<div dir="ltr">Hello Nils, <div><br></div><div>Regarding adding the Python cacerts, I have also added the intermediate certificate. Something like:</div><div><br></div><div><b style="font-weight:normal" id="gmail-docs-internal-guid-b712add7-4522-f90e-e2a5-87c73a09ddbd"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">cat /etc/pki/ca-trust/source/anchors/staging-geonode-wfp-org-intermediate.crt >> /home/sdi/lib/python2.7/site-packages/httplib2/cacerts.txt</span></b><br></div><div><br></div><div>Regarding adding the certs to the JVM keystore, I did something similar to what you did:</div><div><b style="font-weight:normal" id="gmail-docs-internal-guid-e1cd4096-4525-ca59-5798-c2fb8dc9f561"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">/path/to/keytool -import -trustcacerts -alias tomcat -file /etc/pki/ca-trust/source/anchors/staging-geonode-wfp-org.crt -keystore /home/sdi/.keystore3 -deststoretype pkcs12</span></b> </div><div><br></div><div>Regarding adding the certs at OS level (CentOS), I just had to:</div><div>    1. 
<b style="font-weight:normal" id="gmail-docs-internal-guid-dfb7f71e-4527-1420-394a-38fff5b3151d"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">cp /location/of/ssl/certs/ /etc/pki/ca-trust/source/anchors</span></b></div><div><b style="font-weight:normal"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">    2. <b style="font-weight:normal" id="gmail-docs-internal-guid-2f409dec-4527-3392-a7e4-5d85d28b6b00"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">update-ca-trust</span></b></span></b></div><div><b style="font-weight:normal"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><b style="font-weight:normal"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></b></span></b></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">There I have also added the intermediate certificate.</span></font></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">I would also make sure that tomcat is started with the right user.</span></font></div><div><font 
color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">Cheers</span></font></div><div><font color="#000000" face="Arial"><span style="font-size:14.6667px;white-space:pre-wrap">Dimitris</span></font></div><div><b style="font-weight:normal"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><b style="font-weight:normal"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></b></span></b></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 27, 2018 at 12:01 PM, Nils Noelke <span dir="ltr"><<a href="mailto:nilsnoelke@googlemail.com" target="_blank">nilsnoelke@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Dimitris,<div>Nice to hear that someone else already went through the process... I also added SSL to the keystore of Java and Python httplib2 using </div><div>

<pre style="box-sizing:border-box;font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace;font-size:12px;white-space:pre-wrap;margin:0px;padding:12px;display:block;overflow:auto;line-height:normal;color:rgb(64,64,64);text-decoration-style:initial;text-decoration-color:initial"><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">sudo</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">-</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">s</span> <span class="m_2475942420241089877gmail-s2" style="box-sizing:border-box;color:rgb(64,112,160)">"cat server.crt >> /usr/lib/python2.7/dist-<wbr>packages/httplib2/cacerts.txt"</span>
<span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">sudo</span> <span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">keytool</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">-</span><span class="m_2475942420241089877gmail-kn" style="box-sizing:border-box;color:rgb(0,112,32);font-weight:bold">import</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">-</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">alias</span> <span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">geonodessl</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">-</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">keystore</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">/</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">etc</span><span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">/</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">ssl</span><span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">/</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">certs</span><span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">/</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">java</span><span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">/</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">cacerts</span> <span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">-</span><span class="m_2475942420241089877gmail-n" 
style="box-sizing:border-box">file</span> <span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">server</span><span class="m_2475942420241089877gmail-o" style="box-sizing:border-box;color:rgb(102,102,102)">.</span><span class="m_2475942420241089877gmail-n" style="box-sizing:border-box">crt</span></pre>

</div><div><br></div><div>For the certificate at OS level I followed: <a href="https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate/94861" target="_blank">https://askubuntu.com/<wbr>questions/73287/how-do-i-<wbr>install-a-root-certificate/<wbr>94861</a></div><div><br></div><div>Did you change more than what was written in the tutorial? Maybe it has to do with proxy settings you have to enter... I don't really know and I have no more ideas at the moment.</div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 26, 2018 at 9:11 AM Dimitris Karakostis <<a href="mailto:karakostis.dimitris@gmail.com" target="_blank">karakostis.dimitris@gmail.com</a><wbr>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Nils, <div><br></div><div>I went through the same process a couple of weeks ago and I also faced the same issue (we have GeoNode 2.4). Eventually Francesco Bartoli recommended adding the SSL certificates not only to the webserver (in my case nginx) but also to the keystores of Java and the Python http module. I have also added the certs at the OS level. 
After that the authentication between GeoNode and GeoServer started working again.</div><div><br></div><div>Let me know if this works for you.</div><div><br></div><div>Dimitris</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 25, 2018 at 1:24 PM, Nils Noelke <span dir="ltr"><<a href="mailto:nilsnoelke@googlemail.com" target="_blank">nilsnoelke@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div>I recently switched to SSL following the instructions from here: <a href="http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html" target="_blank">http://docs.geonode.org/<wbr>en/master/tutorials/advanced/<wbr>geonode_production/ssl.html</a></div><div><br></div><div>Everything went fine, so I can reach GeoNode now by SSL as well as the GeoServer, but what is not working anymore is the authentication between GeoNode and GeoServer.</div><div>If I open the GeoServer from GeoNode as the admin then I am not logged in and no layer is displayed.</div><div><br></div><div>It seems that the geonodeauth module is able to work with SSL without changing some settings.</div><div><br></div><div>Does anybody know if there are other settings to modify?</div><span class="m_2475942420241089877m_-53425503412874004HOEnZb"><font color="#888888"><div><br></div><div>Nils</div></font></span></div>
<br>______________________________<wbr>_________________<br>
geonode-users mailing list<br>
<a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geonode-users" rel="noreferrer" target="_blank">https://lists.osgeo.org/<wbr>mailman/listinfo/geonode-users</a><br>
<br></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div></div></div>
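<div>Added example, not part of the original thread and not GeoNode or httplib2 code: both messages append certificates to httplib2's <code>cacerts.txt</code> with <code>cat &gt;&gt;</code>, which duplicates entries on every re-run and can glue PEM markers together when the bundle lacks a final newline. The sketch below appends only missing certificates, compared by SHA-256 fingerprint; the function names, file names and the constructed placeholder PEM bodies are assumptions, and it is written for Python 3.</div>

```python
import base64, hashlib, os, re, ssl, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(pem_block):
    # SHA-256 over the decoded DER bytes, so whitespace differences do not matter.
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()

def add_to_bundle(bundle_path, cert_path):
    """Append certificates from cert_path that bundle_path lacks; return how many."""
    with open(bundle_path) as f:
        bundle = f.read()
    with open(cert_path) as f:
        blocks = PEM_RE.findall(f.read())
    if not blocks:
        raise ValueError("no PEM certificate in " + cert_path)
    have = {fingerprint(b) for b in PEM_RE.findall(bundle)}
    added = 0
    with open(bundle_path, "a") as out:
        # A bundle without a final newline would glue END and BEGIN markers together.
        if bundle and not bundle.endswith("\n"):
            out.write("\n")
        for block in blocks:
            fp = fingerprint(block)
            if fp not in have:
                out.write(block + "\n")
                have.add(fp)
                added += 1
    return added

def fake_pem(seed):
    # Constructed placeholder body: valid PEM framing, not a real certificate.
    body = base64.encodebytes(seed * 40).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"

def demo():
    d = tempfile.mkdtemp()
    bundle = os.path.join(d, "cacerts.txt")   # stands in for httplib2/cacerts.txt
    chain = os.path.join(d, "chain.crt")      # a cert already trusted + intermediate
    with open(bundle, "w") as f:
        f.write(fake_pem(b"root"))            # note: no trailing newline
    with open(chain, "w") as f:
        f.write(fake_pem(b"root") + "\n" + fake_pem(b"intermediate") + "\n")
    first = add_to_bundle(bundle, chain)      # only the intermediate is new
    second = add_to_bundle(bundle, chain)     # re-run changes nothing
    with open(bundle) as f:
        text = f.read()
    return first, second, len(PEM_RE.findall(text)), "----------BEGIN" in text

if __name__ == "__main__":
    print(demo())
```

<div>Reinstalling or upgrading httplib2 replaces its <code>cacerts.txt</code>, so the step has to be repeated afterwards; because the append is idempotent, re-running it is safe.</div>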