Scheduled Tasks and SSL

[parrot person]

I cannot get my scheduled tasks to run now that SSL is being used on a
production box (Windows 2k, MX 6.1, SunOne web server). They worked fine
before implementing SSL, and they still work if I access them directly by
browsing to them. I have confirmed that I have the right port set in the url
(443). For the url of the scheduled tasks in the CFAdmin, I have tried using
the IP address of the server, localhost, and the domain name that matches the
SSL cert; none work.

Nothing happens when the scheduled tasks are supposed to run. No database
work is done, and no emails are sent out. The error in the scheduler log is
always the same and unhelpful: "Error while executing task Connection Failure:
Status code unavailable"

If I try executing the scheduled tasks manually from the administrator, I get
the following message:

"There was an error running your scheduled task. Reasons for which scheduled
tasks might fail include:

The URL is a redirection URL.
The URL is protected by IIS NT Challenge/Response or Apache .htaccess
password. The Username and Password text fields for editing a scheduled task
are intended to support Basic Authentication only.
The Domain Name lookup failed. Try using the IP address of the domain whenever
possible.
The URL is an SSL site, but the SSL port was specified incorrectly.
The Web site is not responding.
The directory specified for published results does not exist."

None of these apply. I even get this error message if I try a test scheduled
task with no actual code and just a "Hello world" message.

I have tried looking online, both on livedocs and on here, and have seen a lot
of people with the same problem, but few answers and none that apply to our
situation. I have also seen the statement that Macromedia says that scheduled
tasks don't work at all, ever, with SSL. I find that hard to believe since the
error message contains the statement "The URL is an SSL site, but the SSL port
was specified incorrectly."

Is there any way to get this to work short of putting the scheduled tasks in a
non-SSL area?

[Kronin555]

I have scheduled tasks working just fine on an SSL site.

I'm not defining the port anywhere, just the URL:

[url]https://secure.mydomain.com/tasks/myTask.cfm[/url]

It runs every night without fail, and has been since we wrote it.

Environment:
SunOne web server, Solaris 8, MX 6.1

[xentrix]

You'll need to install the certificate into the CFMX keystore.

[url]http://www.houseoffusion.com/cf_lists/index.cfm/method=messages&Threadid=13865&forumid=4??[/url]

Andy

[Kronin555]

Xentrix,

Thanks for the link. I think this only applies to self-signed certs, however.
I didn't have to manually import the cert into the keystore, but I'm using a
Verisign cert.

I'm still bookmarking that page incase it comes up in the future, though.

[parrot person]

I have tried including and not including the port.

It is good to know that you have working scheduled tasks with SSL, but it
would be more helpful if I could identify *why* yours work and mine don't.

I wasn't responsible for setting up SSL, I will have to ask the network admin
what type of cert it is, since that apparently matters.

[Kronin555]

parrot person,

What JDK are you running Coldfusion MX on?

[parrot person]

The cert is by Entrust.

I'm not sure what JDK we are running.. does that mean what version of SunOne? It is version 6 (not sure 6.what)

[parrot person]

I read the page linked to by Xentrix, but that sounds like something to try if you site isn't working at all. Everything is browseable, it's just scheduled tasks that don't work...

[Kronin555]

You're going to need to import Entrust's root cert into your java keystore.

From here:
[url]http://www.caucho.com/quercus/faq/question.xtp?question_id=1306[/url]

"The Entrust ROOT CA cert is NOT in the JSSE distribution (cacerts file). You
may have to Export the Root CA cert for Entrust from Internet Explorer and
either import it into your local keystore or into the cacerts keystore prior to
attempting to import your cert against the CSR."

[parrot person]

Kronin555,

I can of course ask the network admin about the Entrust cert, but again, the
rest of the site is working. It is only scheduled tasks that do not work. I
would think that if the cert is the problem, the site as a whole would not
work.

We are using ColdFusion 6.1. I do not know what JDK is in use, nor how to
find that out.

[Kronin555]

parrot person,

it's not the cert that's the problem, it's the JDK recognizing the cert as
valid. The only time the JDK actually looks at the cert is when a scheduled
task is run, because Coldfusion (java, the JDK) is making a request to the web
server, which causes Coldfusion (java, the JDK) to ensure that the cert being
used to encrypt the connection is valid.

When a user requests a page on your site, that validity check is being made by
the user's browser, not the JDK on the server. The root Entrust cert is in the
user's browser, that's why it works fine (comes back as a valid certificate).
If the root Entrust cert isn't in the java keystore, then when java checks the
validity of the cert, it fails. Just because your site works when requested
from a browser doesn't mean it will work when requested from the JDK that is
running Coldfusion (which is what does the scheduled task calls). If you want
to test it, write a class that opens an SSL connection to your web server. Then
try to run that class (but make sure you're running it on the same JDK that
Coldfusion is running on, as the same user that Coldfusion runs as). That will
give you a definite yes/no whether it's a java keystore problem or not.

If you don't want to follow my advice, that's your perogative. SSL scheduled
tasks work for me, I'm using a Verisign cert. There have been known issues in
the past with Java verifying Entrust SSL certs. That's what points me to my
idea that the Entrust root cert isn't in your java keystore. Again: what JDK
are you using to run Coldfusion with?

[dimV]

1 point for Kronin555 :D