Setting Admin Password via CFConfig seems to not be working

When using CommandBox, you don’t need to update the CF engine the old way again. You just tell CommandBox what engine version you want and it gets it for you.

server start cfengine=lucee@5.4.4

The engine version does not go in CFConfig. It goes in the server.json. Really, these are basic things covered in the docs. I would really recommend you step back and read through the “embedded server” sections of https://commandbox.ortusbooks.com/ and the CFconfig docs: https://cfconfig.ortusbooks.com/ and then see if things are making more sense.

All the things a server.json sets are documented here:

and all the things CFConfig canset are documented here:

Just a brief review of the documentation would have made this clear.

If it’s any consolation, the way CommandBox starts and stops a server is right on par with how CLI tools for other languages like PHP or Node would work. It’s not a monolithic single web server you install. It’s a tool that can start as many servers in as may directories running as many versions of CF as you like and they can all be managed independently.

That’s the interactive shell. It’s not a requirement to use Commandbox, it just makes things easier, especially for Windows users who don’t have bash.

That would be incorrect. A server is attached to the shell that started it as much as a milkshake is attached to the McDonalds drive through window. Which is to say, not at all. When you start a server with the server start command, whether you use the interactive shell or not, simply fires off a Java process that runs on your machine. This java server process is a separate Java process from the CLI itself and stays running regardless of what you do with the CLI process (such as exiting).

I’m not sure what would give you that impression as I said nothing of the sort. I even gave examples of the things each file controls.

Do “ports, CF engine, web root, and rewrites” sound the same as “datasources and mail servers”? I would hope not as those are different words that mean different things.

That’s not at all what I said. I’m not even sure where you’d get that idea from. A “server” involves a lot of moving parts. Each file controls a different aspect of the server as I explained. Adding a datasource connection to your data base is part of the “server” but a very different part than setting what port is bound to. Not even Adobe CF or Lucee configure those two things in the same place.

Again, a precursory review of the docs should be answering basic questions like this. I’ve already answered this in this very thread even. I want to help you here, but you’ve got to help us help you

Yes, if you put your datasources in your cfconfig.json file, then they will be loaded into the server every time it starts, which means

• first start ever
• update to new version
• after you forget the server

you always have all your config ready to go. One of the easiest ways to setup that JSON file is to add your settings manually to the CF admin and then export them to the JSON like so

cfconfig export .cfconfig.json

CFConfig is a powerful tool and can do a lot of things. Primarily it moves configuration from point A to point B where any point can be

• a JSON file
• a CommandBox server’s server home
• ANY CF server home even installed on Tomcat

So when you import a JSON file to a server, the settings are read from that JSON file stored in the XML files for that CF engine (Lucee/adobe). When you run a cfconfig set command, that one single setting is written to the XML files for that engine. if you export settings like I showed above, the settings are read FROM the engine’s XML files and written to a JSON file. There’s like a million ways you can use it so there’s many ways it can fit into a workflow.

CFConfig handles CF engine passwords. But there’s not just “one way” you can do it. You can

• do a one time set with cfconfig set
• do a manual import from a JSON file containing the password
• put a .cfconfig.json file with that exact name in the web root and it will get picked up automatically when you start the server
• set a cfconfig_adminPassword environment variable which will get picked up automatically when you start the server.

These all do a similar thing and the end of the day and you can pick which one meets your needs.

CFConfig. See the docs I linked above that show what CFConfig handles. Just running

cfconfig show

will show you a JSON representation of all the Coldfusion settings CFConfig “sees” in your server’s XML files.

This is not a valid command. You’re mixing what CFConfig does and what the server.json does. Again, please spend some more time in the docs. It covers all these use cases with examples.

OK, I am starting to understand, maybe?

server.json contains the parameters by which CommandBox will start up the Lucee server, like Lucee version, heap sizes (my nemesis) etc.

