Add Let’s Encrypt Trust Certificates to Cold Fusion on Windows

Author: JF5

Getting this error when trying to use ColdFusion CFHTTP to connect to a site using Let’s Encrypt?

I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.

You need to add the Let’s Encrypt trust chain to your JRE’s trust store (the cacerts file).

I’m lazy and don’t touch Java too much, so I always have to look up everything at the command line.

Here is the easiest way I found to get this done:

  1. Prep:
    1. Log into CF Admin, go to Java & JVM under Server Settings and find your Java Virtual Machine Path 
      1. Under that, you will find the security folder under something like C:\Program Files\Java\jdk1.8.0_45\jre\lib\security. Copy that folder to your Desktop. You will make changes in this folder, then copy the changes to the production folder. Make a backup of your security folder just in case!
    2. Download all of the PEM certs here into a folder you made on your desktop: https://letsencrypt.org/certificates/. Make sure to rename them, as they download with a .txt extension! Note that I tried just doing the root, then added them one by one. Eventually I just added all of them to the keystore.
    3. Download Portecle and unzip it to a folder on your Desktop. It’s a Java GUI for managing Java certificate keystores.
    4. You now have three folders on your desktop.
  2. Finish the job:
    1. Open the Portecle folder and double-click on portecle.jar
    2. You will get a nice GUI interface.
    3. Click the folder icon, then find your Desktop security folder. You will see cacerts highlighted. Select it, then click open.
    4. Enter the default Java password “changeit” (unless you’ve done your job and actually changed it)
    5. Click the Import Trusted Certificate icon and go to your Desktop folder where you placed the downloaded Let’s Encrypt certificates. Pick the first one, click Import, then click Ok/Yes to everything.
    6. Repeat until you have added all of the certs.
    7. Click SAVE in the main GUI window. Make sure to click save!
    8. Your cacerts file can now be copied to your production JRE path. You made a copy of the original beforehand, right?
    9. Restart ColdFusion services (using Task Manager, make sure that anything called Java* or Jetty is killed, then restarted).
  3. Problems – still getting an error?
    1. Make sure you are using the correct JRE path
    2. Make really sure you are using the correct JRE path
    3. See 1
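
The same import can be scripted with keytool, which ships in the JRE's bin folder. This is an added example, not part of the original post: the JRE path is the article's example path, and the Desktop folder names and the `letsencrypt-` alias prefix are assumptions to adjust.

```powershell
# Added example: keytool equivalent of the Portecle steps above.
# Run from an elevated PowerShell prompt (the production folder is under Program Files).
$JrePath   = 'C:\Program Files\Java\jdk1.8.0_45\jre'           # example path from the article; use the one from CF Admin
$WorkDir   = Join-Path $env:USERPROFILE 'Desktop\security'      # desktop copy of lib\security (assumed folder name)
$CertDir   = Join-Path $env:USERPROFILE 'Desktop\letsencrypt'   # downloaded certificates (assumed folder name)
$StorePass = 'changeit'                                         # Java default; use yours if you changed it

$Keytool  = Join-Path $JrePath 'bin\keytool.exe'
$Cacerts  = Join-Path $WorkDir 'cacerts'
$ProdFile = Join-Path $JrePath 'lib\security\cacerts'

# Fail early if any path is wrong; this is the usual cause of "still getting an error".
foreach ($p in $Keytool, $Cacerts, $ProdFile, $CertDir) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p (wrong JRE path?)" }
}

# Keep a timestamped backup of the production trust store.
$Backup = "$ProdFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $ProdFile -Destination $Backup

# Import every downloaded certificate into the desktop copy, one alias per file.
Get-ChildItem -LiteralPath $CertDir -File |
    Where-Object { $_.Extension -in '.pem', '.txt' } |
    ForEach-Object {
        $alias = 'letsencrypt-' + $_.BaseName.ToLower()

        # keytool exits non-zero when the alias does not exist yet.
        & $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $alias 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "already present: $alias"; return }

        & $Keytool -importcert -trustcacerts -noprompt -alias $alias `
            -file $_.FullName -keystore $Cacerts -storepass $StorePass
        if ($LASTEXITCODE -ne 0) { throw "Import failed for $($_.Name)" }

        # Print the stored entry with its fingerprint for comparison with letsencrypt.org.
        & $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $alias
    }

# Copy the updated store into place, then restart the ColdFusion services.
Copy-Item -LiteralPath $Cacerts -Destination $ProdFile -Force
Write-Host "Updated $ProdFile (backup: $Backup). Restart ColdFusion now."
```

Compare the printed fingerprints with the ones published on the Let’s Encrypt certificates page before copying the store into production.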

5 Responses to Add Let’s Encrypt Trust Certificates to Cold Fusion on Windows

  1. Downloaded Offline installer of JAVA 8 and it was working. I downloaded JAVA 8 from here.

    h t t p://offlineinstallersofts.com/download-java-8-jre-jdk-offline-installer-windows-mac-linux/

    • Avinash,

      I cannot recommend you or anyone download JVMs from anywhere but Oracle.

      I edited your comment so the hyperlink is not functional.

    • Thanks, Craig!

      Added some text about renaming the extensions – IIRC they had .pem originally. They probably changed it to .txt to avoid security warnings?

      Also updated the project URL.
