Hello Andrea,
Your advice about the trusted certificate could help me solve the problem.
I just imported the cert file to the JVM default keystore:
keytool -import -alias tomcat -file cacert.der -keystore $JAVA_HOME/jre/lib/security/cacerts
(My JAVA_HOME var is the root JDK install dir)
It was necessary to restart tomcat… after the restart, I was able to run a demo request using https…
As my client will run under the same server/tomcat as geoserver, I also created a simple client test:
    URL wfs = new URL("https://tupi.rc.unesp.br/geoserver/wfs?request=getCapabilities");
    HttpURLConnection con = (HttpURLConnection) wfs.openConnection();
    con.setRequestMethod("GET");
    con.setDoOutput(true);
    con.connect();
    int responseCode = con.getResponseCode();
    out.println(responseCode);
    out.println();
    // Read the response body into a string
    Writer writer = new StringWriter();
    char[] buffer = new char[1024];
    Reader reader = new BufferedReader(new InputStreamReader(con.getInputStream()));
    int n;
    while ((n = reader.read(buffer)) != -1) {
        writer.write(buffer, 0, n);
    }
    out.println(writer.toString());
Remembering this was just to see the request result, and nothing more!
So, it seems the problem was not exactly with geoserver, but with my SSL configuration and certificate…
Thanks for your help guys!
On Fri, May 18, 2012 at 12:15 PM, <christian.mueller@anonymised.com> wrote:
Quoting Andrea Aime <andrea.aime@anonymised.com>:
On Thu, May 17, 2012 at 7:10 PM, Rodrigo Antonialli
<rcantonialli@anonymised.com> wrote:
Hi everyone!
I need some help to configure Geoserver under SSL!
I’ve just configured SSL to work fine, following these instructions:
http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat
I can log in to the web admin interface, and preview some layers. Examples:
https://tupi.rc.unesp.br/geoserver/topp/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&maxFeatures=50
- return the topp:states GML.
https://tupi.rc.unesp.br/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-124.73142200000001,24.955967,-66.969849,49.371735&width=780&height=330&srs=EPSG:4326&format=application/openlayers
- The map is shown fine and I can click to show attributes.
But when I try to run a Demo request, for example,
WFS_GetCapabilities-1.0.xml, or one of the above, it shows me the error:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
The demo pages are sending the details to a server side servlet, which in turn
does the actual post emulating a client using Java's own URLConnection.
If your certificate is not trusted the above error will happen.
The solution for URLConnection is not an easy one:
http://kerbtier.ch/2009/01/31/urlconnection-and-https
Afaik if we rewrite the code using commons-httpclient it is instead
possible to ignore invalid certificates… requires some work though
Cheers
Andrea
Yep, a solution is to implement an X509TrustManager trusting each certificate. I did something similar for my CAS tests here.
https://svn.codehaus.org/geoserver/trunk/src/security/cas/src/test/java/org/geoserver/security/cas/LiveCasData.java
Perhaps we should open a jira issue. If somebody can give me a starting point (where the url connection is created), I could try to solve the problem.
Christian
–
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549
http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
–
Rodrigo C. Antonialli
Campinas - SP - Brasil
LinkedIn: http://www.linkedin.com/in/rcaprofile
Contato: (19) 8136-2347
rcantonialli@anonymised.com
Skype: rc_antonialli