Have you ever seen the error message “ErrorDetail I/O Exception: peer not authenticated” when working with ColdFusion 7's CFHTTP? I hadn’t until recently, and it turns out I found an interesting bug with ColdFusion 7 running on top of Windows 2003.
I ran into this while building a PayPal payment processor, and wasted too much time thinking this was a username and password issue, or possibly a problem with the host name I was using, but it wasn’t. It was extra frustrating because my test PayPal code worked just fine if I created an html form and posted directly to PayPal. Also, the same code worked perfectly in production, just not on my development server.
After hours of googling and trial and error I found my solution thanks to Steve Erat. Basically ColdFusion 7 isn’t able to handshake securely with PayPal (Verisign) because the server doesn’t have PayPal’s certificate in the key store. You can read in depth about what’s happening on Steve’s blog post here.
So my solution ended up being this:
- Download the verisign.cer certificate from my production server
- Import verisign.cer into the JDK that comes with ColdFusion
- Restart ColdFusion and IIS
I tried all sorts of things, from installing every Windows certificate management feature, upgrading my JDK and having ColdFusion use that, and applying all the latest service packs and updates to my server, to changing any PayPal setting I could think of. All I needed to do was this:
- Drop to CMD prompt
- Run the keytool that came installed with ColdFusion
C:\CFusionMX7\runtime\jre\bin\keytool -import -trustcacerts -keystore C:\CFusionMX7\runtime\jre\lib\security\cacerts -storepass changeit -noprompt -alias PayPal -file c:\verisign.cer
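The same import wrapped with a trust store backup, a fingerprint check before the certificate becomes a trust anchor, and a confirmation listing afterwards. This batch file is an added example, not from the original post; the paths follow the command above and the .bak file name is an assumption.

```bat
@echo off
rem Added example (not from the original post).
rem Paths follow the post's ColdFusion MX 7 layout; the .bak name is an assumption.
setlocal
set JRE=C:\CFusionMX7\runtime\jre
set KEYTOOL=%JRE%\bin\keytool
set STORE=%JRE%\lib\security\cacerts
set CERT=c:\verisign.cer

rem 1. Keep a copy of the trust store so the change can be rolled back.
copy /Y "%STORE%" "%STORE%.bak" || goto :fail

rem 2. Print owner, issuer, validity dates and fingerprints of the file.
rem    Compare the fingerprint with the value the CA publishes before going on.
"%KEYTOOL%" -printcert -file "%CERT%" || goto :fail
echo Check the fingerprint above, then press a key to import (Ctrl+C to stop).
pause >nul

rem 3. Import without -noprompt: keytool shows the certificate again and
rem    asks "Trust this certificate?" before writing to the store.
"%KEYTOOL%" -import -trustcacerts -keystore "%STORE%" -storepass changeit -alias PayPal -file "%CERT%" || goto :fail

rem 4. Confirm the new entry is in the store under the PayPal alias.
"%KEYTOOL%" -list -v -keystore "%STORE%" -storepass changeit -alias PayPal || goto :fail

echo Import complete. Restart ColdFusion and IIS to load the updated trust store.
exit /b 0

:fail
echo keytool step failed; the original store is saved as "%STORE%.bak" if step 1 succeeded.
exit /b 1
```

Any certificate in cacerts is trusted for every outbound HTTPS call the JVM makes, so the fingerprint comparison in step 2 is the part not to skip.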
I couldn’t find this solution anywhere else online besides Steve’s site, so this is a rebroadcast in case somebody else hits this issue. Also, at the time of writing, the test payment hostname for PayPal is pilot-payflowpro.paypal.com.