I have this simple piece of test code.
<cfhttp url="https://10.104.106.113/index.html" port="4433">
<cfdump var="#cfhttp#">
As you can see I am just trying to make a simple http request over SSL to another web server. I just want to confirm connectedness at this time. Real coding will come later.
I am getting the dreaded peer not authorized error.
ErrorDetail I/O Exception: peer not authenticated
I understand that this usually means that one needs to import a security certificate in the java cacerts keystore. But I did that some time ago, and there are other applications running that I believe are using this connection, or at least did in times past.
Running this command on the server making the request I find the expected certificate in the keystore.
$ keytool -list -storepass changeit -noprompt -keystore ../lib/security/cacerts -alias winappdev01
winappdev01, Jun 22, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 0F:D5:BC:E0:AD:87:53:ED:C2:CD:2A:83:65:83:F3:DF
That is as far as I understand how to manage certificates. I have no idea how to test that certificate or in any way validate it. Can anybody provide me some pointers on where to go from here?
More information.
I do not know why, but after I wrote the first message I was able to connect to the url in my browser. This did not work before.
Looking at the information of the certificate in the browser the MD5 hashes seem to match. Does that not mean the certificate is in the keystore?
Certificates contain a name (host and domain name, typically) and this name is compared to the URL requested. If they don't match, the certificate will not be honored by the client.
You're requesting a URL using an IP address, not a name. This will not work from a client that requires the name to be valid.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Actually, as one can see from the certificate shown by the browser in my second post, the common name IN the certificate IS the IP address.
And now, through no conscious effort on my part, it is working properly. The only thing I can think of, is that the self signed certificate on the IIS server had expired as it has been some time since we last played with it. While stumbling around in the dark, I may have regenerated the certificate for some three years.
But I would really like to know more about managing these things so that I am not stumbling around in the dark!
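
One way to test a keystore entry against a server, as an added example that is not code from any of the posts: compare the fingerprint `keytool -list` reports for an alias with the fingerprint of the certificate the server presents now. For a self-signed certificate, a mismatch means the server's certificate was replaced after the import, so the keystore entry no longer vouches for it. The function names are hypothetical, the sample listing is the one quoted in the first post, and the sample certificate is a constructed placeholder.

```python
import hashlib
import re
import ssl

# Output of `keytool -list ... -alias winappdev01`, as quoted in the first post.
SAMPLE_KEYTOOL_OUTPUT = """\
winappdev01, Jun 22, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 0F:D5:BC:E0:AD:87:53:ED:C2:CD:2A:83:65:83:F3:DF
"""
# Constructed placeholder bytes wrapped as PEM; not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a certificate")

ENTRY = re.compile(r"^([^,]+), .+Entry,\s*$")
FINGERPRINT = re.compile(r"Certificate fingerprint \(([^)]+)\): ([0-9A-Fa-f:]+)")


def parse_keytool_list(text):
    """Map alias -> (hashlib algorithm name, fingerprint) from keytool -list text."""
    entries, alias = {}, None
    for line in text.splitlines():
        if m := ENTRY.match(line.strip()):
            alias = m.group(1)
        elif (m := FINGERPRINT.search(line)) and alias:
            # keytool prints "MD5", "SHA1" or "SHA-256"; hashlib wants "sha256".
            algo = m.group(1).replace("-", "").lower()
            entries[alias] = (algo, m.group(2).upper())
    return entries


def fingerprint(pem, algo):
    """Colon-separated hex digest of the DER encoding, as keytool prints it."""
    digest = hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_alias(keytool_output, alias, presented_pem):
    """Return 'match', 'mismatch' or 'missing' for one keystore alias."""
    entries = parse_keytool_list(keytool_output)
    if alias not in entries:
        return "missing"
    algo, stored = entries[alias]
    return "match" if fingerprint(presented_pem, algo) == stored else "mismatch"


if __name__ == "__main__":
    print(check_alias(SAMPLE_KEYTOOL_OUTPUT, "winappdev01", SAMPLE_PEM))
    # Against a live server (no validation is done while fetching):
    # pem = ssl.get_server_certificate(("10.104.106.113", 4433))
```

A "match" only shows that the keystore holds the certificate being served; expiry and the name in the certificate are checked separately by the client.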