Error when loading ORT10LT (Lithuania) imagery layer

[Jurkis]

What steps will reproduce the problem?

1. Open JOSM and Find Lithuania
2. Open Imagery->ORT10LT (Lithuania)

What is the expected result?

ORT10LT (Lithuania)image file is loaded.

What happens instead?

An error occures (see attachment). If I try to load another imagery (Bing, Mapbox Satellite or other) everything is ok.

Please provide any additional information below. Attach a screenshot if possible.

URL:http://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2016-02-28 14:07:49 +0100 (Sun, 28 Feb 2016)
Build-Date:2016-02-28 22:44:23
Revision:9900
Relative:URL: ^/trunk

Identification: JOSM/1.5 (9900 or 9960 en) Windows 8.1 64-Bit
Memory Usage: 169 MB / 247 MB (66 MB allocated, but free)
Java version: 1.8.0_73-b02, Oracle Corporation, Java HotSpot(TM) Client VM
VM arguments: [-Duser.home=E:\PortableApps\JavaPortableLauncher\Data\AppData]
Dataset consistency test: No problems found

Plugins:
- HouseNumberTaggingTool (31772)
- Mapillary (32040)
- OpeningHoursEditor (31772)
- apache-commons (31895)
- apache-http (31895)
- buildings_tools (31895)
- editgpx (31772)
- terracer (31895)
- turnrestrictions (31895)

Last errors/warnings:
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[simon04]

ORT10LT is serving the content via HTTPS only and using a Let's Encrypt certificate which is not in the Java keystore: notice the redirection from ​http://mapproxy.openmap.lt/ort10lt to ​https://mapproxy.openmap.lt/ort10lt.

• You can manually add the needed certificate following ​https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html or ​http://alvinalexander.com/java/java-using-keytool-import-certificate-keystore
• Or contact the operator of mapproxy.openmap.lt to use a different certificate and/or also support HTTP.

[wiktorn]

Maybe we can have non-validating https client in JOSM for such cases?

I guess, that this could be done creating SSLContext with TrustManager, that accepts all servers, and use this socket factory, to make connections to imagery provider. But I haven't tried this yet in Java.

@team:
What do you think about such approach? (actually this is already the case in Poland, where some services are protected by CA that's not present in Java distribution)

[Don-vip]

I think #12264 is the way to go: we can embed IdenTrust CA until Oracle adds it.

[wiktorn]

I guess that I haven't added IdenTrust CA myself, and it looks like on Java 9 it's already bundled by Oracle.

[Don-vip]

It's not. I just have checked with latest builds (jdk9 b108 + jigsaw b109) as follows:

keytool -list -v -keystore /opt/jdk-8-ea/jre/lib/security/cacerts -storepass changeit | grep Owner | sort > jdk8ea.txt
keytool -list -v -keystore /opt/jdk-9/lib/security/cacerts -storepass changeit | grep Owner | sort > jdk9.txt
keytool -list -v -keystore /opt/jdk-9-jigsaw/lib/security/cacerts -storepass changeit | grep Owner | sort > jdk9-jigsaw.txt

the list is the same for JDK8 and JDK9. It does not include IdenTrust.

[simon04]

Fixed in the course of #12264.