# cfml-general
t
So I just "solved" an issue with a client of mine. They got a new certificate, and ColdFusion didn't like it. They'd get this error when the server tried to connect to itself.
I/O Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This was with the latest version of Oracle Java (11.0.27). We tried switching to Temurin 11.0.27.6, and then the connection was successful. Does anyone know what difference exists between the two that might have caused this? Since non-Oracle Java isn't something officially supported, I'm not a huge fan of this solution, and would love to get it working in Oracle Java too.
b
Likely related to the `cacerts` file that ships with the respective JVMs
You'd have to provide more details about the cert in question, but that error means the CA which signed the cert isn't trusted
Java 11 is pretty old, so depending on when the build in question was created, it could have a pretty old list of CAs
d
The cert you installed might be missing a chained cert too, which can cause issues.
b
A newer cert may have been signed by a newer CA which wasn't included in the old JRE's trust store
It's true, you usually want to configure your server to use the cert chain, including any intermediate certs, but if the only difference between working/non-working was a JRE swap, then it would boil down to the CAs in the trust store of that JRE
t
It's not my cert -- it's theirs, so unfortunately I don't have more details. I was afraid that might be the answer.
b
(CA = Certificate Authority)
I mean, you can add whatever you want to your trust store
so use the JRE you want, and just trust the cert
t
FWIW, I was able to replicate it on CF2023 with 17.0.15, and CF2025 with 21.0.7 as well.
b
You can find out for certain if you want. You'd need to look at the CA which signed the cert chain, then inspect the cacerts in question and see if that CA is present
t
sure.
b
Oftentimes it's not worth the trouble and people just trust the cert and move on
t
I'll take a look.
b
I like Portecle for looking at trust stores. It's a GUI that runs out of a jar file
The default password on most `cacerts` files is `changeit`, which you'll need to open the store
You can also post the cert (public key only, NOT the private key) and the `cacerts` file in question
It's found in the `security` folder if I recall inside the Java home
Also, I assume you mean Adobe CF. It's worth noting all versions of Lucee up until Lucee 6 packaged their own cacerts file which was used by default instead of the JRE's
t
Yup. That appears to be the issue. And there's a bug filed to get it updated: https://bugs.openjdk.org/browse/JDK-8356452
q
Yeah, Sectigo has one of their CAs expire in 2026. So new certs are now being signed by it. That also means the intermediate certs need to be trusted/replaced as well