Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#16527 closed defect (othersoftware)

LetsEncrypt certificate is not found on macOS

Reported by: mwagner@…
Owned by: team
Priority: normal
Milestone:
Component: Core
Version:
Keywords: template_report tls ssl certificate security
Cc:

Description

What steps will reproduce the problem?

  1. In Imagery Preferences add a new TMS using the URL as follows:
     https://www.webgis.gov.sc/mapcache/tms/1.0.0/aerial_photo@Custom3857/{zoom}/{x}/{-y}.png
  2. From the Imagery menu select the new service
  3. "Error: Problem loading tile" is shown.

What is the expected result?

An aerial photo should be loaded

What happens instead?

Error: Problem loading tile is shown

Please provide any additional information below. Attach a screenshot if possible.

The service is accessible through HTTPS and a LetsEncrypt certificate is registered on the TMS server. Adding the same custom TMS to the iD Editor on the OpenStreetMap website works without any issues.

URL:https://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2018-07-09 01:47:59 +0200 (Mon, 09 Jul 2018)
Build-Date:2018-07-08 23:50:14
Revision:14026
Relative:URL: ^/trunk

Identification: JOSM/1.5 (14026 en) Mac OS X 10.13.6
OS Build number: Mac OS X 10.13.6 (17G65)
Memory Usage: 869 MB / 1820 MB (387 MB allocated, but free)
Java version: 1.8.0_181-b13, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
Screen: Display 722475533 1920x1080
Maximum Screen Size: 1920x1080
VM arguments: [-Djava.library.path=/Applications/JOSM.app/Contents/MacOS, -DLibraryDirectory=${HOME}/Library, -DDocumentsDirectory=${HOME}/Documents, -DApplicationSupportDirectory=${HOME}/Library/Application Support, -DCachesDirectory=${HOME}/Library/Caches, -DSandboxEnabled=false, -Dapple.laf.useScreenMenuBar=true, -Dcom.apple.macos.use-file-dialog-packages=true, -Dcom.apple.macos.useScreenMenuBar=true, -Dcom.apple.mrj.application.apple.menu.about.name=JOSM, -Dcom.apple.smallTabs=true]
Dataset consistency test: No problems found

Plugins:
+ Mapillary (v1.5.14+post13733)
+ apache-commons (34389)
+ apache-http (34389)
+ buildings_tools (34212)
+ ejml (34389)
+ geotools (34125)
+ jts (34206)
+ opendata (34389)
+ todo (30305)
+ utilsplugin2 (34389)

Last errors/warnings:
- W: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Change History (7)

comment:1 Changed 3 years ago by Klumbumbus

Component: Core → Core imagery

comment:2 Changed 3 years ago by Don-vip

Keywords: tls ssl certificate security added

Probably a macOS issue. Do you have any file named "DST_Root_CA_X3.pem" or "DST_Root_CA_X3.crt" on your system? If so, where?

comment:3 Changed 3 years ago by mwagner@…

The certificate is there and is stored in Keychain: /System/Library/Keychains/SystemRootCertificates.keychain
The certificate is also listed under "Manage Certificates" in the Java Control Panel.

comment:4 Changed 3 years ago by Don-vip

Component: Core imagery → Core
Summary: JOSM fails to load imagery from custom TMS → LetsEncrypt certificate is not found on macOS

comment:5 Changed 3 years ago by stoecker

Resolution: wontfix
Status: new → closed

This server does not send a proper certificate chain. Thus we'd need to support the intermediate LE-cert directly, which we don't want.

https://www.ssllabs.com/ssltest/analyze.html?d=www.webgis.gov.sc&s=196.13.208.22&latest

@mwagner:

I'd suggest you contact the operators of the server and tell them to fix this issue and maybe a bunch of the many others they have.

Until then use http, which is equally secure for this server.
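
An added example, not part of the ticket or of JOSM: a script that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether the server sent the intermediate that comment:5 describes as missing. The host name, the DNs in the samples and the trusted-root set are constructed assumptions, and the check compares names only; it does not verify signatures.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# (host name and DNs are illustrative, not captured from the server in this ticket).
LEAF_ONLY = """\
Certificate chain
 0 s:CN = tiles.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:CN = tiles.example.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Assumption: subject DNs of the roots in the client's trust store, written
# in the same format the local openssl build prints.
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

def presented_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^ *\d+ s:(.+)$", s_client_output, re.M)
    issuers = re.findall(r"^ +i:(.+)$", s_client_output, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def diagnose(s_client_output, trusted_roots=TRUSTED_ROOTS):
    chain = presented_chain(s_client_output)
    if not chain:
        return "no certificates presented"
    # Each certificate must be issued by the next one in the list.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return f"misordered: no certificate for {issuer!r} follows"
    last_subject, last_issuer = chain[-1]
    # The root itself may be omitted, but the last issuer must be a trust anchor.
    if last_issuer in trusted_roots or last_subject in trusted_roots:
        return "complete"
    return f"incomplete: server did not send {last_issuer!r}"

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", diagnose(sample))
```

A client that trusts only the root and receives the leaf-only list has nothing linking the leaf to that root, which is the condition the PKIX path building error in the report signals.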

comment:6 Changed 3 years ago by mwagner@…

Many thanks for your help! We solved the issue with the incomplete certificate chain and are currently working to fix the other security related issues you referred to.

comment:7 Changed 3 years ago by Don-vip

Resolution: wontfix → othersoftware
