inspire-eu-validation / ets-repository

Repository for Executable Test Suites of the INSPIRE validator (under development)
European Union Public License 1.2

ATOM feed in HTTPS (javax.net.ssl.SSLHandshakeException) #86

Open MarieLambois opened 6 years ago

MarieLambois commented 6 years ago

We have trouble testing our feed in HTTPS. When we test the following feed: https://www.geoportail-urbanisme.gouv.fr/atom/download-feed/

It gives the following error: [image]

However the certificate seems valid.

It works in HTTP.

cportele commented 6 years ago

Yes, the certificate seems to be valid: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.geoportail-urbanisme.gouv.fr/

In the INSPIRE validator I get the error, too. The test run, however, starts fine in an internal deployment that we use for testing. So maybe this has to do with some security setting in the Java VM? Or a firewall?

@michellutz @jonherrmann - any idea how we could diagnose this?

jonherrmann commented 6 years ago

@cportele @michellutz

Note that the certificate expires in 14 days and only supports TLS 1.0. Is the server on which the INSPIRE validator runs configured (Java Trust Manager, etc.) to reject TLS 1.0 certificates?

cportele commented 6 years ago

The validator Java VM also rejects certificates that are valid for 153 days and that support TLS 1.1/1.2.

See http://inspire-sandbox.jrc.ec.europa.eu/etf-webapp//v2/TestRuns/EID5268cac8-1e1c-4f72-b939-32c86edeac53.html?lang=en#EIDda1ba87c-56b9-465b-ad75-79326dfa08ac and https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fdata.gov.sk%2F

michellutz commented 6 years ago

From @robsgnao :

Ciao, just checked, date and time on the server are ok; no specific configuration has been specified for the Java trust manager (default options). Do we have the same issue with the server on cloud (at interactive instruments)?

Cheers, Roberto

cportele commented 6 years ago

No, we do not see the same issue in our deployment.

Could it be a firewall issue, i.e. no outgoing https connections from the sandbox?

cc: @robsgnao

jonherrmann commented 6 years ago

@robsgnao Another note: yesterday, just after the INSPIRE validator had been restarted, we tested a Test Object with an HTTPS URL and it worked. Today the same Test Object does not work.

klimeto commented 6 years ago

Dear devs,

Is there any update on this issue? I have this service to be tested:

https://zbgisws.skgeodesy.sk/inspire_administrative_units_wfs/service.svc/get?request=GetCapabilities&service=WFS

The validator still answers with the SSLHandshakeException:

Test Run initialization failure The URL is invalid: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks for help, Tomas

michellutz commented 6 years ago

@robsgnao Could you please have a look at this and check whether this is an issue with our deployment (e.g. the JRC firewall...)?

Cheers, m

jonherrmann commented 6 years ago

@Robsgnao @michellutz we do not see this issue in our deployments. There may be additional information in the log file of the web application server.

@klimeto this would be the error message for your WFS 1.1 service: The Test Objekt Type 'OGC Web Feature Service 1.1' is not one of the expected types that can be tested in this test run.

klimeto commented 6 years ago

@jonherrmann yes, it's true. This is the version 2.0: https://test-zbgisws.skgeodesy.sk/inspire_administrative_units_wfs/service.svc/get?service=wfs&request=getcapabilities

However the JRC instance of the validator still returns the handshake error.

robsgnao commented 6 years ago

As for issue #89, the root certification authority DHIMYOTIS (Certigna Services CA) was not among the trusted CAs in the Oracle JDK; same solution deployed, seems to be working fine now.

robsgnao commented 6 years ago

The SSL-related issue is not present while using OpenJDK instead of Oracle JDK. The validator hosted at JRC was switched to OpenJDK yesterday.
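
A check for the root cause reported in the last two comments, as an added example that is not part of the thread or of the validator's code: it reports whether the running JVM's default trust store holds a trust anchor whose subject contains a given string. The class name `TrustAnchorCheck` and the default search string `Certigna` (taken from the CA named above) are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {

    // Trust anchors the running JVM uses when no custom trust store is configured.
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // Case-insensitive match on the subject DN, e.g. "CN=Certigna,O=Dhimyotis,C=FR".
    static List<X509Certificate> findAnchors(X509Certificate[] anchors, String fragment) {
        String needle = fragment.toLowerCase(Locale.ROOT);
        List<X509Certificate> hits = new ArrayList<>();
        for (X509Certificate c : anchors) {
            String subject = c.getSubjectX500Principal().getName();
            if (subject.toLowerCase(Locale.ROOT).contains(needle)) hits.add(c);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String fragment = args.length > 0 ? args[0] : "Certigna"; // assumed default
        X509Certificate[] anchors = defaultAnchors();
        System.out.printf("JVM: %s %s, home %s, %d default trust anchors%n",
            System.getProperty("java.vendor"), System.getProperty("java.version"),
            System.getProperty("java.home"), anchors.length);
        List<X509Certificate> hits = findAnchors(anchors, fragment);
        for (X509Certificate c : hits) {
            System.out.printf("trusted: %s (expires %s)%n",
                c.getSubjectX500Principal().getName(), c.getNotAfter());
        }
        if (hits.isEmpty()) {
            System.out.printf("no trust anchor matches \"%s\" in this JVM%n", fragment);
            System.exit(1);
        }
    }
}
```

Run it with the same Java binary that the web application server uses, because each JDK installation has its own default trust store and the result can differ between two JDKs on one machine.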