[GeoNode-devel] SSL error on upload and saving metadata
Jonathan Doig
j.doig at unsw.edu.au
Wed May 31 01:19:24 PDT 2017
Thanks Alessio I hadn’t seen that. But from a quick scan it seems to be doing the same thing as suggested at Running GeoNode under SSL<http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html>, in this section:
* It seems not necessary in standard GeoNode installations (via ppa) but if you plan to use other python or java applications, it could be useful also add the certificate to the cacerts file for python and java:
Ø sudo -s "cat server.crt >> /usr/lib/python2.7/dist-packages/httplib2/cacerts.txt"
Ø sudo keytool -import -alias geonodessl -keystore /etc/ssl/certs/java/cacerts -file server.crt
I.e using keytool to import the certificate for Java apps.
That’s the doco I followed originally to create my Ansible.
Regards
Jonathan
From: Alessio Fabiani [mailto:alessio.fabiani at geo-solutions.it]
Sent: Wednesday, 31 May 2017 6:07 PM
To: Jonathan Doig <j.doig at unsw.edu.au>
Cc: Patrick Dufour <pjdufour.dev at gmail.com>; Vaughan Allan <v.allan at unsw.edu.au>; geonode-devel <geonode-devel at lists.osgeo.org>; Graham Hannah <g.hannah at unsw.edu.au>
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata
Could this also help you to better setup outh secured endpoints?
http://docs.geonode.org/en/master/tutorials/admin/geoserver_geonode_security/index.html#how-to-setup-https-secured-endpoints
Best Regards,
Alessio Fabiani.
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Alessio Fabiani
@alfa7691
github<https://github.com/afabiani?tab=overview>
Founder/Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686
http://www.geo-solutions.it<http://www.geo-solutions.it/>
http://twitter.com/geosolutions_it
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
---------------------------------------------------------------------
On Wed, May 31, 2017 at 2:35 AM, Jonathan Doig <j.doig at unsw.edu.au<mailto:j.doig at unsw.edu.au>> wrote:
Yes, no more SSL errors, or even mixed content warnings in the dev console (that I’ve noticed).
Fixed the latter by changing http to https wherever needed, but later switched to default-protocol URLs (starting with //) so the current protocol is used, whether http or https. That would be worth adding to master imho, to reduce the work in adding SSL. Apparently there are some issues with obscure clients though, so may need to weigh that up.
Jonathan
From: Patrick Dufour [mailto:pjdufour.dev at gmail.com<mailto:pjdufour.dev at gmail.com>]
Sent: Wednesday, 31 May 2017 8:45 AM
To: Jonathan Doig <j.doig at unsw.edu.au<mailto:j.doig at unsw.edu.au>>
Cc: geonode-devel <geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>>; Cezary Statkiewicz <cezary.statkiewicz at geo-solutions.it<mailto:cezary.statkiewicz at geo-solutions.it>>; Vaughan Allan <v.allan at unsw.edu.au<mailto:v.allan at unsw.edu.au>>; Graham Hannah <g.hannah at unsw.edu.au<mailto:g.hannah at unsw.edu.au>>
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata
Nice!
Is the whole upload shapefile to GeoNode layer workflow end-to-end secure and working now (setting aside http basemaps or unrelated ui issues.)?
Regards,
Patrick
On May 30, 2017 6:30 PM, "Jonathan Doig" <j.doig at unsw.edu.au<mailto:j.doig at unsw.edu.au>> wrote:
Hi all
Following this up with the solution for posterity.
Turns out I couldn’t get a signed certificate with the actual hostname included in the subjectAltName, as our signing authority doesn’t cover the actual host domain. Anyway that wasn’t the problem. The problem (thanks Vaughan!) was missing root and intermediate certificates.
The full solution was to:
1. Add our (QuoVadis) root and intermediate certificates to /etc/ssl/certs/geonode-chain.crt
2. Point to this file from /etc/apache2/sites-available/geonode.conf by adding this line:
SSLCertificateChainFile /etc/ssl/certs/geonode-chain.crt
1. Add the root certificate to /usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
2. In local_settings.py, set OGC_SERVER default LOCATION to https://fully.qualified.domain.name/geoserver
Words to this effect should probably be added to http://docs.geonode.org/en/master/tutorials/advanced/geonode_production/ssl.html
I’ve added it to our own (tested) Ansible playbook at https://github.com/UNSW-CFRC/geonode_install/tree/master/roles/install_ssl
Regards
Jonathan
From: geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org<mailto:geonode-devel-bounces at lists.osgeo.org>] On Behalf Of Jonathan Doig
Sent: Wednesday, 10 May 2017 5:12 PM
To: Cezary Statkiewicz <cezary.statkiewicz at geo-solutions.it<mailto:cezary.statkiewicz at geo-solutions.it>>; geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata
Thanks for your response Cezary.
We have created an alias to our actual host. I think the problem might be that while the python running these functions is using https, it is still calling the actual hostname rather than the alias. It fails to verify the certificate because the hostname doesn't match the alias. So I’ve requested new certificates based on a config in which I’ve added the actual hostname to subjectAltName. I’ll let you know how it goes.
Curl output shows no problem with <my-alias>:
curl -vvv https://<my-alias>/geoserver/<https://%3cmy-alias%3e/geoserver/>
* Trying <my-host-IP>...
