CFHTTP unable to find valid certification path to requested target - coldfusion

I'm looking to scrape data off a website; other https sites work and this was working last week but now fails:
<cfhttp url="https://www.cliftoncameras.co.uk/all-brands-and-types-of-used-cameras/"></cfhttp>
If I run a dump of cfhttp I get:
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I have tried running with the latest JRE version 12 - no change
https://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html
Reverted back to CF original JRE, downloaded the target SSL certificate and installed it using the keytool - no change
c:\ColdFusion2018\jre\bin\keytool -import -keystore cacerts -alias cliftoncameras -file c:\ColdFusion2018\jre\lib\security\cliftoncameras.cer
I changed the websocket in the CFAdmin to proxy - no change
I did restart the CF Application Server each time.
What else can I do?

I have also seen this java.security.cert.CertPathBuilderException error before from Java and Coldfusion on sites that load ok in a regular browser, but which still error from cfhttp even after adding the certificate to the CF keystore and restarting.
This happens when the target site server certificate configuration has a trust chain issue - when one or more trust chain paths requires the browser to perform an "extra download" of a certificate. This can be because of a missing intermediate certificate in a single trust chain path, or because there are multiple branches in the trust chain with different fingerprints and one or more certificates from one or more of those branches is not being served.
If you run the target site through an SSL Analyzer like ssllabs.com - e.g.
https://globalsign.ssllabs.com/analyze.html?d=www.cliftoncameras.co.uk&hideResults=on - you'll see that their intermediate certificate Starfield Secure Certificate Authority - G2 is not being served by their server, which forces the client to do an "extra download" - which won't be a problem for most proper browsers, but the Java client used by cfhttp needs the server to provide pretty much every intermediate and root cert directly. It used to be the same for most mobile OSs up until a few years ago.
So the ideal solution is to contact cliftoncameras and have their server admin install the correct Starfield Intermediate certificate so that it is served correctly.
A possible workaround on your side is to install the Starfield Secure Certificate Authority - G2 intermediate certificate in your CF keystore.
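To see whether a site has the gap described in this answer before touching the keystore, here is an added Python example (not from the question or any of the answers) that parses the "Certificate chain" block of an `openssl s_client -showcerts` transcript and reports the issuers a client without AIA fetching cannot reach. The two transcripts and the list of root subjects assumed to be in cacerts are constructed.

```python
"""Check an `openssl s_client -showcerts` transcript for the 'extra download' problem.

A browser fills a gap in the served chain by fetching the missing issuer from
the leaf's AIA URL. The Java client behind cfhttp does not (unless
-Dcom.sun.security.enableAIAcaIssuers=true is set), so an issuer that is neither
served by the site nor already in cacerts ends in
"unable to find valid certification path to requested target".
"""
import re

# Constructed sample of the block that `openssl s_client -connect host:443 -showcerts`
# prints (PEM bodies omitted). Only the leaf is served; its issuer, the
# Starfield intermediate, is not.
CHAIN_MISSING_INTERMEDIATE = """\
Certificate chain
 0 s:CN = www.example.test
   i:CN = Starfield Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
(pem body omitted)
-----END CERTIFICATE-----
---
"""

# Constructed sample of the same site after the admin adds the intermediate.
CHAIN_COMPLETE = """\
Certificate chain
 0 s:CN = www.example.test
   i:CN = Starfield Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
(pem body omitted)
-----END CERTIFICATE-----
 1 s:CN = Starfield Secure Certificate Authority - G2
   i:CN = Starfield Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
(pem body omitted)
-----END CERTIFICATE-----
---
"""

# Subjects of the roots assumed to be in cacerts (constructed; for a real
# keystore take them from `keytool -list -v -keystore cacerts`).
TRUSTED_IN_CACERTS = {"CN = Starfield Root Certificate Authority - G2"}

# One s_client entry: an index line with the subject, then the issuer line.
ENTRY = re.compile(r"^\s*\d+ s:(?P<subject>.*)\n\s*i:(?P<issuer>.*)$", re.MULTILINE)


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m["subject"].strip(), m["issuer"].strip()) for m in ENTRY.finditer(transcript)]


def missing_issuers(chain, trusted):
    """Issuers a strict client cannot find: not served, not self-signed, not in the trust store."""
    served = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in served and issuer not in trusted]


def cfhttp_would_fail(transcript, trusted=TRUSTED_IN_CACERTS):
    """True when the served chain cannot be completed without an AIA download."""
    return bool(missing_issuers(parse_chain(transcript), trusted))
```

Passing a larger `trusted` set models the workaround in this thread: once the intermediate's subject is in the keystore, the same transcript no longer reports a gap.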

On my development platform I added
-Dcom.sun.security.enableAIAcaIssuers=true
To the java.args in the file in ColdFusion2018\cfusion\bin\jvm.config
Then restarted the CF Application Server, and now my CFHTTP call is successful.
Thanks to #agreax for this solution
Thanks to #sevroberts, whose answer was probably the correct one, even though I couldn't get it to work. The production host installed the SSL certificate to the keystore and successfully resolved it this way. They said:
If you use FireFox browser and click on the lock icon when browsing the URL you are wanting to have the cfhttp request access you can then get the more info and click the View Certificate option.
You will need to download the PEM (cert) not the Chain. Once downloaded, you need to run the keytool in order to import it to the keystore.
If you are using the default JRE within your JVM for ColdFusion you will need to install a JDK to your development machine.
You can see the details and steps we have listed on our wiki regarding the commands from the command prompt to import the SSL into the store.
https://wiki.hostek.com/ColdFusion_Tips_%26_Tricks#Fixing_cfhttp_Connection_Failures_with_Keytool
Thanks to #alexbaban; his workaround, whilst it worked, was a solution I could not implement due to requiring the use of the tag cfexecute.

If you can not get the keystore thing working maybe you'll want to try this.
Create a dedicated command line executable (.exe) which will read the web page and save the source to a text file. You can then use ColdFusion to read the file and work with the data.
Here is the ColdFusion code:
<cfscript>
_execPath = "c:/bin/clifton.exe";
_filePath = "c:/bin/clifton.txt";
// run your command-line app (clifton.exe); without a timeout cfexecute returns at once
cfexecute(name="#_execPath#");
// wait for the output file to appear
do {
    sleep(100);
} while ( not fileExists(_filePath) );
// wait for the write to finish: the file must be non-empty and untouched for more than 3 seconds
do {
    sleep(100);
    _fileInfo = getFileInfo(_filePath);
    writeOutput(" ## ");
    cfflush();
} while ( _fileInfo.size eq 0 || dateDiff("s", _fileInfo.lastmodified, now()) lte 3 );
writeOutput("<hr />");
_result = fileRead(_filePath);
writeDump(_result);
</cfscript>
As you can see it depends on clifton.exe and reads clifton.txt (clifton.txt is the result of executing clifton.exe).
How to make clifton.exe
You will use the Dart SDK and the dart2native tool to create the executable on your development computer. You can deploy the executable on your production server as a standalone (You don't need the Dart SDK installed on production).
Create a bin folder on your C drive.
From https://ssl-ccp.secureserver.net/repository/?origin=CALLISTO download the certificate sfig2.crt.pem (PEM) and save it inside c:\bin.
Inside c:\bin create a text file clifton.dart with the following code:
// clifton.dart
import 'dart:convert';
import 'dart:io';

main() {
  const String _certFilePath = 'c:/bin/sfig2.crt.pem';
  const String _responseFilePath = 'c:/bin/clifton.txt';
  const String _uri =
      'https://www.cliftoncameras.co.uk/all-brands-and-types-of-used-cameras/';

  final File _file = new File(_responseFilePath);
  final IOSink _sink = _file.openWrite();

  // trust the Starfield intermediate the site does not serve, so the
  // chain the server does send can be completed locally
  final SecurityContext _context = new SecurityContext();
  _context.setTrustedCertificates(_certFilePath);

  final HttpClient _client = new HttpClient(context: _context);
  saveSourceToFile(_client, _uri, _sink);
  // close() without force: true waits for the in-flight request to finish
  _client.close();
}

// get web page source then write it to file
void saveSourceToFile(HttpClient _client, String _uri, IOSink _sink) {
  _client
      .getUrl(Uri.parse(_uri))
      .then((req) => req.close())
      .then((res) => res.transform(Utf8Decoder()).listen((data) {
            // as data is received write to file
            _sink.write(data);
          }, onDone: () {
            _sink.close();
          }));
}
Download and install the Dart SDK from https://dart.dev/
Open a terminal window and test the installation of Dart with dart --version (you should be able to run dart from any folder, if needed add dart to your PATH)
In a terminal window, change directory to c:\bin with cd c:\bin
Next, run dart2native clifton.dart -o clifton.exe
If compilation goes well you should have inside c:\bin the three files: clifton.dart, clifton.exe and the certificate sfig2.crt.pem.
If you wish you can test run clifton.exe in the terminal window, which should create the clifton.txt file.
Test the ColdFusion page which calls clifton.exe, waits for clifton.txt then outputs the content.
If you deploy in production you need both files clifton.exe and sfig2.crt.pem (the certificate).
Good luck!

Related

How to enable TLS in IXWebSocket for simple client/server application

I'm attempting to build a simple client/server application in C++ using the IXWebsocket library, using the example code as an example, as shown on this page - https://machinezone.github.io/IXWebSocket/usage/
The code works fine when using an unsecured connection (as denoted by a ws:// url), but I can't get it working at all when using a secured connection (as denoted by a wss:// url).
The website states under the "TLS Support and configuration" section that
Then, secure sockets are automatically used when connecting to a wss://* url.
Additional TLS options can be configured by passing a ix::SocketTLSOptions instance to the setTLSOptions on ix::WebSocket (or ix::WebSocketServer or ix::HttpServer)
This implies to me that simply changing the ws:// url to a wss:// url is enough to instruct the application to secure the connection, however this does not work.
When I attempt to connect using a wss:// url, the server returns the following
WebSocketServer::handleConnection() HTTP status: 400 error: Error reading HTTP request line
The website goes on to say that
Additional TLS options can be configured by passing a ix::SocketTLSOptions instance to the setTLSOptions on ix::WebSocket (or ix::WebSocketServer or ix::HttpServer)
and...
Specifying certFile and keyFile configures the certificate that will be used to communicate with TLS peers. On a client, this is only necessary for connecting to servers that require a client certificate. On a server, this is necessary for TLS support.
This implies to me that for the server to support TLS, I must provide a cert file, and a key file.
The github repo includes the script generate_certs.sh which produces a series of certificates in pem format, which should be enough to get things working. Included among them are selfsigned-client-crt.pem and selfsigned-client-key.pem, which seem like obvious candidates, however they specifically state client in the names, which suggests that they should not be used in the server application, rather they belong in the client.
The website also includes the example snippet:
webSocket.setTLSOptions({
.certFile = "path/to/cert/file.pem",
.keyFile = "path/to/key/file.pem",
.caFile = "path/to/trust/bundle/file.pem", // as a file, or in memory buffer in PEM format
.tls = true // required in server mode
});
I have attempted to populate the certFile and keyFile properties, and specified "NONE" for the caFile property as explained in the example, however this results in the server application printing SocketServer::run() tls accept failed: error in handshake : SSL - The connection indicated an EOF to the console.
What's more, the example snippet listed above states "path/to/cert/file.pem" and "path/to/key/file.pem" but doesn't explicitly state whether those should be client, or server usage.
The example doesn't come with a complete runnable implementation, and doesn't explain clearly what is needed to make TLS work in this particular form, and I'm at a bit of a loss now.
There is an example application in the github repo, however it includes a number of different variations, all of which are far more complicated than this trivial example, and it is this trivial example that I need to get working so I can understand how to implement this further.
In my server application, I have implemented the following for the TLS options:
int port = 8443;
ix::WebSocketServer server(port);
ix::SocketTLSOptions tlsOptions;
tlsOptions.certFile = "certs/selfsigned-client-crt.pem";
tlsOptions.keyFile = "certs/selfsigned-client-key.pem";
tlsOptions.caFile = "NONE";
tlsOptions.tls = true; //Required for TLS
server.setTLSOptions(tlsOptions);
I am pretty sure that the issue is in how I've set up the key and cert files. I have used the client files here, but I also tried generating and signing a server cert and key, which also did not work.
I have even tried using the trusted key and cert for both the client and server applications, and still did not get a working TLS connection (the following files were generated by the generate_cert.sh script -
selfsigned-client-crt.pem, selfsigned-client-key.pem, trusted-ca-crt.pem, trusted-ca-key.pem, trusted-client-crt.pem, trusted-client-key.pem, trusted-server-crt.pem, trusted-server-key.pem, untrusted-ca-crt.pem, untrusted-ca-key.pem, untrusted-client-crt.pem, untrusted-client-key.pem
... none of which is a self signed server cert.
What I can gather from the example page is that I need to do the following to get this working.
Generate a server cert and key
Self sign the cert
Specify the cert and key file in the tlsOptions on the server
Set the tls property in tlsOptions to true on the server
Set the caFile property in tlsOptions on the server to "NONE"
Set the url in the client to a wss:// url
But this did not work when I tried it, so there's clearly something I've missed.
All I'm aiming to do for the moment is to use self signed certs so that I can test my client and server, both running on localhost.
If anybody can steer me in the right direction, I'd be immensely grateful. I've been on this for 4 days now and I'm really lost.
Many thanks
Check this file https://github.com/machinezone/IXWebSocket/blob/master/ws/test_ws.sh; it does a full client + server encrypted exchange.
Note that on macOS there are limitations, but on windows or linux, using mbedtls and openssl everything should work fine.
ps: You will need to supply the same set of certs on the client and on the server.
https://machinezone.github.io/IXWebSocket/build/
-DUSE_TLS=1 will enable TLS support
so I do the following:
mkdir build
cd build
cmake -DUSE_TLS=1 -DUSE_WS=1 ..
works for me

ColdFusion 2018: How to setup a mapping correctly?

These are the steps I use:
1) I created a new mapping inside CF Server => Server Settings => Mapping
logical path: /mysite
directory path: /Volumes/drive2/work/mysite
2) I restarted the server
/Applications/ColdFusion2018/cfusion/bin/coldfusion stop && /Applications/ColdFusion2018/cfusion/bin/coldfusion start
3) Using my preferred text editor, I created test.cfm inside /Volumes/drive2/work/mysite with the following contents
<cfdump var="#CGI#">
4) I then tried viewing the new file on my browser via
localhost:8500/mysite/test.cfm
I then get a 404 error. Exact message goes like "coldfusion.runtime.TemplateNotFoundException: File not found: /mysite/test.cfm"
I checked these 2 things:
I verified that /Volumes/drive2/work/mysite is readable by everyone (755 permission)
I verified that /Volumes/drive2/work/mysite/test.cfm is readable by everyone (644 permission)
Other than creating the mapping, the other configurations I've changed are:
created datasource for my app
Enabled debugging/logging but only after I got the first 404 error
Any ideas what I could be doing wrong? or perhaps other settings I should've set? I've added a screenshot of the mappings section below.
Thanks!
Edit: I'm using the built-in webserver provided by the standalone/developer edition. I'm also using localhost.
What you are attempting to do is not what ColdFusion mappings are for. ColdFusion mappings are used by ColdFusion code to access files. What you are attempting to do via a request like localhost:8500/mysite/test.cfm is access a folder through your web server. What you need to do for that is create a "virtual directory" using your web server admin.
You did not specify which web server you are using but it should be very easy to find documentation on how to accomplish what you need by searching your "web server name create virtual directory".
Here are a couple of examples for IIS and Apache.
IIS Virtual Directory
Apache Alias
If you are using the built-in Tomcat server, as we can assume by the use of localhost and port 8500, then follow the directions documented on the following page under the Adding a virtual directory for ColdFusion using the built-in Tomcat application server section.
ColdFusion Tomcat

Key length error logging into store on GREG 5.0 using SSO and custom Cert

We have been implementing GREG5.0 and using default configurations everything works fine. Once we replace the default localhost certificate in the wso2carbon.jks keystore with our own we receive "java.security.SignatureException: Signature length not correct: got 256 but was expecting 128" when we log into Store or Publisher using SSO.
We have removed the default keypair from wso2carbon.jks and added our own certificate. The password for our keystore and certificate are the same. We have updated all the configuration files per the wso2 carbon 4.4 documentation. We have updated JavaHome with local_policy.jar and us_export_policy.jar in order to allow for the longer key length.
The administrator console works great with no issues. If we change the login method of store or publisher to "basic" then it works fine. When we have the login method set to "SSO" we end up sitting on a blank page at this location https://servername/store/acs. We have the same result in the browser if we are running as a windows server or in console mode but, if we are running as a windows service then we have no error and no indication of what happened. If we are running in console mode then I get the error mentioned above spit out in the console.
I also noticed this behavior on Identity Server 5.0 when accessing dashboard.
We are running on windows.
Is there another location in WSO2 that I need to update to accommodate an increased key length?
Joe
The location I missed updating was the IdentityAlias in repository/deployment/server/jaggeryapps/store/config/store.json and repository/deployment/server/jaggeryapps/publisher/config/publisher.json. Once I updated that value to match the alias of the keypair I was using in wso2carbon.jks, that appeared to solve the key length error and created another problem.
So now it was giving me a NullPointerException. I had provided the alias of our keypair but that was not the same as the alias for our certificate exported from our keypair that we loaded in client-truststore.jks. So I decided to set both aliases so they would match. With that change I was finally able to successfully access the store and publisher.
After some further testing it did not care what my keypair alias was as long as the value in IdentityAlias matched the alias of my certificate loaded in client-truststore.jks.
Hope this helps someone.
Joe

Django AWS S3 Invalid certificate when using bucket name "."

I have an issue that is described in this ticket.
I can't do collectstatic uploads with django locally to our static.somesite.com since S3 adds s3.amazon.com to the url and then invalidates their own *.s3.amazon.com certificate.
I have set a dns pointer for static.somesite.com that points to the ip of the s3 service.
I have the AWS_S3_SECURE_URLS = False set.
Not sure how to solve it yet. This is the full error message. I understand completely why it is happening, there has to be a workaround? On our production server this works just fine. Just can't find the settings.
boto.https_connection.InvalidCertificateException:
Host static.somesite.com.s3.amazonaws.com returned an invalid certificate
(remote hostname "static.somesite.com.s3.amazonaws.com" does not match certificate)
{
'notAfter': 'Apr 9 23:59:59 2015 GMT',
'subjectAltName': (
('DNS', '*.s3.amazonaws.com'),
('DNS', 's3.amazonaws.com')),
'subject': (
(('countryName', u'US'),),
(('stateOrProvinceName', u'Washington'),),
(('localityName', u'Seattle'),),
(('organizationName', u'Amazon.com Inc.'),),
(('commonName', u'*.s3.amazonaws.com'),)
)
}
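As an added example (not part of the question or the answer), here is the single-label wildcard rule that makes this certificate fail for a dotted bucket name, implemented in Python over the subjectAltName from the error above. It assumes nothing beyond the standard library; the hostnames in the test are constructed.

```python
"""Why '*.s3.amazonaws.com' does not cover 'static.somesite.com.s3.amazonaws.com'.

RFC 6125 wildcard matching: '*' stands for exactly one DNS label, so a
wildcard certificate for *.s3.amazonaws.com covers mybucket.s3.amazonaws.com
but not a bucket name that itself contains dots.
"""

# The certificate from the error message above, reduced to the fields used for
# name matching (the same subjectAltName boto printed).
S3_CERT = {
    'subjectAltName': (
        ('DNS', '*.s3.amazonaws.com'),
        ('DNS', 's3.amazonaws.com'),
    ),
    'subject': ((('commonName', '*.s3.amazonaws.com'),),),
}


def dns_name_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' in hostname:
        return False  # a wildcard is never a valid peer hostname
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    # The wildcard must be the entire left-most label, and the remaining
    # labels must line up one-for-one, so the label counts have to agree.
    if p_labels[0] != '*' or '*' in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the hostname is covered by the cert's dNSName entries.

    dNSName entries win; the commonName is consulted only when there are none,
    which is the usual rule for TLS clients.
    """
    names = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    return any(dns_name_matches(n, hostname) for n in names)
```

The check shows that the mismatch is a property of the bucket name, not of the client, so a bucket name without dots gets a valid virtual-hosted URL while a dotted one cannot, whatever the validation setting.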
Been digging in the code for the transport app that I have been using. Seemed that it was picking up config settings from somewhere besides my django project settings and was overriding them.
A few years ago I was testing out google cloud storage for a google app engine test project which meant I installed "Gsutils" package globally. Guess what? Gsutils uses Boto too! So once I found out that I could set a boto config file I started looking for that. Sitting on OSX no file ~/.boto could be seen in the Finder or when listing the files in my home directory with ls -al. Alas, when I tried to create it with nano ~/.boto voilà! There were heaps of settings already there from the time I used Gsutils.
Once in there I disabled the
#https_validate_certificates = True
setting and everything works like a charm now.

Coldfusion 8: Firefox can't establish a connection to the server at 127.0.0.1:8500

I installed Coldfusion 8 trial version on my system (XP Professional sp3).
I created a folder in "C:/Coldfusion8/wwwroot" called "buildProject" containing an Index.cfm and some other .cfm files.
But I am unable to access either my project files or CFIDE/Administrator.
I tried the following URLS
http://localhost:8500/wwwroot/buildProject/
http://localhost:8500/CFIDE/administrator/index.cfm
http://127.0.0.1:8500/wwwroot/buildProject/
http://127.0.0.1:8500/CFIDE/administrator/index.cfm
http://localhost/wwwroot/buildProject/index.cfm
http://localhost/CFIDE/administrator/index.cfm
http://localhost/wwwroot/buildProject/
http://localhost/CFIDE/administrator/index.cfm
Firefox can't establish a connection to the server at 127.0.0.1:8500.
* The site could be temporarily unavailable or too busy. Try again in a few moments.
* If you are unable to load any pages, check your computer's network connection.
* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
• I cleared the browsing “History” from both IE and FF.
• I have restarted the CF server in the Control Panel >Administrative Tools > Services
• Even restarted the IIS
Getting the same error.
Further, I was trying to access IE/FF via CFBuilder, but still I am getting the error
“The connection was refused when attempting to contact [URL].”
If you connected Coldfusion to IIS, then you probably need to connect on port 80. Which you did try, but if you connected Coldfusion to IIS, then the document root is IIS's document root, not the document root you created your new directory in.
I believe the document root for IIS on XP is c:\inetpub\wwwroot.
So, try putting a test.cfm file in there that just contains "hello world" or something, and see if you can request it from there.
Hopefully you installed IIS first and were happy it was working before installing CF.
Try connecting to your IIS on http://localhost
You should get the default IIS .htm landing page , probably index.html or something, so at least you know IIS is working fine.
If you then try http://localhost/nosuchpage.htm you will see a 403 error (as long as you didn't specify to allow directory browsing). In the standard IIS error page you should be able to see
Physical Path D:\inetpub\wwwroot
or wherever IIS thinks your web root is. When you then install CF to use IIS (rather than standalone) it will use this path as your web root.
Rename your index.html file as index.cfm and connect to it on
http://localhost:8500/index.cfm
If vanilla html pages are working from the directory but .cfm pages are not then you probably need a CFIDE mapping (I think one quick workaround is simply to copy your CFIDE folder and drop it into web root).
What happens if you try typing this in as a url:
http://{your i.p. address}:8500/CFIDE/administrator/index.cfm
I bet it works