE cache."
"INFO","FILEAPPENDER","07/21/2022","16:59:10","wirebox.system.cache.providers.CacheBoxProvider","CacheBox Cache: METADATACACHE has been initialized successfully for operation"
"ERROR","FILEAPPENDER","07/21/2022","16:59:28","commandbox.system.Shell","503 Service Unavailable
HTTPS://downloads.ortussolutions.com/ortussolutions/testbox/4.5.0/testbox-4.5.0.zip"

Do you have an http proxy configured in CommandBox, because the result of the install command and the http command in the repl should be the same otherwise.

:smiley: I don’t even know how I would apply a proxy to commandbox.

[Edit: Nobody said I can’t learn. I have since skimmed/read much of the commandbox documentation. Whew that’s a bunch. Rest assured my command box is an out-of-the-box (pun not intended) setup, that I primarily installed just to get testbox.]

I admit the status code 503 problem as presented is weird. I wondered if I was causing a problem by starting the box command from a cmd shell that I had Run as Administrator. I ran a regular cmd shell. I immediately got the PKIX certificate error again so applied the @sslcertificateinstall again. It worked past the certificate error and got me back to the 503 error. I have repeatedly tested and validated that the repl command as issued returns its own 200, plus whatever is in the header + payload. Running install testbox [--verbose] or install coldbox just gives me the 503. But if I use the URL for the given HTTPS://…zip in a browser, it does download the zip for me. That is something, so at least I can get some work done. I just thought that long term, if I ever wanted to upgrade or guide others on my team, the commandbox instructions would have been the preferred way to go.

BTW: The work laptop I have been using does not have a proxy registered in its basic internet options. The corporation I work for has configured our machines to “Automatically detect settings”. That is the box checked under LAN settings in Internet Options. It has been a while since we have used a fixed proxy, or at least one that I know of.

Typically when I have these kinds of issues it has been a case where I have to install a certificate somewhere in Java cacerts or a Windows certificate trust store. I do feel that we are past the certificate issue, but I have no idea what is going on now.

I’m inclined to say that if your browser needs a proxy, then CommandBox also needs that proxy. (And java has no such thing as auto-detect when it comes to proxies). However, the real puzzler is why the zip file would appear to download from the REPL but not from the install command. I’ve never seen a difference between those two.

I’d love to know what the body of the request is and the headers, but that’s what the REPL was supposed to show us.

Neither do I. If you’re around tomorrow, jump on CFML Slack or Box team Slack so we can chat in real time and I can have you test some things while I watch our logs in Cloudflare. That will at least tell me if your HTTPS requests are reaching out of your firewall. My current theory is they are getting responded to from a security appliance inside your corporate network. In fact, you may want to reach out to your IT admins and ask them if they can trace the request.
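As an added example (not from this thread or from CommandBox), here is a small Python check that applies the theory above to a `cfhttp` struct captured from the REPL: a reply that really traversed the Ortus download path carries Cloudflare and CloudFront headers (as the 200 response posted earlier does), while a reply from an in-network appliance will lack them. The `SecureGateway` server string and `X-Blocked-Reason` header in the second sample are constructed for illustration, not real product identifiers.

```python
# Added example: fingerprint where a captured HTTP reply came from, using the
# response-header struct that CommandBox's `http` REPL call serializes.
import json

# Header names present on the thread's successful 200 response. They mark the
# CDN layers (Cloudflare in front of CloudFront/S3) that the origin sits behind.
ORIGIN_MARKERS = {
    "cloudflare": ("server", "cf-ray", "cf-cache-status"),
    "cloudfront": ("via", "x-amz-cf-id", "x-amz-cf-pop", "x-cache"),
}

def classify(cfhttp):
    """Return status, verdict and the CDN markers found in a cfhttp struct."""
    headers = {k.lower(): str(v) for k, v in cfhttp.get("responseheader", {}).items()}
    seen = {}
    for layer, names in ORIGIN_MARKERS.items():
        present = [n for n in names if n in headers]
        # 'Server' only counts as a Cloudflare marker if it actually says so.
        if layer == "cloudflare" and "server" in present \
                and "cloudflare" not in headers["server"].lower():
            present.remove("server")
        seen[layer] = present
    status = int(cfhttp.get("status_code", 0))
    if seen["cloudflare"] and seen["cloudfront"]:
        verdict = "origin" if status == 200 else "origin-error"
    elif seen["cloudflare"]:
        verdict = "edge-only"    # Cloudflare answered, CloudFront/S3 never reached
    else:
        verdict = "intercepted"  # no CDN fingerprint at all: answered elsewhere
    return {"status": status, "verdict": verdict, "markers": seen}

def classify_json(text):
    """Same check on the raw serializeJSON(cfhttp) output pasted from the REPL."""
    return classify(json.loads(text))

# Constructed samples: the first mirrors the headers posted in the thread,
# the second is a hypothetical 503 produced by an in-network appliance.
SAMPLE_OK = json.dumps({
    "status_code": 200, "mimetype": "application/zip",
    "responseheader": {"Server": "cloudflare", "CF-RAY": "72e57a51190a57b5-IAD",
                       "CF-Cache-Status": "MISS", "x-amz-cf-pop": "IAD89-C1",
                       "via": "1.1 f88487c9214731db4c82619c9183bf7a.cloudfront.net (CloudFront)",
                       "x-cache": "Miss from cloudfront", "Content-Type": "application/zip"}})
SAMPLE_BLOCKED = json.dumps({
    "status_code": 503, "mimetype": "text/html",
    "responseheader": {"Server": "SecureGateway/1.0", "Content-Type": "text/html",
                       "X-Blocked-Reason": "category: file-download"}})

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BLOCKED):
        print(classify_json(sample))
```

Capture the failing install's reply the same way (the `http` call in the REPL, or `install --verbose`) and feed it in; an `intercepted` verdict on a 503 is what you would hand to the IT admins when asking them to trace the request.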