Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#19872 closed enhancement (fixed)

Cannot access HTTPS Dutch WMTS servers anymore after switching to different root CA

Reported by: SanderH
Owned by: Don-vip
Priority: normal
Milestone: 20.09
Component: Core imagery
Version:
Keywords: template_report netherlands certificate
Cc:

Description

What steps will reproduce the problem?

  1. Try to show WMTS imagery from https://geodata.nationaalgeoregister.nl/luchtfoto/rgb/wmts?request=GetCapabilities

What is the expected result?

Imagery is shown

What happens instead?

Imagery is not shown, but instead an SSL error:

2020-10-01 19:07:05.311 WARNING: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
        at sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
        at org.openstreetmap.josm.tools.Http1Client.performConnection(Http1Client.java:78)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:148)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:124)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObject(JCSCachedTileLoaderJob.java:315)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.run(JCSCachedTileLoaderJob.java:226)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 23 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 29 more

Please provide any additional information below. Attach a screenshot if possible.

A few years ago we had the same error: https://josm.openstreetmap.de/ticket/14649

This was fixed by implementing https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

Since yesterday, the imagery provider has implemented a new certificate pointing to a new root CA "https://cert.pkioverheid.nl", more specifically this one: "Staat der Nederlanden EV Root CA" http://cert.pkioverheid.nl/EVRootCA.cer

Full explanation of the global government replacement plan (in Dutch): https://www.logius.nl/actueel/blog-pkioverheid-certificaat-vervangingsplan
Summary: Organisations must use the new certificates before 2020-10-01, and eventually the current G3 root will be revoked on 2021-01-31.

Please update the CertificateAmendment class to allow us to view aerial imagery for the Netherlands with this new CA.

URL:https://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2020-09-25 17:47:53 +0200 (Fri, 25 Sep 2020)
Build-Date:2020-09-26 01:30:51
Revision:17061
Relative:URL: ^/trunk

Identification: JOSM/1.5 (17061 nl) Windows 10 64-Bit
OS Build number: Windows 10 Pro 2004 (19041)
Memory Usage: 1581 MB / 3556 MB (320 MB allocated, but free)
Java version: 1.8.0_261-b12, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel
Screen: \Display0 1920x1200 (scaling 1.0x1.0), \Display1 1920x1200 (scaling 1.0x1.0)
Maximum Screen Size: 1920x1200
Best cursor sizes: 16x16 -> 32x32, 32x32 -> 32x32
VM arguments: [-Dsun.java2d.opengl=True]
Dataset consistency test: No problems found

Plugins:
+ DirectDownload (35552)
+ FixAddresses (35343)
+ Mapillary (1.5.25)
+ OpeningHoursEditor (35414)
+ PicLayer (35405)
+ apache-commons (35524)
+ apache-http (35092)
+ ejml (35313)
+ geotools (35169)
+ geotools-wfs (22.0.1)
+ graphview (35405)
+ jaxb (35092)
+ jna (35092)
+ jts (35122)
+ measurement (35405)
+ nl-pdok-report (0.4)
+ nl_bag (0.6)
+ ods-bag (0.6.19)
+ opendata (35513)
+ opendataservices (0.6.19)
+ photo_geotagging (35499)
+ photoadjust (35405)
+ poly (35248)
+ reverter (35556)
+ scripting (30798)
+ turnlanes (35405)
+ undelete (35521)
+ utilsplugin2 (35487)
+ waydownloader (35405)

Tagging presets:
+ %UserProfile%\Tools\JOSM\Presets_Monuments.zip

Map paint styles:
- https://josm.openstreetmap.de/josmfile?page=Styles/AddressValidator&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_and_Road_Attributes&zip=1
- %UserProfile%\Tools\JOSM\NL_traffic_signs\Styles_Traffic_signs-style.mapcss
- http://duinoord.home.xs4all.nl/OSM/JOSM/NL_traffic_signs/Styles_Traffic_signs-style.mapcss
- <josm.pref>\plugins\Ods-bag-style.mapcss
- <josm.pref>\plugins\Ods-bag-style-0.6.8.mapcss
- http://mijndev.openstreetmap.nl/~allroads/JOSM/Styles/Road_Extended_JOSM_style.zip
- https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Noname&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/NumberedCycleNodeNetworks&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/NumberedWalkingNodeNetworks&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features_ryg&style&zip=1
- %UserProfile%\Tools\JOSM\FI_traffic_signs\fisigns-all.mapcss

Validator rules:
+ <josm.pref>\validator\address_outside_building.mapcss
+ <josm.pref>\validator\start_date_is_null.mapcss

Last errors/warnings:
- 374006,514 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,548 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,553 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,553 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,577 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,614 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,615 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,616 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,667 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,667 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Change History (6)

comment:1 Changed 21 months ago by Don-vip

Component: External imagery source → Core imagery
Keywords: netherlands certificate added
Milestone: → 20.09
Owner: changed from team to Don-vip
Status: new → assigned
Type: defect → enhancement

comment:2 Changed 21 months ago by smootheFiets

Just to confirm that this fix is extremely important to the Dutch OSM community. This is crucial imagery for us. I'm happy to see this ticket assigned to 20.09, which I take to mean a fix is imminent. Big relief!

comment:3 Changed 21 months ago by Don-vip

Resolution: → fixed
Status: assigned → closed

In 17082/josm:

fix #19872 - update expired Dutch CA by new one
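
The general technique behind this kind of fix, as an added example (not JOSM's CertificateAmendment code and not part of the ticket): extend the JRE's default trust anchors with one extra root CA, accepting the certificate file only if its SHA-256 digest matches a value obtained out of band from the CA. The class name, method name and command-line arguments are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;

public class AmendTrustStore { // hypothetical name, for illustration only
    /** SSLContext trusting the JRE default roots plus one extra root pinned by SHA-256. */
    static SSLContext withExtraRoot(String certFile, String pinnedSha256) throws Exception {
        X509Certificate root;
        try (InputStream in = Files.newInputStream(Paths.get(certFile))) { // DER or PEM
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Refuse a file whose digest differs from the fingerprint published by the CA.
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(root.getEncoded()))
            hex.append(String.format("%02x", b));
        if (!hex.toString().equalsIgnoreCase(pinnedSha256.replace(":", "")))
            throw new CertificateException("fingerprint mismatch, got " + hex);
        root.checkValidity(); // reject an expired or not-yet-valid root

        // Copy the default anchors first so every other HTTPS site keeps validating as before.
        TrustManagerFactory def = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (TrustManager tm : def.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers())
                    ks.setCertificateEntry("default-" + i++, c);
        ks.setCertificateEntry("extra-root", root);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // args: <root certificate file> <expected SHA-256 hex> <https URL to test>
    public static void main(String[] args) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(args[2]).openConnection();
        c.setSSLSocketFactory(withExtraRoot(args[0], args[1]).getSocketFactory());
        System.out.println("HTTP " + c.getResponseCode()); // handshake succeeds only if the chain validates
    }
}
```

Hostname verification and chain validation stay enabled; the only change is one additional trust anchor, scoped to the connections that use this context.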

comment:4 Changed 21 months ago by Don-vip

Thanks for the notice!

comment:5 Changed 21 months ago by FrankOverman

Why is this one, as solved in 17082, not included in the Changelog for 17084 here:
https://josm.openstreetmap.de/wiki/Changelog

Sorry, it is listed in the SVN list...

Last edited 21 months ago by FrankOverman

comment:6 Changed 21 months ago by Klumbumbus

https://josm.openstreetmap.de/wiki/Changelog is a summary which doesn't include every change. Since r17082 is probably not interesting for the majority of mappers I didn't add it there.