* Connected to <my-alias> (<my-host-IP>) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: <my-alias> (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=AU,ST=New South Wales,L=Kensington,O=University of New South Wales,OU=City Futures Research Centre,CN=<my-alias>
* start date: Mon, 08 May 2017 01:05:25 GMT
* expire date: Fri, 08 May 2020 01:05:21 GMT
* issuer: C=BM,O=QuoVadis Limited,CN=QuoVadis Global SSL ICA G2
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /geoserver/ HTTP/1.1
> Host: <my-alias>
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Tue, 09 May 2017 23:48:37 GMT
< Server: Apache-Coyote/1.1
< Location: /geoserver/index.html
< Content-Length: 0
< Set-Cookie: JSESSIONID=5797370732D26CAD77DC9ABB69E89DC7; Path=/geoserver/; HttpOnly
<
* Connection #0 to host <my-alias> left intact
But it fails on <my-actual-host>:
curl -vvv https://<my-actual-host>/geoserver/<https://%3cmy-actual-host%3e/geoserver/>
* Trying <my-host-ip>...
* Connected to <my-actual-host> (<my-host-ip>) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* SSL: certificate subject name (<my-alias>) does not match target host name '<my-actual-host>'
* Closing connection 0
curl: (51) SSL: certificate subject name (<my-alias>) does not match target host name '<my-actual-host>'
-----Original Message-----
From: geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] On Behalf Of Cezary Statkiewicz
Sent: Tuesday, 9 May 2017 5:27 PM
To: geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>
Subject: Re: [GeoNode-devel] SSL error on upload and saving metadata
On Tuesday, May 9, 2017 8:27:50 AM CEST Jonathan Doig wrote:
> Hi devs
>
> I'm putting our Geonode 2.4 behind SSL to protect the passwords over
> the net.
>
> Based on the
> doco<http://docs.geonode.org/en/master/tutorials/advanced/geonode_prod
> uctio n/ssl.html> I've written two ansible scripts,
> one<https://github.com/UNSW-CFRC/geonode_install/blob/master/install_g
> eonod e/10_generate_ssl_csr.yml> to generate the key and CSR, the
> other<https://github.com/UNSW-CFRC/geonode_install/blob/master/install
> _ssl_ cert.yml> to install the certificate supplied by our university
> IT. I included the step to add the certificate to httplib2/cacerts.txt
> for python.
>
> This works OK in general - the site itself shows as secure in Chrome.
>
> However, I get errors when uploading a layer and saving metadata:
> SSLHandshakeError at /layers/geonode:test_issue086a/metadata
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:590)
Could you run
curl -vvv https://your.private.geoserver/geoserver/
curl -vvv https://your.public.geoserver/geoserver/
and put outputs from those commands?
>
> Any thoughts?
>
> This is similar but not identical to the issue reported last year by
> Antoine Rolland (below).
>
> Regards
> Jonathan
>
>
>
> Jun 06, 2016; 11:20pm [Antoine ROLLAND]
> <http://osgeo-org.1560.x6.nabble.com/template/NamlServlet.jtp?macro=us
> er_no
> des&user=379386> Antoine
> ROLLAND<http://osgeo-org.1560.x6.nabble.com/template/NamlServlet.jtp?m
> acro= user_nodes&user=379386> SSL HandshakeError Hello everyone,
>
> I'm using Geonode 2.4 stable version, and it's now running under SSL.
> After this change, part of the website is still working well, but I
> meet errors while editing metada (when I save), and also when I try to
> upload a new layer. This is the error I meet :
>
> SSLHandshakeError at /layers/geonode:communes/metadata [Errno 1]
> _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol Request Method: POST Request URL:
> https://aware.cirad.fr/layers/geonode:communes/metadata
> Django Version: 1.6.11
> Exception Type: SSLHandshakeError
> Exception Value:
> [Errno 1] _ssl.c:510: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol Exception Location:
> /usr/lib/python2.7/dist-packages/httplib2/__init__.py in connect, line
> 1043 Python Executable: /usr/bin/python Python Version: 2.7.6 Python
> Path:
> ['/usr/lib/python2.7',
> '/usr/lib/python2.7/plat-x86_64-linux-gnu',
> '/usr/lib/python2.7/lib-tk',
> '/usr/lib/python2.7/lib-old',
> '/usr/lib/python2.7/lib-dynload',
> '/usr/local/lib/python2.7/dist-packages',
> '/usr/lib/python2.7/dist-packages',
> '/usr/lib/python2.7/dist-packages/PILcompat',
> '/usr/lib/pymodules/python2.7',
> '/var/www']
> Server time: lun, 6 Jui 2016 09:09:43 -0400
>
>
> Also, it seems that the url of the website generated is wrong : a "/"
> is missing between "websitename" and "uploaded/thumbs" (for instance).
> I suppose it is a consequence of the error i meet.
>
> Any help would be really appreciated
>
> Thanks
>
> Antoine Rolland
> _______________________________________________
> geonode-devel mailing list
> [hidden
> email]<http://osgeo-org.1560.x6.nabble.com/user/SendEmail.jtp?type=nod
> e&nod e=5270129&i=0>
> http://lists.osgeo.org/mailman/listinfo/geonode-devel
--
Cezary Statkiewicz
mailto: cezio at thelirium.net<mailto:cezio at thelirium.net>
xmpp: cezio at jabber.org<mailto:cezio at jabber.org>
pgp: https://thelirium.net/cezio@thelirium.net.pub.key
_______________________________________________
geonode-devel mailing list
geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/geonode-devel
_______________________________________________
geonode-devel mailing list
geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/geonode-devel
_______________________________________________
geonode-devel mailing list
geonode-devel at lists.osgeo.org<mailto:geonode-devel at lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/geonode-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-devel/attachments/20170531/88868f68/attachment-0001.html>
More information about the geonode-devel
mailing list