Error loading wms layer

[kiri03]

Describe the issue

I have a project in QGIS where everything is displayed correctly, including several WMS layers, but when I send that project to QField there is a specific layer that is not displayed and an error related to the SSL certificate appears:

Map request failed [error: SSL handshake failed: The issuer certificate of a locally looked up certificate could not be found url: https://ovc.catastro.meh.es/Cartografia/WMS/ServidorWMS.aspx?

I have deleted all the layers leaving only the layer with the WMS layer and still nothing is displayed in QField, the same error appears. I attach the QGZ file with the WMS layer to be able to reproduce the error in QField and see if someone can provide me with a solution.)

Catastro_Spain.zip

Desktop (please complete the following information)

• OS: Windows 11 23H2
• QGIS Version 3.38.1
• QFieldSync Version 4.9.1

Mobile (please complete the following information)

• Device: Realme GT
• OS: Android 13
• QField version: 3.3.7 - Darién

[nirvn]

@kiri03 , when I load this locally in QGIS, I get the following dialog:

These custom certificates aren't supported by QField (yet).

[nirvn]

Loading the URL on a browser also reveals a problematic certificate:

[kiri03]

I don't understand it. When I open that project in QGIS it opens perfectly without any error message. And in the mentioned link I also open it perfectly.

[nirvn]

@kiri03 , have you tried a/ opening the URL (https://ovc.catastro.meh.es/Cartografia/WMS/ServidorWMS.aspx) in your browser, and b/ opening the project in a new QGIS profile? It's possible you accepted the custom certificate a long time ago.

[kiri03]

I tried putting that link on a new computer and no error appears. This is what appears:

[nirvn]

@kiri03 , are you typing in the https URL?

[kiri03]

This link: https://ovc.catastro.meh.es/Cartografia/WMS/ServidorWMS.aspx

[nirvn]

@kiri03 , OK, I see it works with Chrome but not with Firefox. Curious.

[nirvn]

We're using the Mozilla CA certificate store in QField, and it seems they have removed Firmaprofesional as a trusted certifier.

Running the website against an online SSL checker does reveal the certificate is not universally accepted:

[kiri03]

The original problem is that the Spanish cadastre WMS layers all work in QGIS, however they do not load in QField. Could someone from the QField development team fix this problem?

[nirvn]

@kiri03 , you said it works with a VPN? Can we close this?

[kiri03]

No, I'm not using VPN. Te project open perfectly in QGIS but not in QField.

[nirvn]

@kiri03 , ok. What version of QGIS are you using?

[kiri03]

QGIS 3.38.1 all the information is indicated at the beginning of this thread

[kiri03]

QField 3.3.8

[kiri03]

I hope this issue will be fixed in a future version of QField.

[kiri03]

QField 3.3.9 released and the problem with this WMS layer persist.

[m-kuhn]

Looks like mozilla has accepted Firmaprofesional 2 months ago https://bugzilla.mozilla.org/show_bug.cgi?id=1785215

[nirvn]

@m-kuhn , good catch. We'll have to wait until curl's CA certificates extract to catch up then (see https://curl.se/docs/caextract.html).

I will say though that I'm on Firefox nightly, and that WMS server is still giving me a SEC_ERROR_UNKNOWN_ISSUER error code.

[m-kuhn]

Interesting as it says

Successfully tested in Nightly 128.0a1 (2024-06-09) (64-bit)

[m-kuhn]

@kiri03 ideally you can reach out to the WMS provider and inform them that their SSL certificate is not accepted by mozilla / on firefox.

The only thing which could potentially be done on QField side is to add an SSL exception management.

[m-kuhn]

For reference, this is the test page for firmaprofesional and it is working: https://testsslev2022ec.firmaprofesional.com/ so it has been added, but did not fix the issue here.

The cert has been signed by a different CA (visible in the security details of both pages). This is definitely best solved through catastro.meh.es directly.

[kiri03]

I don't quite understand the proposed solution. Does that mean that the problem cannot be solved from within Qfield's own development by modifying the program?

[m-kuhn]

This means that this problem is best solved on server side and therefore best if you could make the Spanish authorities aware of that. The fact that it's not working in Firefox -- which is a major, state of the art web browser -- should be good enough for their technical staff to assess the source of the problem.

The problem could also be circumvented from within QField but it requires a non trivial amount of work.

[kiri03]

Thank you very much for the reply. Now everything is clear.

[kiri03]

I just installed Mozilla Firefox and tried the address: https://ovc.catastro.meh.es/Cartografia/WMS/ServidorWMS.aspx?

I don't get any SSL certificate error and the page opens normally, just like in Chrome or Edge:

[m-kuhn]

It also works for me on linux, but not on macos with firefox nightly. I guess on linux it uses a different set of CA.

[nirvn]

@m-kuhn , to add to the mystery: it does not work for me on linux (using Firefox nightly) on Ubuntu 24.04.

[kiri03]

This means that this problem is best solved on server side and therefore best if you could make the Spanish authorities aware of that. The fact that it's not working in Firefox -- which is a major, state of the art web browser -- should be good enough for their technical staff to assess the source of the problem.

The problem could also be circumvented from within QField but it requires a non trivial amount of work.

I contacted the cadastre registry service in Spain (https://www.sedecatastro.gob.es/) and the answer I got was that TLS 1.0 and 1.1 have recently been disabled. I don't know exactly what this means and if there is a simple solution. Thanks

[m-kuhn]

Interesting, I just checked with Firefox 130.0.1

• https://ovc.catastro.meh.es/Cartografia/WMS/ServidorWMS.aspx? : Does show a warning Firefox detected a potential security threat and did not continue to ovc.catastro.meh.es. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
• https://tls.support/ : shows Your browser is using TLS 1.3. This is the latest version of TLS, which has no known issues.