(ISSUE FIXED) This is a new error that I've never seen before. siteA.mydomain.com is making a cfhttp request to siteB.mydomain.com This is the cfdump of the cfhttp result.

siteA is missing some algorithm it needs to decrypt siteB's response. you can check what you've got with https://www.ssllabs.com/ssltest/index.html

So it has to be similar to this error: `

unable to find valid certification path to requested target

sure, missing some authority somewhere along the hierarchy

Ok so for that issue I use the keytool to add my cert to the JRE cacerts file. And that fixes it. I just did the same to siteA and it worked. Makes sense since this Saturday I replace a CF server with a Commandbox managed CF server and I used the JRE that comes with Commandbox.

sorry i'm not, but even so i'm the last person you'd want to talk devops with 😉

ok cool. thanks for your help here.

np

@Daniel Mejia, Have you solved the issue? I ask because I see "ISSUE FIXED" at the start. If you are still looking for ideas, then I will say: (1) your idea of importing the right certificates to the truststore, using the

keytool

tool, is good. For example, to import a certificate in ColdFusion on Windows you would have done something like:

keytool -import -v -alias myServerCert -file myServerCertFile.cer -keystore {HOME_DIR_OF_JAVA_ON_WHICH_CF_RUNS}\lib\security\cacerts -storepass changeit

(2) if SSLLABS told you that your server uses TLS 1.x, then add the following flags to java.args in ColdFusion's _jvm.config_:

-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Dhttps.protocols=TLSv1.2,TLSv1.3

Yes I have. I used the keytool to add my cert to the JRE cacerts file.

which cert did you install?

umm...the one with the extension .pem

not familiar with globalsign, this is a long term cert?

reissued every year

i see, so you installed globalsign's CA cert?

idk what that means

so my understanding is if you just installed your cert, then it'll be good until it expires