id summary reporter owner description type status priority milestone component version resolution keywords cc 19872 Cannot access HTTPS Dutch WMTS servers anymore after switching to different root CA SanderH Don-vip "==== What steps will reproduce the problem? 1. Try to show WMTS imagery from https://geodata.nationaalgeoregister.nl/luchtfoto/rgb/wmts?request=GetCapabilities ==== What is the expected result? Imagery is shown ==== What happens instead? Imagery is not shown, but instead an SSL error: {{{ 2020-10-01 19:07:05.311 WARNING: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alert.createSSLException(Unknown Source) at sun.security.ssl.TransportContext.fatal(Unknown Source) at sun.security.ssl.TransportContext.fatal(Unknown Source) at sun.security.ssl.TransportContext.fatal(Unknown Source) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at sun.security.ssl.TransportContext.dispatch(Unknown Source) at sun.security.ssl.SSLTransport.decode(Unknown Source) at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source) at org.openstreetmap.josm.tools.Http1Client.performConnection(Http1Client.java:78) at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:148) at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:124) at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObject(JCSCachedTileLoaderJob.java:315) at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.run(JCSCachedTileLoaderJob.java:226) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 23 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 29 more }}} ==== Please provide any additional information below. Attach a screenshot if possible. A few years ago we had the same error: https://josm.openstreetmap.de/ticket/14649 This was fixed by implementing https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java Since yesterday, the imagery provider has implemented a new certificate pointing to a new root CA ""https://cert.pkioverheid.nl"", more specifically this one: ""Staat der Nederlanden EV Root CA"" http://cert.pkioverheid.nl/EVRootCA.cer Full explanation of the global government replacement plan (in Dutch): https://www.logius.nl/actueel/blog-pkioverheid-certificaat-vervangingsplan Summary: Organisations must use the new certificates before 2020-10-01, and eventually the current G3 root will be revoked on 2021-01-31. Please update the CertificateAmendment class to allow us to view aerial imagery for the Netherlands with this new CA. {{{ URL:https://josm.openstreetmap.de/svn/trunk Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b Last:Changed Date: 2020-09-25 17:47:53 +0200 (Fri, 25 Sep 2020) Build-Date:2020-09-26 01:30:51 Revision:17061 Relative:URL: ^/trunk Identification: JOSM/1.5 (17061 nl) Windows 10 64-Bit OS Build number: Windows 10 Pro 2004 (19041) Memory Usage: 1581 MB / 3556 MB (320 MB allocated, but free) Java version: 1.8.0_261-b12, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM Look and Feel: com.sun.java.swing.plaf.windows.WindowsLookAndFeel Screen: \Display0 1920x1200 (scaling 1.0x1.0), \Display1 1920x1200 (scaling 1.0x1.0) Maximum Screen Size: 1920x1200 Best cursor sizes: 16x16 -> 32x32, 32x32 -> 32x32 VM arguments: [-Dsun.java2d.opengl=True] Dataset consistency test: No problems found Plugins: + DirectDownload (35552) + FixAddresses (35343) + Mapillary (1.5.25) + OpeningHoursEditor (35414) + PicLayer (35405) + apache-commons (35524) + apache-http (35092) + ejml (35313) + geotools (35169) + geotools-wfs (22.0.1) + graphview (35405) + jaxb (35092) + jna (35092) + jts (35122) + measurement (35405) + nl-pdok-report (0.4) + nl_bag (0.6) + ods-bag (0.6.19) + opendata (35513) + opendataservices (0.6.19) + photo_geotagging (35499) + photoadjust (35405) + poly (35248) + reverter (35556) + scripting (30798) + turnlanes (35405) + undelete (35521) + utilsplugin2 (35487) + waydownloader (35405) Tagging presets: + %UserProfile%\Tools\JOSM\Presets_Monuments.zip Map paint styles: - https://josm.openstreetmap.de/josmfile?page=Styles/AddressValidator&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/Lane_and_Road_Attributes&zip=1 - %UserProfile%\Tools\JOSM\NL_traffic_signs\Styles_Traffic_signs-style.mapcss - http://duinoord.home.xs4all.nl/OSM/JOSM/NL_traffic_signs/Styles_Traffic_signs-style.mapcss - \plugins\Ods-bag-style.mapcss - \plugins\Ods-bag-style-0.6.8.mapcss - http://mijndev.openstreetmap.nl/~allroads/JOSM/Styles/Road_Extended_JOSM_style.zip - https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/Noname&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/NumberedCycleNodeNetworks&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/NumberedWalkingNodeNetworks&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features&style&zip=1 - https://josm.openstreetmap.de/josmfile?page=Styles/Lane_features_ryg&style&zip=1 - %UserProfile%\Tools\JOSM\FI_traffic_signs\fisigns-all.mapcss Validator rules: + \validator\address_outside_building.mapcss + \validator\start_date_is_null.mapcss Last errors/warnings: - 374006,514 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,548 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,553 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,553 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,577 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,614 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,615 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,616 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,667 W: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Oorzaak: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - 374006,667 W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target }}} " enhancement closed normal 20.09 Core imagery fixed template_report netherlands certificate