# box-products
d
My server.json has this:
```json
"ssl":{
  "host":"api.domain.app.test",
  "port":"8080",
  "enable":true,
  "sslcert":"/etc/apache2/ssl/domain.app.test.crt",
  "sslkey":"/etc/apache2/ssl/domain.app.test.key",
  "sslkeypass":""
}
```
The domain.app.test cert is configured to accept *.domain.app.test and domain.app.test. It was working before the Commandbox upgrade (I was previously on 5.4.2); now I'm on 5.6.1.
r
I can confirm that mine still works in 5.6.1, but I'm not specifying the `host`, since it's a wildcard cert, or the `sslkeypass`.
d
Mine is just a locally generated self-signed cert. I normally get a warning in Chrome that I can ignore, but this isn't even using the correct cert.
b
@davla There were lots of changes in that part of the code with the addition of client cert auth, but your certs should still work the same. I even tested with custom certs of my own like you showed.
Can you provide me with a DM with the full console output of a `--trace` start?
Or you can also just read through the console output yourself; there are tons of logs in there that talk through what the SSL context is doing.
d
Yes, I'll run it with the console. I'm going to do a server forget so I have a fresh start.
Ok, so I have now removed all of my local commandbox servers. I have created a new crt and key file for a different local domain (e.g. myapi.test). The crt has been added to my trusted certificates (via Keychain). I have the following in server.json:
```json
{
  "force": true,
  "trace": true,
  "console": true,
  "web": {
    "host": "myapi.test",
    "http": {
      "host": "localhost",
      "port": "60025",
      "enable": true
    },
    "ssl": {
      "host": "myapi.test",
      "port": "8080",
      "enable": true,
      "sslcert": "/Users/support/Documents/SSL/myapi.test.crt",
      "sslkey": "/Users/support/Documents/SSL/myapi.test.key",
      "sslkeypass": ""
    },
    "rewrites": {
      "enable": true,
      "config": "WEB-INF/urlrewrite.xml"
    },
    "webroot": ""
  },
  "app": {
    "cfengine": "lucee@5.3.9.141"
  },
  "name": "myapi"
}
```
`server start` results in the SSL cert error in the browser, and it is still loading the Ortus localhost SSL. From the logging in the console, I think these lines point to a possible problem:
```
[TRACE] io.undertow.request: Opened connection with /127.0.0.1:51370
[TRACE] io.undertow.request: Opened HTTP/2 connection with /127.0.0.1:51370
[DEBUG] io.undertow.request: UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```
When I upgraded commandbox (via homebrew: brew commandbox upgrade), should I have also upgraded anything else? Java, for example? Should I go back to box 5.4.2?
b
That's a start, but it's not the full info I asked for 🙂
I need to see the full, entire, complete, unadulterated console logs.
The error above, I think, is just complaining because the server cert is the self-signed one.
d
I'll put the console log in a file and DM it to you?
b
Actually, looking a bit closer, isn't the correct name of those args `web.ssl.certFile` and `web.ssl.keyFile`?
Are you sure that is the same `server.json` you used on the previous version?
> I'll put the console log in a file and DM it to you?
That is what I asked originally 😉 https://cfml.slack.com/archives/C06TSRXCJ/p1663164637943929?thread_ts=1663157074.042199&cid=C06TSRXCJ
But based on my previous message, I think this is just a simple case of your settings being wrong, and therefore ignored.
d
That would be the most likely scenario!
b
Did you create a fresh server.json after upgrading, with new settings?
Because it sounded like you just upgraded an existing server and reused the same settings that had previously been working.
d
Used the same server.json from previous.
b
Hmm, those setting names haven't changed in 6 years, according to my Git blame 🤔
d
Let me change those settings. I bet they were always the problem and the Ortus cert has always been working without me noticing, and now Chrome is blocking it properly.
b
@davla I know what probably happened. The old Ortus self-signed cert expired this year, so I regenerated a fresh one good for 10 more years. You likely had added the previous one to your trust store, but the new one wasn't trusted.
d
Kaboom! Amazing what happens when you change to the correct config settings! `certFile` and `keyFile` did the trick; well spotted. I have been staring at the 'box docs on SSL and hadn't spotted my error.
Everyone stand down; CommandBox is still awesome. Shame it can't fix the person in front of the screen! Thanks for the help!