.CFConfig.json is what CommandBox will use to set the Lucee things that can be set within the web and server administrator pages … I think? Do I need to be exporting and saving this every time I make a change? Is it being saved somewhere else, instead?

Your item about the .env for the password is really confusing to me, however.

Would it be too much to just ask: in a straightforward way, how do I set the Web and Server Administrator passwords with CommandBox? Does it have to be with this .env method? Can’t it be done with CFConfig? What do I need to do to make those passwords “sticky” so they’re retained in future server restarts? I’m sorry, this is really just kind of at the core of where I’m having a lot of set-up trouble, here. It’s a very “blocking” issue and I feel like we’re dancing around it but not just really directly addressing it.

Unless, of course, the method you just gave above is sort of how to do it? But that also isn’t quite clear to me, tangibly. Would I need to export the .CFConfig.json, then open it and manually add this environmental variable, then close it and save it in the webroot, and then make the .env file? Would that also go in the webroot? Also: I really super do not like the idea of storing raw passwords in the webroot? That seems weird? Or is it not?

Again, lots of dancing around, and I know we keep wanting to point to the documentation, but I’m sorry: it’s just not there. I’m sure if I understood the documentation and the interaction of CFConfig and CommandBox better I might be able to derive the method, but I’m not there yet. Right now, there is no straightforward, clear tutorial on setting the web and server administrator passwords.

As you can probably guess, I am not a professional developer. I have no training in any coding language, ever; literally everything I know about CFML comes from self-teaching over the internet for the last 20+ years. I don’t know what PHP and Node are, so that’s where I really struggle. I’m sorry. I am sure it’s frustrating. Nobody is more frustrated than me. CFML isn’t my job, it’s my hobby. It’s an outlet of creative expression and writing my stupid little web app might seem dumb and trivial for most people but it means a great deal to me. I know CFML is niche. I know what a bad situation this is for me. I don’t care to learn about Node, and that doesn’t mean your program is stupid or I’m dumb or anything. I’m just saying this to level-set on what my capabilities and understanding are.

I am asking questions and I can clearly sense your exasperation about them, but frankly I have done a “quick review” of the documentation. It’s actually been more than quick. I’ve spent a lot of time in them and – this is the thing – I don’t understand them because that’s not how I’ve learned CFML over the years. You’re speaking to me like I am exhibiting intentional negligence and hostility to your work. Honestly, it’s because I don’t and can’t understand your work. Many times I don’t understand what you or your documentation are saying. I am trying to understand! But the way you talk about these things as though they are “common sense” and it can be solved if you “just read the docs” … there’s a disconnect, here.

Look, I get that this is a barrier somewhat unique to me and my circumstances. I am trying to do the best I can in this world, trying to speak to my frustrations and questions in a way that is best understandable to people who actually are smart and talented and who make this their careers and passions.

But I am a hobbyist. My ability to do anything lives and dies by the simplest possible explanations that I can find on the internet and understand. For some people, that’s how they learn.

I have only been able to code in CFML for 20+ years because of the generosity and helping spirit of people who were willing to put up with dumb, uneducated amateurs like me, who asks weird dumb questions that don’t make sense. I wish I could help others the same way. But all of us have teachers, and few of us learn from reading a book alone. We all need teachers, at some point. I appreciate you all being teachers.

So, I appreciate the help. I really do. Genuinely. Seriously. I’ve relied on help my entire code-hobby life. But could we please lay off the insinuation that I’m just trying to tick everybody off, here? I’m trying my best.

Correct.

Correct.

Yes, if you want that setting to always be present. Nothing requires you to use CFConfig with CommandBox servers, it’s just very very useful.

Well, when you save a datasource in the actual Lucee web admin UI, it’s saved to the XML files in the Lucee server home, but those go away if you forget the server or change server versions. That’s why we recommend using a tool like CFConfig to manage all of those outside the Lucee server admin so you don’t have to worry about what happens when a server disappears because you have all the building blocks in your config files to create the same server from scratch with a single start command. This is the same reason CommandBox is so useful for a team of developers running code locally, because every dev on the team gets the exact same server instantly by just cloning the Git repo and running “server start” and letting the config JSON files do their thing.

