<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
p.MsoNoSpacing, li.MsoNoSpacing, div.MsoNoSpacing
        {mso-style-priority:1;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:765730516;
        mso-list-type:hybrid;
        mso-list-template-ids:-1595907822 67698693 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Jukka, but we are using an IIS 7.5 server and MapServer runs through FastCGI.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span style="color:#1F497D">Robertas</span></b><span style="font-size:10.0pt;color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> Rahkonen Jukka (Tike) [mailto:jukka.rahkonen@mmmtike.fi]
<br>
<b>Sent:</b> Thursday, February 06, 2014 10:13 AM<br>
<b>To:</b> Robertas Kerpys; 'mapserver-users@lists.osgeo.org'<br>
<b>Subject:</b> Re: [mapserver-users] Make MapServer trust self-signed certificate on Windows<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="FI" style="color:#1F497D">Hi,</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FI" style="color:#1F497D"> </span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I seem to have this setting done in Apache’s httpd.conf file as</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">SetEnv CURL_CA_BUNDLE "d:/Program Files/ms4w/Apache/conf/ca-bundle/cacert.pem"</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Check if that works better, or if there happens to be a line already overriding your system-wide setting.</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-Jukka Rahkonen-</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FI"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><span lang="FI" style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"><a href="mailto:Robertas.Kerpys@bentley.com"><span lang="EN-US">Robertas.Kerpys@bentley.com</span></a>
</span><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">wrote:</span><span lang="FI"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing">Hi Folks,<span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing"><span class="apple-converted-space"><span style="color:black">I&nbsp;</span></span><span style="color:black">want to access a MapServer SLD resource via a secure connection. I've set up SSL on IIS for my web site successfully using a self-signed
 certificate. Then I added the self-signed certificate to a curl-ca-bundle.crt certificate file and set the CURL_CA_BUNDLE system-level environment variable to point to the curl-ca-bundle.crt file.</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing" style="orphans: auto;widows: auto;-webkit-text-stroke-width: 0px;background-position:initial initial;background-repeat:initial initial;word-spacing:0px">
<span style="color:black">The aforementioned steps are covered in the following resources:</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing" style="margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span lang="FI" style="font-family:Wingdings"><span style="mso-list:Ignore">§<span style="font:7.0pt 'Times New Roman'">&nbsp;
</span></span></span><![endif]><span style="color:black;border:none windowtext 1.0pt;padding:0in"><a href="http://mapserver.org/ogc/wxs_secure.html">How to set up MapServer as a client to access a service over https</a></span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing" style="margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span lang="FI" style="font-family:Wingdings"><span style="mso-list:Ignore">§<span style="font:7.0pt 'Times New Roman'">&nbsp;
</span></span></span><![endif]><span style="color:black"><a href="http://blog.gisinternals.com/2010/12/daily-built-binary-packages-for.html"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0in">MapServer with OpenSSL support</span></a></span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing"><span style="color:black"> </span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing"><span style="color:black">Unfortunately this configuration does not work and curl throws an invalid certificate exception when accessing the following URL:</span><span class="apple-converted-space"><span style="font-size:10.5pt;font-family:'Arial','sans-serif';color:black">&nbsp;</span></span><span style="font-size:9.0pt;font-family:Consolas"><a href="https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap">https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap</a></span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;!DOCTYPE ServiceExceptionReport SYSTEM "<a href="http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd</a>"&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;ServiceExceptionReport version="1.1.1"&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;ServiceException&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">msSLDApplySLDURL: WMS server error. Could not open SLD
<a href="https://domain/cgi-bin/sld.xml">https://domain/cgi-bin//sld.xml</a> and save it in temporary file C:\Windows\TEMP\52f0d577_1380_0.sld.xml. Please make sure that the sld url is valid and that the temporary path is set. The temporary path can be defined
 for example by setting TMPPATH in the map file. Please check the MapServer documentation on temporary path settings.</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl error code 60 (SSL certificate problem, verify that the CA cert is OK. Details:</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) for
<a href="https://domain/cgi-bin/sld.xml">https://domain/cgi-bin//sld.xml</a></span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;/ServiceException&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:9.0pt;font-family:Consolas">&lt;/ServiceExceptionReport&gt;</span><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing">If curl is used separately, it doesn't throw the certificate exception when used with the same curl-ca-bundle.crt file. This suggests that MapServer does not take the CURL_CA_BUNDLE environment path into account and does not pass it to libcurl.
 But according to the<span class="apple-converted-space"><span style="color:black">&nbsp;</span></span><a href="https://github.com/mapserver/mapserver/blob/7f3e75cbc277b19774dc7030b76b92985f9690c6/maphttp.c"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0in">MapServer
 code</span></a><span class="apple-converted-space"><span style="color:black">&nbsp;</span></span>it should check for the CURL_CA_BUNDLE environment variable and, if set, use it for cURL. However, this doesn't seem to be the case.<span lang="FI"><o:p></o:p></span></p>
<p class="MsoNoSpacing" style="orphans: auto;widows: auto;-webkit-text-stroke-width: 0px;background-position:initial initial;background-repeat:initial initial;word-spacing:0px">
I even restarted my server for the IIS process to pick up the new environment variables:<span class="apple-converted-space"><span style="color:black">&nbsp;</span></span><a href="http://geographika.co.uk/reboot-to-refresh-environment-variables"><span style="color:#4A6B82;border:none windowtext 1.0pt;padding:0in">http://geographika.co.uk/reboot-to-refresh-environment-variables</span></a><span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal">Am I missing something?<span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal">Thanks,<span lang="FI"><o:p></o:p></span></p>
<p class="MsoNormal"><b>Robertas</b><span lang="FI"><o:p></o:p></span></p>
</div>
</div>
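<p class="MsoNormal">Added example, not part of the original messages and not MapServer code: a small Python check meant to run under the same account and process environment as mapserv.exe, reporting whether CURL_CA_BUNDLE is visible there, whether the file it names resolves, and whether the self-signed certificate is in that bundle. The function names (fingerprints, diagnose, demo) are hypothetical, and the PEM blobs in demo() are constructed placeholders, not real certificates.</p>

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate block in PEM text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)}

def diagnose(cert_pem, environ=None):
    """Report how the calling process sees CURL_CA_BUNDLE.

    Returns "unset", "missing-file", "cert-absent" or "ok". "ok" only means
    the certificate is present in the bundle as a trust anchor; host name and
    validity dates are still checked by the TLS library at connect time.
    """
    environ = os.environ if environ is None else environ
    path = environ.get("CURL_CA_BUNDLE")
    if not path:
        return "unset"          # the variable never reached this process
    if not os.path.isfile(path):
        return "missing-file"   # set, but the path does not resolve here
    with open(path, encoding="ascii", errors="replace") as fh:
        bundle = fingerprints(fh.read())
    wanted = fingerprints(cert_pem)
    return "ok" if wanted and wanted <= bundle else "cert-absent"

def demo():
    # Constructed placeholder blobs in PEM armour, not real certificates.
    site = ssl.DER_cert_to_PEM_cert(b"constructed self-signed site cert")
    other = ssl.DER_cert_to_PEM_cert(b"constructed unrelated CA cert")
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "curl-ca-bundle.crt")
        stale = os.path.join(tmp, "stale-bundle.crt")
        with open(good, "w") as fh:
            fh.write(other + site)   # bundle that includes the site cert
        with open(stale, "w") as fh:
            fh.write(other)          # bundle without it
        missing = os.path.join(tmp, "nope.crt")
        return [diagnose(site, {}),
                diagnose(site, {"CURL_CA_BUNDLE": missing}),
                diagnose(site, {"CURL_CA_BUNDLE": stale}),
                diagnose(site, {"CURL_CA_BUNDLE": good})]
```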
</body>
</html>