
Opened 4 years ago

Closed 4 years ago

Last modified 12 months ago

#19872 closed enhancement (fixed)

Cannot access HTTPS Dutch WMTS servers anymore after switching to different root CA

Reported by: SanderH
Owned by: Don-vip
Priority: normal
Milestone: 20.09
Component: Core imagery
Version:
Keywords: template_report netherlands certificate
Cc:

Description

What steps will reproduce the problem?

  1. Try to show WMTS imagery from https://geodata.nationaalgeoregister.nl/luchtfoto/rgb/wmts?request=GetCapabilities

What is the expected result?

Imagery is shown

What happens instead?

Imagery is not shown, but instead an SSL error:

2020-10-01 19:07:05.311 WARNING: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
        at sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
        at org.openstreetmap.josm.tools.Http1Client.performConnection(Http1Client.java:78)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:148)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:124)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObject(JCSCachedTileLoaderJob.java:315)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.run(JCSCachedTileLoaderJob.java:226)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 23 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 29 more

Please provide any additional information below. Attach a screenshot if possible.

A few years ago we had the same error: https://josm.openstreetmap.de/ticket/14649

This was fixed by implementing https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

Since yesterday, the imagery provider has implemented a new certificate pointing to a new root CA "https://cert.pkioverheid.nl", more specifically this one: "Staat der Nederlanden EV Root CA" http://cert.pkioverheid.nl/EVRootCA.cer

Full explanation of the global government replacement plan (in Dutch): https://www.logius.nl/actueel/blog-pkioverheid-certificaat-vervangingsplan
Summary: Organisations must use the new certificates before 2020-10-01, and eventually the current G3 root will be revoked on 2021-01-31.

Please update the CertificateAmendment class to allow us to view aerial imagery for the Netherlands with this new CA.

URL: https://josm.openstreetmap.de/svn/trunk
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last Changed Date: 2020-09-25 17:47:53 +0200 (Fri, 25 Sep 2020)
Build-Date: 2020-09-26 01:30:51
Revision: 17061
Relative URL: ^/trunk

Identification: JOSM/1.5 (17061 nl) Windows 10 64-Bit
OS Build number: Windows 10 Pro 2004 (19041)
Memory Usage: 1581 MB / 3556 MB (320 MB allocated, but free)
Java version: 1.8.0_261-b12, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel
Screen: \Display0 1920x1200 (scaling 1.0x1.0), \Display1 1920x1200 (scaling 1.0x1.0)
Maximum Screen Size: 1920x1200
Best cursor sizes: 16x16 -> 32x32, 32x32 -> 32x32
VM arguments: [-Dsun.java2d.opengl=True]
Dataset consistency test: No problems found

Plugins:
+ DirectDownload (35552)
+ FixAddresses (35343)
+ Mapillary (1.5.25)
+ OpeningHoursEditor (35414)
+ PicLayer (35405)
+ apache-commons (35524)
+ apache-http (35092)
+ ejml (35313)
+ geotools (35169)
+ geotools-wfs (22.0.1)
+ graphview (35405)
+ jaxb (35092)
+ jna (35092)
+ jts (35122)
+ measurement (35405)
+ nl-pdok-report (0.4)
+ nl_bag (0.6)
+ ods-bag (0.6.19)
+ opendata (35513)
+ opendataservices (0.6.19)
+ photo_geotagging (35499)
+ photoadjust (35405)
+ poly (35248)
+ reverter (35556)
+ scripting (30798)
+ turnlanes (35405)
+ undelete (35521)
+ utilsplugin2 (35487)
+ waydownloader (35405)

Tagging presets:
+ %UserProfile%\Tools\JOSM\Presets_Monuments.zip

Map paint styles:
- https://josm.openstreetmap.de/josmfile?page=Styles/AddressValidator&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_and_Road_Attributes&zip=1
- %UserProfile%\Tools\JOSM\NL_traffic_signs\Styles_Traffic_signs-style.mapcss
- http://duinoord.home.xs4all.nl/OSM/JOSM/NL_traffic_signs/Styles_Traffic_signs-style.mapcss
- <josm.pref>\plugins\Ods-bag-style.mapcss
- <josm.pref>\plugins\Ods-bag-style-0.6.8.mapcss
- http://mijndev.openstreetmap.nl/~allroads/JOSM/Styles/Road_Extended_JOSM_style.zip
- https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Noname&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/NumberedCycleNodeNetworks&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/NumberedWalkingNodeNetworks&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features&style&zip=1
- https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features_ryg&style&zip=1
- %UserProfile%\Tools\JOSM\FI_traffic_signs\fisigns-all.mapcss

Validator rules:
+ <josm.pref>\validator\address_outside_building.mapcss
+ <josm.pref>\validator\start_date_is_null.mapcss

Last errors/warnings:
- 374006,514 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,548 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,553 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,553 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,577 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,614 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,615 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,616 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,667 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 374006,667 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Attachments (0)

Change History (8)

comment:1 by Don-vip, 4 years ago

Component: External imagery source → Core imagery
Keywords: netherlands certificate added
Milestone: 20.09
Owner: changed from team to Don-vip
Status: new → assigned
Type: defect → enhancement

comment:2 by smootheFiets, 4 years ago

Just to confirm that this fix is extremely important to the Dutch OSM community. This is crucial imagery for us. I'm happy to see this ticket assigned to 20.09, which I take to mean a fix is imminent. Big relief!

comment:3 by Don-vip, 4 years ago

Resolution: fixed
Status: assigned → closed

In 17082/josm:

fix #19872 - update expired Dutch CA by new one

comment:4 by Don-vip, 4 years ago

Thanks for the notice!

comment:5 by FrankOverman, 4 years ago

Why is this one, as solved in 17082, not included in the Changelog for 17084 here:
https://josm.openstreetmap.de/wiki/Changelog


comment:6 by Klumbumbus, 4 years ago

https://josm.openstreetmap.de/wiki/Changelog is a summary which doesn't include every change. Since r17082 is probably not interesting for the majority of mappers I didn't add it there.

comment:7 by taylor.smock, 12 months ago

Can someone (from the Netherlands) verify that this CertificateAmendment is still required? https://roottest-ev.pkioverheid.nl doesn't seem to exist anymore (see #22903), and the current endpoint (https://service.pdok.nl, changed from https://geodata.nationaalgeoregister.nl two years ago) uses QuoVadis Root CA 2 instead of Staat der Nederlanden EV Root CA. While I don't think they would bother having two different certificates, governments can do some funny things.

It looks like the root CA we added for this ticket expired in December 2022, so I think we can safely remove that amendment (see #22904).

comment:8 by anonymous, 12 months ago

Government decided to discontinue the CA (see https://logius.nl/actueel/uitfasering-uitgifte-publiek-vertrouwde-webcertificaten-pkioverheid).

Government is migrating most (all?) remaining services from https://geodata.nationaalgeoregister.nl to their new platform https://service.pdok.nl, but both sites should be working on well known public CAs, so I think the CertificateAmendment can be safely removed.
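The mechanism behind the ticket, both the original failure in the description and the expiry argument in comment 7, can be reproduced offline. The following is an added example, not JOSM code and not the CertificateAmendment class the ticket refers to: a minimal PKIX-style path builder that walks from a server certificate towards a trust anchor. With a trust store that only knows an old root, building the path fails with the same "unable to find valid certification path to requested target" condition the JVM reports; once the new root is added to the trust store (the effect CertificateAmendment has on the JVM's cacerts) the same chain validates; and once that added root has expired it can no longer vouch for the chain. It assumes the Python `cryptography` package; every key is generated in memory and the CA names are placeholders, not the real PKIoverheid or QuoVadis roots.

```python
"""Added example (not JOSM code): a minimal PKIX-style certification path builder.
Keys and CA names below are constructed placeholders. Requires `cryptography`."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class PathBuildingError(Exception):
    """Analogue of sun.security.provider.certpath.SunCertPathBuilderException."""


def _utcnow():
    # Naive UTC, matching the naive datetimes the certificate builder accepts.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cert=None, issuer_key=None, is_ca=False, days=30):
    """Issue an ECDSA/P-256 certificate; with no issuer it is a self-signed root.
    Returns (certificate, private_key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties and deprecates the naive ones.
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer):
    """True if `issuer` names cert's issuer and its key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _check_validity(cert, now):
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        raise PathBuildingError(
            f"{cert.subject.rfc4514_string()} is outside its validity period")


def build_path(leaf, intermediates, trust_anchors, now=None, max_len=8):
    """Walk from `leaf` towards a trust anchor, as a PKIX path builder does.
    Returns [leaf, ..., anchor] or raises PathBuildingError when no in-date path
    to a trust anchor exists."""
    now = now or _utcnow()
    chain, current = [leaf], leaf
    while len(chain) <= max_len:
        _check_validity(current, now)
        # Does a trust anchor directly vouch for the current certificate?
        anchor = next((a for a in trust_anchors if _signed_by(current, a)), None)
        if anchor is not None:
            _check_validity(anchor, now)  # an expired anchor cannot vouch for anything
            return chain + [anchor]
        # Otherwise find the intermediate CA that issued it and keep walking.
        nxt = next((c for c in intermediates
                    if c is not current and _is_ca(c) and _signed_by(current, c)), None)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    raise PathBuildingError("unable to find valid certification path to requested "
                            f"target ({leaf.subject.rfc4514_string()})")


def demo(clock_offset_days=0):
    """Constructed scenario: the server's chain ends in a root the old trust store
    lacks. Returns the subject chain or the error message for each trust store."""
    now = _utcnow() + datetime.timedelta(days=clock_offset_days)
    old_root, _ = issue("Old Root CA (placeholder)", is_ca=True, days=90)
    new_root, new_key = issue("New EV Root CA (placeholder)", is_ca=True, days=45)
    inter, inter_key = issue("Imagery Issuing CA (placeholder)", new_root, new_key,
                             is_ca=True, days=60)
    # Leaf deliberately outlives its root so a later clock shows the expired-anchor case.
    server, _ = issue("geodata.example (placeholder)", inter, inter_key, days=60)

    def attempt(trust_store):
        try:
            return [c.subject.rfc4514_string()
                    for c in build_path(server, [inter], trust_store, now=now)]
        except PathBuildingError as err:
            return str(err)

    return {"old_trust_store": attempt([old_root]),              # before the amendment
            "amended_trust_store": attempt([old_root, new_root])}  # after adding the root


if __name__ == "__main__":
    print(demo())
    print(demo(clock_offset_days=50))  # the added root has expired by then
```

Running it prints a path-building error for the old trust store, the three-certificate chain for the amended one, and, with the clock moved 50 days ahead, a validity error naming the expired root even though it is still in the trust store, which is the situation comment 7 describes.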
