Hi,
we're testing the adoption of standalone GeoFence (3.3.0) in order to
manage security of our GeoServers.
The problem is that when I try to register our GeoServer instance, an error
is thrown when the "Test" button is pressed. Setting logs to debug, I can
see the attached error.
Our GeoServer (v 2.10) is hosted on a tomcat7 behind an nginx proxy, and
https->https redirection is in place. The certificate is a Let's Encrypt one.
GeoFence runs on a tomcat7, java version "1.8.0_121".
I tested the same code (copied getURL from
https://github.com/geoserver/geofence/blob/v3.3.0/src/gui/core/plugin/userui/src/main/java/org/geoserver/geofence/gui/server/service/impl/InstancesManagerServiceImpl.java
) in another webapp I created and deployed on the same tomcat7 of
GeoFence, and the output seems correctly retrieved. These are the
parameters:
URL
https://geoserver1-spatial-dev.d4science.org/geoserver/rest/geofence/info
USER admin
PWD geoserver
Since the JRE seems to recognize the certificate (my test successfully
connects and retrieves content), my guess is that some other configuration
might be needed.
Thanks a lot for your help,
Fabio Sinibaldi
--
--- --- --- ---
Fabio Sinibaldi
CNR Istituto di Scienza e Tecnologie dell' Informazione A. Faedo
Area della Ricerca CNR
InfraScience Group http://nemis.isti.cnr.it/groups/infrascience
Via G. Moruzzi, 1 – 56124 Pisa, Italy
Skype fabioisti
https://it.linkedin.com/in/fabio-sinibaldi-18779a18
--- --- --- ---
17:28:35,588 DEBUG DefaultHttpParams:151 - Set parameter http.authentication.preemptive = true
17:28:35,588 DEBUG DefaultHttpParams:151 - Set parameter http.connection.timeout = 5000
17:28:35,589 DEBUG HttpMethodDirector:161 - Preemptively sending default basic credentials
17:28:35,589 DEBUG HttpMethodDirector:278 - Authenticating with BASIC <any realm>@geoserver1-spatial-dev.d4science.org:443
17:28:35,589 DEBUG HttpMethodParams:384 - Credential charset not configured, using HTTP element charset
17:28:35,589 DEBUG HttpConnection:692 - Open connection to geoserver1-spatial-dev.d4science.org:443
17:28:35,591 DEBUG header:70 - >> "GET /geoserver/rest/geofence/info HTTP/1.1[\r][\n]"
17:28:35,591 DEBUG HttpMethodBase:1352 - Adding Host request header
17:28:35,592 DEBUG header:70 - >> "Authorization: Basic YWRtaW46Z2Vvc2VydmVy[\r][\n]"
17:28:35,592 DEBUG header:70 - >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"
17:28:35,592 DEBUG header:70 - >> "Host: geoserver1-spatial-dev.d4science.org[\r][\n]"
17:28:35,592 DEBUG header:70 - >> "[\r][\n]"
17:28:35,595 DEBUG HttpMethodDirector:404 - Closing the connection.
17:28:35,595 DEBUG HttpConnection:1228 - Exception caught when closing output
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1541)
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1553)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at java.io.FilterOutputStream.close(FilterOutputStream.java:158)
    at org.apache.commons.httpclient.HttpConnection.closeSocketAndStreams(HttpConnection.java:1226)
    at org.apache.commons.httpclient.HttpConnection.close(HttpConnection.java:1149)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:405)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.geoserver.geofence.gui.server.service.impl.InstancesManagerServiceImpl.getURL(InstancesManagerServiceImpl.java:194)
    at org.geoserver.geofence.gui.server.service.impl.InstancesManagerServiceImpl.testConnection(InstancesManagerServiceImpl.java:165)
    at org.geoserver.geofence.gui.server.gwt.InstancesManagerRemoteServiceImpl.testConnection(InstancesManagerRemoteServiceImpl.java:86)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
    at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.geoserver.geofence.gui.AuthenticationFilter.doFilter(AuthenticationFilter.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.gcube.smartgears.managers.RequestManager.doFilter(RequestManager.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    ... 39 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 58 more
17:28:35,597 DEBUG HttpMethodDirector:434 - Method retry handler returned false. Automatic recovery will not be attempted
17:28:35,597 DEBUG HttpConnection:1178 - Releasing connection back to connection manager.
17:28:35,597 DEBUG HttpConnection:1178 - Releasing connection back to connection manager.
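
A diagnostic for the "PKIX path building failed" error in the log above, added here as an example; it is not part of the original message or of GeoFence. It reports which trust store the JVM falls back to and prints the certificate chain the server presents before handing it to the JVM's normal validation, so validation is not weakened. The class name `PkixProbe`, the host taken from the first command-line argument and port 443 are assumptions; run it with the same JRE and JVM options as the Tomcat under test.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class PkixProbe {  // hypothetical name, not a GeoFence class
    // JSSE default lookup: system property, then jssecacerts, then cacerts.
    static String trustStorePath() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) return p;
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return (jsse.exists() ? jsse : new File(dir, "cacerts")).getPath();
    }

    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        final X509TrustManager jvm = defaultTrustManager();
        System.out.println("trust store: " + trustStorePath()
            + " (" + jvm.getAcceptedIssuers().length + " trust anchors)");
        // Logs the presented chain, then applies the unmodified JVM path validation.
        // Only chain building is exercised here; hostname matching is not checked.
        X509TrustManager logging = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                jvm.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                for (X509Certificate x : c)
                    System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "\n  issuer =" + x.getIssuerX500Principal());
                jvm.checkServerTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
            s.startHandshake(); // throws SSLHandshakeException when no path can be built
            System.out.println("handshake OK: chain validates against this trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
        }
    }
}
```

If the printed chain contains only the server certificate, the proxy is not sending its intermediate certificate; if the chain is complete but validation still fails, the issuing root is missing from the reported trust store.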