Getting this error when trying to use ColdFusion CFHTTP to connect to a site using Let’s Encrypt?
I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
You need to add their trust chain to your JRE.
I’m lazy and don’t touch Java too much so I always have to look up everything at the command line.
Here is the easiest way I found to get this done:
- Prep:
  - Log into CF Admin, go to Java & JVM under Server Settings and find your Java Virtual Machine Path.
  - Under that path, you will find the security folder, at something like C:\Program Files\Java\jdk1.8.0_45\jre\lib\security. Copy that folder to your Desktop. You will make changes in this copy, then copy the changes to the production folder. Make a backup of your security folder just in case!
  - Download all of the PEM certs here into a folder you made on your desktop: https://letsencrypt.org/certificates/. Make sure to rename them to a .pem extension, as they download with a .txt extension! Note that I tried just doing the root, then added them one by one. Eventually I just added all of them to the keystore.
  - Download Portecle and unzip it to a folder on your Desktop. It’s a Java GUI for managing Java certificate key stores.
  - You now have three folders on your desktop.
- Finish the job:
  - Open the Portecle folder and double-click on portecle.jar
  - You will get a nice GUI interface.
  - Click the folder icon, then find your Desktop security folder. You will see cacerts highlighted. Select it, then click open.
  - Enter the default Java password “changeit” (unless you’ve done your job and actually changed it)
  - Click the Import Trusted Certificate icon and go to your Desktop folder where you placed the downloaded Let’s Encrypt certificates.
  - Pick the first one, click Import, then click Ok/Yes to everything.
  - Repeat until you have added all of the certs.
  - Click SAVE in the main GUI window. Make sure to click save!
  - Your cacerts file can now be copied to your production JRE path. You made a copy of the original beforehand, right?
  - Restart ColdFusion services (using Task Manager, make sure that anything called Java* or Jetty is killed, then restarted).
- Problems – still getting an error?
  - Make sure you are using the correct JRE path
  - Make really sure you are using the correct JRE path
  - See A
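
The same import can be scripted with the keytool that ships inside the JRE ColdFusion uses, which also rules out the wrong-JRE problem. This PowerShell script is an added example, not part of the original post; the $PemDir folder name and the "letsencrypt-" alias prefix are assumptions, and the JRE path is the sample path from above.

```powershell
# Run from an elevated PowerShell prompt: the keystore lives under Program Files.
# Assumption: $JreHome is the "Java Virtual Machine Path" shown in CF Admin.
$JreHome   = 'C:\Program Files\Java\jdk1.8.0_45\jre'   # sample path from the post; use your own
$PemDir    = "$env:USERPROFILE\Desktop\letsencrypt"    # hypothetical folder holding the .pem files
$StorePass = 'changeit'                                # default keystore password

$Keytool = Join-Path $JreHome 'bin\keytool.exe'
$Prod    = Join-Path $JreHome 'lib\security\cacerts'
$Work    = Join-Path $env:TEMP 'cacerts.work'

# Using the keytool from this JRE guarantees we edit the keystore ColdFusion reads.
if (-not (Test-Path $Keytool)) { throw "keytool not found under $JreHome (wrong JRE path?)" }
if (-not (Test-Path $Prod))    { throw "cacerts not found at $Prod" }

# Keep a timestamped backup beside the original, and edit a working copy.
Copy-Item $Prod "${Prod}.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item $Prod $Work -Force

$failed = 0
foreach ($pem in Get-ChildItem -Path $PemDir -Filter *.pem) {
    $alias = "letsencrypt-$($pem.BaseName.ToLower())"

    # Print the SHA-256 fingerprint so you can check what you are about to trust.
    & $Keytool -printcert -file $pem.FullName | Select-String 'SHA256:'

    # -noprompt is the scripted equivalent of clicking Ok/Yes in the GUI.
    & $Keytool -importcert -noprompt -trustcacerts -alias $alias `
        -file $pem.FullName -keystore $Work -storepass $StorePass
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Import failed for $($pem.Name) (alias may already exist)"
        $failed++
    }
}

# List what landed in the working copy before touching production.
& $Keytool -list -keystore $Work -storepass $StorePass | Select-String 'letsencrypt-'

if ($failed -eq 0) {
    Copy-Item $Work $Prod -Force
    Write-Host "Updated $Prod. Restart the ColdFusion services to pick it up."
} else {
    Write-Warning "$failed import(s) failed; production cacerts left unchanged."
}
```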
Thank you for this, very nice walkthrough
Downloaded Offline installer of JAVA 8 and it was working. I downloaded JAVA 8 from here.
h t t p://offlineinstallersofts.com/download-java-8-jre-jdk-offline-installer-windows-mac-linux/
Avinash,
I cannot recommend you or anyone download JVMs from anywhere but Oracle.
I edited your comment so the hyperlink is not functional
Thanks JF. That worked on first try. The link to portecle didn’t have a download. This one does: https://sourceforge.net/projects/portecle/, and it is not totally intuitive that the PEM files need to have the extension changed to “.pem”
Thanks, Craig!
Added some text about renaming the extensions – IIRC they had .pem originally. They probably changed it to .txt to avoid security warnings?
Also updated the project URL.
Thanks man, you just saved my life!