[Geoserver-users] Geoserver 2.1.3 + Tomcat 7 + SSL

Hi everyone!

I need some help to configure Geoserver under SSL!

I’ve just configured SSL to work fine, following these instructions: http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat

I can log in to the web admin interface, and preview some layers. Examples:

https://tupi.rc.unesp.br/geoserver/topp/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&maxFeatures=50 - return the topp:states GML.

https://tupi.rc.unesp.br/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-124.73142200000001,24.955967,-66.969849,49.371735&width=780&height=330&srs=EPSG:4326&format=application/openlayers
- The map is shown fine and I can click to show attributes.

But when I try to run a Demo request, for example, WFS_GetCapabilities-1.0.xml, or one of the above, it shows me the error:


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Does this error occur because the Demo interface is not configured to work with SSL? I didn’t try to implement a client to work with this SSL…
Can someone help me to clarify this issue?

Best regards,


Rodrigo C. Antonialli

Campinas - SP - Brasil
LinkedIn: http://www.linkedin.com/in/rcaprofile
Contato: (19) 8136-2347
rcantonialli@anonymised.com
Skype: rc_antonialli

Hi Rodrigo, what is the exact URL of the demo request? The URL must include "tupi.rc.unesp.br" as the host name !!!

SSL connections are transparent to geoserver, so I assume you have a problem with the URL.

Cheers
Christian

Hi Christian,

The URL of the demo request is: https://tupi.rc.unesp.br:443/geoserver/wfs

I also tried https://tupi.rc.unesp.br/geoserver/wfs and also https://tupi.rc.unesp.br/geoserver/topp/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&maxFeatures=50

Another test with this URL: https://tupi.rc.unesp.br/geoserver/wfs?request=getCapabilities

It works when I request it directly from my browser (the same one I’m accessing the geoserver interface with), but it doesn’t work when I use it in the demo interface (I clear the body).

By these tests, it doesn’t seem to be the problem =/

Is there any configuration I should change in geoserver?

Best regards,

Rodrigo C. Antonialli

Campinas - SP - Brasil
LinkedIn: http://www.linkedin.com/in/rcaprofile
Contato: (19) 8136-2347
rcantonialli@anonymised.com
Skype: rc_antonialli

On Thu, May 17, 2012 at 7:10 PM, Rodrigo Antonialli
<rcantonialli@anonymised.com> wrote:

But when I try to run a Demo request, for example,
WFS_GetCapabilities-1.0.xml, or one of the above, it shows me the error:

<servlet-exception>
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
</servlet-exception>

The demo pages are sending the details to a server side servlet, which in turn
does the actual post emulating a client using Java's own URLConnection.
If your certificate is not trusted the above error will happen.

The solution for URLConnection is not an easy one:
http://kerbtier.ch/2009/01/31/urlconnection-and-https

Afaik if we rewrite the code using commons-httpclient it is instead
possible to ignore invalid certificates... requires some work though

Cheers
Andrea

--
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf

Yep, a solution is to implement an X509TrustManager trusting each certificate. I did something similar for my CAS tests here.

https://svn.codehaus.org/geoserver/trunk/src/security/cas/src/test/java/org/geoserver/security/cas/LiveCasData.java

Perhaps we should open a jira issue. If somebody can give me a starting point (where the url connection is created), I could try to solve the problem.

Christian

On Fri, May 18, 2012 at 5:15 PM, <christian.mueller@anonymised.com> wrote:

Yep, a solution is to implement an X509TrustManager trusting each
certificate. I did something similar for my CAS tests here.

https://svn.codehaus.org/geoserver/trunk/src/security/cas/src/test/java/org/geoserver/security/cas/LiveCasData.java

Perhaps we should open a jira issue. If somebody can give me a starting
point (where the url connection is created), I could try to solve the
problem.

org.vfny.geoserver.wfs.servlets.TestWfsPost in the wfs module
Veeery old code

Cheers
Andrea

Hello Andrea,

Your advice about the trusted certificate could help me solve the problem.

I just imported the cert file to the JVM default keystore:

keytool -import -alias tomcat -file cacert.der -keystore $JAVA_HOME/jre/lib/security/cacerts

(My JAVA_HOME var is the root JDK install dir)

It was necessary to restart tomcat… after the restart, I was able to run a demo request using https…

As my client will run under the same server/tomcat as geoserver, I also created a simple client test:


// Needs java.net.URL, java.net.HttpURLConnection and java.io.*
URL wfs = new URL("https://tupi.rc.unesp.br/geoserver/wfs?request=getCapabilities");

HttpURLConnection con = (HttpURLConnection) wfs.openConnection();

con.setRequestMethod("GET");
con.setDoOutput(true); // not needed for a GET: no request body is written
con.connect();

int responseCode = con.getResponseCode();

out.println(responseCode);
out.println();

Writer writer = new StringWriter();

// read buffer (must be an array: char[], not char)
char[] buffer = new char[1024];

Reader reader = new BufferedReader(new InputStreamReader(con.getInputStream()));

int n;

// copy the response body into the StringWriter
while ((n = reader.read(buffer)) != -1) {
    writer.write(buffer, 0, n);
}
reader.close();

out.println(writer.toString());


Remembering this was just to see the request result, and nothing more!

So, it seems the problem was not exactly with geoserver, but with my SSL configuration and certificate…

Thanks for your help guys!

Rodrigo C. Antonialli

Campinas - SP - Brasil
LinkedIn: http://www.linkedin.com/in/rcaprofile
Contato: (19) 8136-2347
rcantonialli@anonymised.com
Skype: rc_antonialli