Modify

Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#24428 closed defect (worksforme)

Baden-Württemberg DOP20 aerial images do not load, unable to find valid certification path to requested target

Reported by: anonymous Owned by: team
Priority: normal Milestone:
Component: Core Version: latest
Keywords: template_report Cc:

Description

The Baden-Württemberg DOP20 aerial images do not load in JOSM due to a certificate error, but they work fine in the browser.

WARNUNG: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Ursache: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Ursache: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:482)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141)
        at org.openstreetmap.josm.tools.Http1Client.performConnection(Http1Client.java:78)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:162)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:136)
        at org.openstreetmap.josm.tools.HttpClient.connect(HttpClient.java:125)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObjectHttp(JCSCachedTileLoaderJob.java:362)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.loadObject(JCSCachedTileLoaderJob.java:309)
        at org.openstreetmap.josm.data.cache.JCSCachedTileLoaderJob.run(JCSCachedTileLoaderJob.java:233)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1095)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:619)
        at java.base/java.lang.Thread.run(Thread.java:1447)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
        at java.base/sun.security.validator.Validator.validate(Validator.java:256)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1319)
        ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:295)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 29 more

Revision:19433
Identification: JOSM/1.5 (19433 de) Linux Ubuntu 25.04
Java version: 24.0.2+12-Ubuntu-0ubuntu125.04.1, Ubuntu, OpenJDK 64-Bit Server VM

Attachments (0)

Change History (5)

comment:1 by anonymous, 3 months ago 

INFORMATION: GET https://owsproxy.lgl-bw.de/owsproxy/ows/WMS_LGL-BW_ATKIS_DOP_20_C?FORMAT=image/png&TRANSPARENT=TRUE&VERSION=1.3.0&SERVICE=WMS&REQUEST=GetMap&LAYERS=IMAGES_DOP_20_RGB&STYLES=&CRS=EPSG:3857&WIDTH=512&HEIGHT=512&BBOX=874133.8554693,6105789.8194199,874439.6035824,6106095.5675330 -> !!! (75 ms)

comment:2 by stoecker, 3 months ago

Resolution: worksforme
Status: newclosed

Loads fine here on another Linux. As you're using Linux and on Linux Java uses systemwide installed Certificates I suggest to review your installed certificates or install the missing Sectigo certs.

comment:3 by anonymous, 3 months ago

By default, Java on Linux uses its own separate truststore located here at /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts rather than the system-wide truststore. The system-wide truststore on Ubuntu 25.04 contains the necessary Sectigo R46 certificate at /etc/ssl/certs/Sectigo_Public_Server_Authentication_Root_R46.pem, which is also successfully verified by curl https://owsproxy.lgl-bw.de. However, running

keytool -list -v -keystore /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts -storepass changeit | grep -i sectigo

shows that this certificate is missing from the Java truststore. After manually importing the certificate into the Java truststore using

keytool -importcert -trustcacerts -alias sectigo-root-r46 -file /etc/ssl/certs/Sectigo_Public_Server_Authentication_Root_R46.pem -keystore /usr/lib/jvm/java-24-openjdk-amd64/lib/security/cacerts -storepass changeit

JOSM can once again display the Baden-Württemberg DOP20 aerial images. The certificate for owsproxy.lgl-bw.de was likely renewed in early August.

comment:4 by stoecker, 3 months ago

Ah, so that differs between distributions. On openSUSE it is using system and usually certificate issues only affected Windows in bug reports.

comment:5 by anonymous, 3 months ago

FYI: The missing certificates have been added in several OpenJDK versions:
https://bugs.openjdk.org/browse/JDK-8359170

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain team.
as The resolution will be set.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.