Closed dstenger closed 6 years ago
We will improve the description/specification of this issue soon.
Tasks:
Validation with following service already works (it is a reference implementation): https://services.interactive-instruments.de/ogc-reference/simple/wfs?request=getcapabilities&service=wfsservices.interactive-instruments.de/ogc-reference/simple/wfs?request=getcapabilities&service=wfs
The ets-wfs20 is TestNG based.
Also, a CTL based test suite can validate an HTTPS secured service successfully (reference implementation): https://cite.deegree.org/deegree-webservices-3.4-RC3/services/wms130?service=WMS&request=GetCapabilities
The ets-wms13 is CTL based.
New tasks:
[1] https://github.com/opengeospatial/cite/wiki/Reference-Implementations
Following are the behaviour of the Reference-Implementations:
All test services were taken from: https://github.com/opengeospatial/cite/wiki/Unofficial-OGC-Reference-Implementations
Test environment
SOS 2.0
WMS 1.1.1
General
I have tested on the Ubuntu Linux machine.
Once again I will check WMS 1.1.1 whether it is reproducing or not.
@dstenger
I have tested on the Windows 8.1 environment stilI getting the same error.
Test: WMS 1.1.1
[Service-URL] https://cite.deegree.org/deegree-webservices-3.4-RC3/services/wms111?service=WMS&request=GetCapabilities
Test Name : wms:wms_main type Mandatory
net.sf.saxon.s9api.SaxonApiException: Error in call to extension function {public org.w3c.dom.NodeList com.occamlab.te.TECore.request(org.w3c.dom.Document,java.lang.String) throws java.lang.Throwable}: Exception in extension function javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:192)
at com.occamlab.te.TECore.executeTemplate(TECore.java:607)
at com.occamlab.te.TECore.executeTest(TECore.java:818)
at com.occamlab.te.TECore.execute_test(TECore.java:426)
at com.occamlab.te.TECore.execute_suite(TECore.java:474)
at com.occamlab.te.TECore.execute(TECore.java:303)
at com.occamlab.te.TECore.run(TECore.java:2406)
at java.lang.Thread.run(Thread.java:745)
Caused by: net.sf.saxon.trans.XPathException: Error in call to extension function {public org.w3c.dom.NodeList com.occamlab.te.TECore.request(org.w3c.dom.Document,java.lang.String) throws java.lang.Throwable}: Exception in extension function javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at net.sf.saxon.functions.ExtensionFunctionCall.iterate(ExtensionFunctionCall.java:151)
at net.sf.saxon.expr.PathExpression.iterate(PathExpression.java:848)
at net.sf.saxon.sort.DocumentSorter.iterate(DocumentSorter.java:84)
at net.sf.saxon.instruct.CopyOf.processLeavingTail(CopyOf.java:292)
at net.sf.saxon.instruct.Instruction.process(Instruction.java:94)
at net.sf.saxon.instruct.DocumentInstr.evaluateItem(DocumentInstr.java:282)
at net.sf.saxon.expr.ExpressionTool.evaluate(ExpressionTool.java:295)
at net.sf.saxon.expr.LetExpression.eval(LetExpression.java:341)
at net.sf.saxon.expr.LetExpression.process(LetExpression.java:372)
at net.sf.saxon.instruct.ForEach.processLeavingTail(ForEach.java:300)
at net.sf.saxon.expr.LetExpression.processLeavingTail(LetExpression.java:551)
at net.sf.saxon.instruct.Template.applyLeavingTail(Template.java:175)
at net.sf.saxon.instruct.ApplyTemplates.applyTemplates(ApplyTemplates.java:343)
at net.sf.saxon.Controller.transformDocument(Controller.java:1736)
at net.sf.saxon.Controller.transform(Controller.java:1560)
at net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:190)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at com.occamlab.te.TECore.parse(TECore.java:2089)
at com.occamlab.te.TECore.parse(TECore.java:2066)
at com.occamlab.te.TECore.request(TECore.java:1658)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at net.sf.saxon.functions.ExtensionFunctionCall.invokeMethod(ExtensionFunctionCall.java:533)
at net.sf.saxon.functions.ExtensionFunctionCall.call(ExtensionFunctionCall.java:256)
at net.sf.saxon.functions.ExtensionFunctionCall.iterate(ExtensionFunctionCall.java:147)
... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 42 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 48 more
@keshav-nangare Can you please document the used Java version?
Details:
JAVA [Windows 8.1]:
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
Tomcat 7
I've tested WMS 1.1.1 (https://cite.deegree.org/deegree-webservices-3.4-RC3/services/wms111?service=WMS&request=GetCapabilities) with local docker environment (ETS WMS 1.1 v1.16 and TEAM Engine 5.1) as well as with production. Tests are successful.
@keshav-nangare Can you try again with production?
@keshav-nangare What implementation of Java are you using? It seems that the trustStore of your Java installation is broken. Can you try to setup a newly installed Java?
@lgoltz
The test wms1.1 is working fine with the production.
@dstenger
OS: Windows 8.1 I'm using Oracle JAVA:
java version "1.8.0_162"
Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
After updating to above latest version, still getting this error on my local machine.
@keshav-nangare
Regarding your local system:
In following file you can find all trusted certificates of you Java installation: $JAVA_HOME/jre/lib/security/cacerts
On Linux following command can be executed to view all entries (please check for the corresponding command on Windows): keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
How many entries a present in the trustStore of your local Java installation?
Regarding table of comment https://github.com/opengeospatial/teamengine/issues/255#issuecomment-344920430: Can you please repeat all tests on production and just document errors occurring there? Please use a table for documentation again.
@dstenger
I checked the trusted certificates as you suggested and following are the entries:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 104 entries
Sure, I will repeat all tests on production.
The failure described in https://github.com/opengeospatial/teamengine/issues/255#issuecomment-350680643 is also reported in #312
Following are the behaviour of the Reference-Implementations on Production environment:
SOS 2.0 | 52North | 52North No SSL error can be detected. As the DCP URLs use HTTP protocol, test are not executed against HTTPS URLs. -> No need for further investigation.
EO-WCS 1.0 | EOX IT Services GmbH | EOxServer Described error cannot be reproduced. Please specify the error report. No SSL related error can be detected. However, there are many test failures.
WFS 2.0.0 | Avitech GmbH | Avitech SWIM (AxL) 4.0 - WFS No SSL related error can be detected. Instead, following error is occurring:
I cannot detect any SSL related error in any test suite. I propose to create issues for observations if needed and to close this issue afterwards as there are no problems with SSL secured resources in general.
@keshav-nangare Can you please take a look at my results?
@dstenger
WFS 2.0.0 : https://wfst.axl.aero/AxlRest/wfs?service=WFS&version=2.0.0&request=GetCapabilities
We get the two error with wfs20 i.e 1] same as mentioned in the last comment and 2] Certificate error
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This issue occurred while testing on production, we can see this error in user session/error_log/ directory. Attached the log log.txt
@keshav-nangare Thank you for the input.
Indeed, this failure is related to SSL. I created a new issue for that: https://github.com/opengeospatial/ets-wfs20/issues/99
So, in conclusion, this is the only SSL related error which will be dealt with in the newly created issue. Thus, this issue can be closed.
Already reported for WMS 1.3 test suite: https://github.com/opengeospatial/ets-wms13/issues/27