Try deleting the certs from your keyfile then re-adding, which should get
rid of any dupes.


-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 05 October 2006 20:22
To: CF-Talk
Subject: CFHTTP and HTTPS/SSL and good/bad certs

Hopefully there is an SSL guru out there that can shed some light on what
I'm dealing with.  I'm trying to use CFHTTP to send and receive XML/SOAP
with a Microsoft adCenter API webservice.  This all used to work before they
switched from HTTP to HTTPS URLs for their API.  Even after the initial
switch to HTTPS, most of the app still worked - until a more recent change
from the "adCenter.msn.com" domain URLs to newer ones based on the domain of
"adCenter.microsoft.com".  Even now it works on some requests one minute,
and fails on the exact same request the next.  Sometimes it makes it through
a couple of requests and then fails, sometimes it never succeeds.

Today I took the debugging approach of looking at my CF server's JVM logs by
turning on the SSL tracing option.  Since it's my testing server, I can stop
the service, rename the log, turn it on, run a test of a single CFHTTP
request, turn it back off and rename the log file.  That way I know that
everything in the log file is related to that request.

What I see is both interesting and confusing.  All of the certs are imported
as soon as I do the CFHTTP, which is how it is supposed to work.  I then
trace through its attempt to use a chained (3 levels) cert whose domain
matches what I am trying to access, and see it fail with
"certificate_unknown."  It then starts to unwind and does a closeSocket(),
IOexception, etc.

THEN IT GETS WEIRD.  The very next line in the log is another ClientHELLO to
the server, followed by the returned ServerHELLO, and a repeat of the
attempt to use the 3-level cert, which this time succeeds!  Back on my IE
screen where the CF script is running, I see the results of a successful
webservice call.

My first question here is "What's up with the 2 calls to the remote server?"
I only did one CFHTTP - does the code for CFHTTP do an automatic retry?

The next question is this: Is it possible that I might have multiple certs
loaded into the keystore for the same sites/domains? The most recent certs
for the API URLs were loaded in manually with keytool, using the certs
obtained from IE when browsing the API URLs. I ask that because when I look
at the log, even though the identifying information for the certs is the
same in both attempts, the actual keys are different - the dates are
different and the modulus info is different.  Could it be that my keystore
has dupes in it and that some of them are actually bad?  

I tried to use the help info from keytool to see if there was a way, in the
case that my cacerts file has multiple certs, to clean it up, but if the
answer was there I didn't catch it.


OK, now for the second try - I run the same script again (just hitting F5),
and this time it fails with a "connection error" from CFHTTP.  I go and look
at the log file, and sure enough there is no "found trusted certificate"
message in it this time.  However, when I look for where it sends the ALERT
message with the "certificate_unknown" description, I find it THREE times.


Guys, I really need to buy a vowel on this one.  Maybe all of them.
Thanks,
Reed

BTW - anyone out there using CF or Java to communicate with the adCenter
API?!
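Added example, not code from either poster, ColdFusion, or the adCenter API: a small script that covers both the reply's advice (delete the aliases for a subject, then re-add one cert) and Reed's question about finding out whether cacerts holds several certs for the same site. It parses what `keytool -list -v -keystore <file>` prints, groups entries by Owner, and tells apart two identical copies of one cert (harmless clutter) from the case the log shows, the same Owner trusted under different keys. The listing embedded below is constructed; the aliases, dates and fingerprints are placeholders. The keystore name `cacerts`, the stock password `changeit`, and the `adcenter.microsoft.com.cer` export file are assumptions.

```python
"""Spot duplicate or conflicting trusted certs in a JVM keystore listing.

Added example (not ColdFusion, Sun or adCenter code).  Parses the text that
`keytool -list -v -keystore <file>` prints and reports every subject that is
trusted under more than one alias.
"""
from collections import defaultdict

# Constructed, abbreviated sample of `keytool -list -v` output.  Aliases,
# dates and fingerprints are placeholders, not real certificates.
SAMPLE_LISTING = """\
Keystore type: jks
Your keystore contains 4 entries

Alias name: adcenter-api
Creation date: Oct 5, 2006
Owner: CN=adcenter.microsoft.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Certificate fingerprints:
\t SHA1: 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
*******************************************

Alias name: adcenter-api-old
Creation date: Jun 2, 2006
Owner: CN=adcenter.microsoft.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Certificate fingerprints:
\t SHA1: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
*******************************************

Alias name: adcenter-api-2
Creation date: Oct 5, 2006
Owner: CN=adcenter.microsoft.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Certificate fingerprints:
\t SHA1: 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
*******************************************

Alias name: example-root-ca
Creation date: Jan 1, 2005
Owner: CN=Example Root CA, O=Example CA Ltd, C=US
Certificate fingerprints:
\t SHA1: 10:20:30:40:50:60:70:80:90:A0:B0:C0:D0:E0:F0:01:02:03:04:05
*******************************************
"""

# keytool field -> key in the parsed entry; every other line is ignored.
FIELDS = {"Alias name": "alias", "Creation date": "created",
          "Owner": "owner", "SHA1": "sha1"}


def parse_keytool_listing(text):
    """Return one dict per keystore entry, in listing order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:          # banner, blank and ***** separator lines
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Alias name":      # every entry starts with its alias
            current = {"alias": value}
            entries.append(current)
        elif current is not None and key in FIELDS:
            current[FIELDS[key]] = value
    return entries


def duplicates_by_owner(entries):
    """Subjects (Owner DNs) that appear under more than one alias."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["owner"]].append(entry)
    return {owner: group for owner, group in groups.items() if len(group) > 1}


def classify(group):
    """'identical': one cert imported twice (clutter only).  'conflicting':
    same subject, different key, i.e. a stale or re-issued cert sits beside
    the current one, which is what the post's log shows."""
    return "identical" if len({e["sha1"] for e in group}) == 1 else "conflicting"


def cleanup_plan(group, cert_file, keystore="cacerts", storepass="changeit"):
    """keytool commands for the reply's advice: delete every alias for the
    subject, then re-import one freshly fetched cert.  cert_file is an
    assumed export of that cert; changeit is the stock cacerts password."""
    commands = [f"keytool -delete -alias {e['alias']} -keystore {keystore} "
                f"-storepass {storepass}" for e in group]
    commands.append(f"keytool -importcert -trustcacerts -alias {group[0]['alias']} "
                    f"-file {cert_file} -keystore {keystore} -storepass {storepass}")
    return commands


def report(text):
    """One line per duplicated subject, plus each alias when the keys conflict."""
    lines = []
    for owner, group in duplicates_by_owner(parse_keytool_listing(text)).items():
        kind = classify(group)
        lines.append(f"{kind}: {owner} under " + ", ".join(e["alias"] for e in group))
        if kind == "conflicting":
            lines.extend(f"  {e['alias']}: created {e['created']}, SHA1 {e['sha1']}"
                         for e in group)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Run it against a real listing with `keytool -list -v -keystore cacerts -storepass changeit > listing.txt` and feed the file to `report`. Two caveats worth knowing before editing cacerts: older keytool releases spell `-importcert` as `-import`, and the JVM reads the trust store when it first sets up SSL, so ColdFusion has to be restarted before a cleaned keystore takes effect. If the same Owner keeps turning up with different keys, importing the issuing CA certificate (the top of the 3-level chain in the log) instead of the server's own cert avoids having to repeat this every time the server cert is reissued; `openssl s_client -connect adcenter.microsoft.com:443 -showcerts` prints the chain a given connection actually presents.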



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255726