[GeoNode-devel] SSL error on upload and saving metadata

Patrick Dufour pjdufour.dev at gmail.com
Tue May 30 15:44:41 PDT 2017


Nice!

Is the whole upload shapefile to GeoNode layer workflow end-to-end secure
and working now (setting aside http basemaps or unrelated UI issues)?

Regards,
Patrick


On May 30, 2017 6:30 PM, "Jonathan Doig" <j.doig at unsw.edu.au> wrote:

Hi all

Following this up with the solution for posterity.

Turns out I couldn’t get a signed certificate with the actual hostname
included in the subjectAltName, as our signing authority doesn’t cover the
actual host domain. Anyway that wasn’t the problem. The problem (thanks
Vaughan!) was missing root and intermediate certificates.

The full solution was to:

   1. Add our (QuoVadis) root and intermediate certificates to
   /etc/ssl/certs/geonode-chain.crt
   2. Point to this file from /etc/apache2/sites-available/geonode.conf by
   adding this line:

SSLCertificateChainFile /etc/ssl/certs/geonode-chain.crt

   3. Add the root certificate to
   /usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
   4. In local_settings.py, set OGC_SERVER default LOCATION to
   https://fully.qualified.domain.name/geoserver

Words to this effect should probably be added to
http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html

I’ve added it to our own (tested) Ansible playbook at
https://github.com/UNSW-CFRC/geonode_install/tree/master/roles/install_ssl

Regards

Jonathan
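The following is an added example, not code from this thread or from the GeoNode project. It reproduces, offline and against a throw-away PKI, the two client-side failures the thread works through: a server that sends only its leaf certificate (the client cannot reach a trusted root, which is what Python reports as CERTIFICATE_VERIFY_FAILED and openssl as "unable to get local issuer certificate"), and a client that connects to a hostname that is not in the certificate's subjectAltName (the alias vs. real-host problem Jonathan describes in his earlier mail). Everything in it is invented for the demo: the CA names, geonode.example.org, actual-host.example.org; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the GeoNode thread or project.
# Builds a throw-away PKI (root -> intermediate -> leaf) and checks it the way a
# TLS client would, to show why a missing intermediate and a wrong hostname fail.
# Names (Example Root CA, geonode.example.org, actual-host.example.org) are invented.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_test_pki DIR: write root.crt, inter.crt, leaf.crt (and keys) into DIR.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CAs must carry basicConstraints CA:TRUE or openssl refuses to use them as
    # issuers; the leaf's subjectAltName is what the hostname check matches.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:geonode.example.org' > "$dir/leaf.ext"

    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example/CN=Example Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -set_serial 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
    # intermediate signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example/CN=Example Intermediate CA' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -days 30 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.crt" >/dev/null 2>&1
    # server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example/CN=geonode.example.org' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -days 30 -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1

    [ -s "$dir/leaf.crt" ]   # non-zero status if any step above failed
}

# verify_chain CAFILE LEAF [EXTRA]: act as a client that trusts only CAFILE and
# received LEAF plus the EXTRA certificates the server sent (EXTRA may be omitted).
# Prints openssl's verdict; status 0 only if a path to a CAFILE root was built.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

# verify_hostname CAFILE EXTRA LEAF NAME: the same chain check plus the name
# match a client performs (subjectAltName is used; CN is ignored when a SAN exists).
verify_hostname() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" 2>&1
}

# Demo run: each case mirrors one step of the thread.
demo() {
    d=$(mktemp -d) || return 1
    make_test_pki "$d" || { echo "could not build test PKI" >&2; rm -rf "$d"; return 1; }
    echo "1) server sends leaf only, client trusts the root:"
    verify_chain "$d/root.crt" "$d/leaf.crt"
    echo "2) server sends leaf + intermediate (the chain-file fix):"
    verify_chain "$d/root.crt" "$d/leaf.crt" "$d/inter.crt"
    echo "3) client connects to the name in the SAN:"
    verify_hostname "$d/root.crt" "$d/inter.crt" "$d/leaf.crt" geonode.example.org
    echo "4) client connects to the real host name, which is not in the SAN:"
    verify_hostname "$d/root.crt" "$d/inter.crt" "$d/leaf.crt" actual-host.example.org
    rm -rf "$d"
}

demo
```

Cases 1 and 4 fail, 2 and 3 pass. To run the same checks against a real deployment, capture what the server actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`; a "Verify return code: 21 (unable to verify the first certificate)" there is the s_client symptom of a missing intermediate. Point `-CAfile` at the bundle the failing client really uses: in this thread curl (system store, 697 certificates) verified fine while the Python side, which used httplib2's bundled cacerts.txt, did not, so testing with the wrong trust store hides the problem. Two practitioner caveats: Apache 2.4.8 and later deprecate SSLCertificateChainFile in favour of appending the intermediates to the file named by SSLCertificateFile, and editing the installed httplib2/cacerts.txt is undone by the next package upgrade, whereas `httplib2.Http(ca_certs=...)` lets the application name its own bundle.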



From: geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] On Behalf Of Jonathan Doig
Sent: Wednesday, 10 May 2017 5:12 PM
To: Cezary Statkiewicz <cezary.statkiewicz at geo-solutions.it>; geonode-devel at lists.osgeo.org
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata



Thanks for your response Cezary.



We have created an alias to our actual host. I think the problem might be
that while the python running these functions is using https, it is still
calling the actual hostname rather than the alias. It fails to verify the
certificate because the hostname doesn't match the alias. So I’ve requested
new certificates based on a config in which I’ve added the actual hostname
to subjectAltName. I’ll let you know how it goes.



Curl output shows no problem with <my-alias>:

curl -vvv https://<my-alias>/geoserver/
*   Trying <my-host-IP>...
* Connected to <my-alias> (<my-host-IP>) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: <my-alias> (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=AU,ST=New South Wales,L=Kensington,O=University of New South Wales,OU=City Futures Research Centre,CN=<my-alias>
*        start date: Mon, 08 May 2017 01:05:25 GMT
*        expire date: Fri, 08 May 2020 01:05:21 GMT
*        issuer: C=BM,O=QuoVadis Limited,CN=QuoVadis Global SSL ICA G2
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /geoserver/ HTTP/1.1
> Host: <my-alias>
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Tue, 09 May 2017 23:48:37 GMT
< Server: Apache-Coyote/1.1
< Location: /geoserver/index.html
< Content-Length: 0
< Set-Cookie: JSESSIONID=5797370732D26CAD77DC9ABB69E89DC7; Path=/geoserver/; HttpOnly
<
* Connection #0 to host <my-alias> left intact

But it fails on <my-actual-host>:

curl -vvv https://<my-actual-host>/geoserver/
*   Trying <my-host-ip>...
* Connected to <my-actual-host> (<my-host-ip>) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
* SSL: certificate subject name (<my-alias>) does not match target host name '<my-actual-host>'
* Closing connection 0
curl: (51) SSL: certificate subject name (<my-alias>) does not match target host name '<my-actual-host>'





-----Original Message-----
From: geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] On Behalf Of Cezary Statkiewicz
Sent: Tuesday, 9 May 2017 5:27 PM
To: geonode-devel at lists.osgeo.org
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata



On Tuesday, May 9, 2017 8:27:50 AM CEST Jonathan Doig wrote:

> Hi devs
>
> I'm putting our Geonode 2.4 behind SSL to protect the passwords over
> the net.
>
> Based on the doco
> <http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html>
> I've written two ansible scripts, one
> <https://github.com/UNSW-CFRC/geonode_install/blob/master/install_geonode/10_generate_ssl_csr.yml>
> to generate the key and CSR, the other
> <https://github.com/UNSW-CFRC/geonode_install/blob/master/install_ssl_cert.yml>
> to install the certificate supplied by our university IT. I included the
> step to add the certificate to httplib2/cacerts.txt for python.
>
> This works OK in general - the site itself shows as secure in Chrome.
>
> However, I get errors when uploading a layer and saving metadata:
> SSLHandshakeError at /layers/geonode:test_issue086a/metadata
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:590)



Could you run

curl -vvv https://your.private.geoserver/geoserver/
curl -vvv https://your.public.geoserver/geoserver/

and put outputs from those commands?



>
> Any thoughts?
>
> This is similar but not identical to the issue reported last year by
> Antoine Rolland (below).
>
> Regards
> Jonathan
>
>
> Jun 06, 2016; 11:20pm [Antoine ROLLAND] SSL HandshakeError
>
> Hello everyone,
>
> I'm using Geonode 2.4 stable version, and it's now running under SSL.
> After this change, part of the website is still working well, but I
> meet errors while editing metadata (when I save), and also when I try to
> upload a new layer. This is the error I meet:
>
> SSLHandshakeError at /layers/geonode:communes/metadata
> [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Request Method: POST
> Request URL: https://aware.cirad.fr/layers/geonode:communes/metadata
> Django Version: 1.6.11
> Exception Type: SSLHandshakeError
> Exception Value: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> Exception Location: /usr/lib/python2.7/dist-packages/httplib2/__init__.py in connect, line 1043
> Python Executable: /usr/bin/python
> Python Version: 2.7.6
> Python Path:
> ['/usr/lib/python2.7',
>  '/usr/lib/python2.7/plat-x86_64-linux-gnu',
>  '/usr/lib/python2.7/lib-tk',
>  '/usr/lib/python2.7/lib-old',
>  '/usr/lib/python2.7/lib-dynload',
>  '/usr/local/lib/python2.7/dist-packages',
>  '/usr/lib/python2.7/dist-packages',
>  '/usr/lib/python2.7/dist-packages/PILcompat',
>  '/usr/lib/pymodules/python2.7',
>  '/var/www']
> Server time: Mon, 6 Jun 2016 09:09:43 -0400
>
> Also, it seems that the url of the website generated is wrong: a "/"
> is missing between "websitename" and "uploaded/thumbs" (for instance).
> I suppose it is a consequence of the error I meet.
>
> Any help would be really appreciated
>
> Thanks
>
> Antoine Rolland
> _______________________________________________
> geonode-devel mailing list
> geonode-devel at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/geonode-devel





--
Cezary Statkiewicz
mailto: cezio at thelirium.net
xmpp: cezio at jabber.org
pgp: https://thelirium.net/cezio@thelirium.net.pub.key

_______________________________________________
geonode-devel mailing list
geonode-devel at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/geonode-devel