Then forget about env for now. It’s useful but another thing for you to learn. Just get familiar with how the servers work and then come back and start a new thread to ask about env.

We’ve given you about 5 different ways to do it in this thread? Are you asking for more ways to do it, or do you have a specific question about one of the several ways we’ve shown you?

CFConfig finds and uses environment variables whose names follow a special convention automatically. So any env var named cfconfig_something will automatically get picked up by CFConfdig when the server starts and will set the “something” setting into the server. So using .env isn’t an alternative to using CFConfig. It’s just one of the may ways you can get CFConfig to load settings for you. All the .env file does is load up ad-hoc environment variables into the server process for you which is commonplace in Docker and other cloud hosting setups.

Nothing, really. Once a password is written to Lucee’s XML files, it’s there forever. Now, if you change what version of Lucee you want CommandBox to start, it will download and extract it to a new server home with different XML files. This is where having it in the JSON or an env var will ensure it gets set every time.

I assume you’re asking about the ${blah} placeholders. Honestly, would have waited to drop that wrinkle on you since you’re having so much trouble with the basics, but those place holders are simply swapped out when CFConfig reads the JSON file with any env var of the same name. So, if you declare

myEnvVar=brad

in your .env file and you have a ${myEnvVar} placeholder in a JSON file, those get merged when the file is read.

You’re not wrong. CommandBox allows you to configure any or all of these files to be outside the web root. But again, I haven’t mentioned that because you’re already complaining about all the basic information not making sense I’m trying to not overload you. It’s worth noting the CommandBox web server will BLOCK all access to files starting with a dot as well as all the known JSON config files. However, if you put another proxy in front of CommandBox, all bets are off as Nginx may happily serve up your .cfconfig.json file to a user if they look for it, so that’s something you have to take into account. here’s docs on the lockdown rules:

I’m not sure why you’re still balking about this. You were able to set the admin password like 6 messages ago and log in. Why are you still saying it’s an issue? You can find answers for this

here CommandBox Password - dev - Lucee Dev
here Use CFConfig to set default password · Issue #22 · foundeo/ubuntu-nginx-lucee · GitHub
here Resetting Admin Password · Lucee
here Where should I put the /lucee-server/context/password.txt file?
and here https://www.petefreitag.com/blog/lucee-admin-password-box/

And that’s just the first page of Google results.

OK, let me just be really clear and really, really straightforward, then:

What is the CFConfig command that will set the server and web administrator passwords, permanently, for a Lucee server instance in CommandBox (lasting through machine restarts)?

I have been able to set the server administrator password with

cfconfig set adminPassword=mypassword

That does not work for the web administrator.

We’ve danced around this. I don’t know what it is. Can we please just say what it is. It’s almost 5 p.m. on a Friday.

I don’t think you’re being malicious at all, and I’m happy to help you. You also aren’t making it very easy to help either. We all get it can be frustrating, but focus on what parts you need explained. You’ve made your point about 100 times now that you find it confusing. Repeating that point every post isn’t going to help. Grant offered to hop on Zoom with you earlier and provide you with free in-person support. I would have taken him up on that if I were you.

To set it for the web admin, you would run

cfconfig set adminPassword=myPassword toFormat=luceeWeb

It’s also worth noting that when CFConfig picks up a JSON file or an env var on server startup for an admin password, it will also set that password automatically into your web admin if there has not been one set there. This is to prevent your webadmin getting left in an insecure state.

Thank you. That was all I needed. Note that there are five (5) references to “toFormat=luceeWeb” on Google. Just five. All of them refer to importing .json files into the configuration.

That’s why I was struggling.

This was hard – not easy – to find.

Thank you for your help and patience. I’ll continue forward with configuration and see what I can do and learn. My next steps are setting up datasources and then seeing how the server functions in this new environment. Wish me luck.