June 2015

Gavin Pickin

How to solve CFHTTP SSL issues with CFML Engines like Railo and Lucee

CFML Language, Lucee, Migrating to Railo, OpenSSL, Server Admin, Techie Gotchas

There was a lot of noise about CFHTTP not working when was planning on updating their SSLs in May this year. Will Genovese, one of the good people at CF WebTools, posted ‘ColdFusion 8 & 9 CFHTTP still works with’ about early testing and confirmed that ColdFusion 8 and 9, and even some of their customers using 7, had this working. Of course, just the other day, some of my customers running on Railo / Lucee started to see some issues. This is how I solved those problems.

If you have dealt with SSLs in ColdFusion before, you know it's a pain in the butt: dealing with the keytool, importing into the right keystore. If you are using ColdFusion, you might not know that there is a great CF Admin extension, called Cert Manager, which makes life easy. It gives you a simple UI to see all the certs, and makes working with them easy.
CertMan from RiaForge -

If you are on Railo / Lucee, you’ll know they have a really slick SSL Certificates page. You can put in the domain name of the cert you need, and it will go out to the interwebs and suck down the cert for you. When I tried to do this with the cert, Railo just timed out eventually.

The problem is… if there is an issue with something up the chain, then how do you fix it? You have to go back to the keytool and the keystore.
It's not hard to actually add a key to the keystore, but where is the keystore, which key do you need, and how do you find it?

I use SSL Shopper’s SSL Checker tool for all my SSL testing; it makes sure the chain is complete and gives you a good number of details at the same time. Using this tool in the past, I debugged some strange browser issues, where some browsers complained about certs while others wouldn’t. This tool helped me identify which certs needed corrections, and I could easily fix them.

I have more information in previous posts located here: ‘Techie Gotcha - SSL Certificate Problems with Apache and Issuer Chains’

Using this tool, I knew which certs to download and from whom.

Since the certs in the SSL chain are all Entrust certs, I downloaded them from their website, here: Entrust's Website
This was left in the comments of the post from Wil, which made it even easier to find. I downloaded all of the certs in the chain, but most of them were already in the keystore, so I’ll save you the headache.

Download the entrust_ec1_ca.cer

Once you have that, and it's on your server, you need to locate your keystore.
For Railo, it seemed like it was in {railo}/jdk/jre/lib/security/cacerts
Depending on your install, it might be elsewhere, but if you can find your JRE folder, it's usually relative to that in lib/security/cacerts

When you run the command below, it will ask you for the keystore password; if you haven’t changed it, the password will be ‘changeit’, so you should probably change it sometime soon.

Run the command (on CentOS I needed to be root, since root owned the files):
keytool -import -keystore /pathto/railo/jdk/jre/lib/security/cacerts -alias entrustec1ca -file /path/to/your/cert/entrust_ec1_ca.cer

  1. Enter your password when prompted
  2. Confirm yes, you want to trust this cert, and it will be added to the keystore.
  3. Once added, you can return to Railo Admin and try to fetch the SSL cert again. This time it should not time out, and it will show something like this.
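Putting the steps above into a script, as an added example that is not from the original post: it finds the cacerts keystore relative to a Java home (covering both the JDK layout used by the bundled Railo JDK and the bare JRE layout), checks whether the alias is already present so keytool does not abort with "alias already exists", imports the cert without prompting, and then verifies that the entry landed as a trusted certificate. The Java home default, the script name in the guard and the alias are assumptions you will need to adjust for your own install.

```shell
#!/bin/sh
# Added example: import a CA certificate into the Java cacerts truststore
# that a Railo/Lucee engine uses for CFHTTP. Not from the original post;
# the default JAVA_HOME, alias and script name are assumptions.
set -eu

# Locate the cacerts truststore under a Java home. A JDK layout keeps it in
# jre/lib/security/cacerts, a bare JRE (or Java 9+) in lib/security/cacerts.
# Prints the path and returns 0, or prints nothing and returns 1.
find_cacerts() {
    java_home="$1"
    for candidate in \
        "$java_home/jre/lib/security/cacerts" \
        "$java_home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 if the alias is already in the keystore, 1 otherwise.
# keytool exits non-zero when the alias is missing, so its status is enough.
alias_exists() {
    keystore="$1"; alias="$2"; storepass="$3"
    keytool -list -keystore "$keystore" -storepass "$storepass" \
        -alias "$alias" >/dev/null 2>&1
}

# Import a PEM or DER certificate as a trusted CA entry, skipping the import
# if the alias is already present (keytool refuses duplicate aliases).
# Runs non-interactively so it can be used from a provisioning script.
import_ca_cert() {
    keystore="$1"; alias="$2"; certfile="$3"; storepass="$4"
    if alias_exists "$keystore" "$alias" "$storepass"; then
        echo "alias '$alias' already present in $keystore, skipping import"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$keystore" -storepass "$storepass" \
        -alias "$alias" -file "$certfile"
    # Verify the entry is listed as a trusted certificate before reporting success.
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" \
        | grep -q trustedCertEntry
}

# Usage: import-ca.sh /path/to/entrust_ec1_ca.cer [JAVA_HOME] [storepass]
main() {
    certfile="${1:?usage: $0 cert-file [JAVA_HOME] [storepass]}"
    java_home="${2:-/opt/railo/jdk}"   # assumption: adjust to your Railo/Lucee install
    storepass="${3:-changeit}"         # stock password; change it once this works
    keystore="$(find_cacerts "$java_home")" \
        || { echo "no cacerts found under $java_home" >&2; exit 1; }
    import_ca_cert "$keystore" entrustec1ca "$certfile" "$storepass"
}

# Only run main when executed directly as import-ca.sh, so the functions
# can also be sourced from another script.
case "${0##*/}" in
    import-ca.sh) main "$@" ;;
esac
```

Two things worth knowing when you run this for real: a JRE upgrade ships its own cacerts file, so any cert you imported into the old one is gone and the import has to be repeated (keeping the script around makes that painless), and passing `-storepass` on the command line leaves the password in the process list and shell history, so on a shared box prefer keytool's `-storepass:file` or `-storepass:env` forms.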


Again, thanks to Will Genovese’s post at: which got me started on the right path.

Hope this helps anyone else out there battling this issue.
