[mapserver-users] Make MapServer trust self-signed certificate on	Windows
    Robertas.Kerpys at bentley.com 
    Robertas.Kerpys at bentley.com
       
    Thu Feb  6 00:53:44 PST 2014
    
    
  
Thanks Jukka, but we are using IIS 7.5 server and MapServer runs through FastCGI.
Robertas
From: Rahkonen Jukka (Tike) [mailto:jukka.rahkonen at mmmtike.fi]
Sent: Thursday, February 06, 2014 10:13 AM
To: Robertas Kerpys; 'mapserver-users at lists.osgeo.org'
Subject: Re: [mapserver-users] Make MapServer trust self-signed certificate on Windows
Hi,
I seem to have this setting done in Apache's httpd.conf file as
SetEnv CURL_CA_BUNDLE "d:/Program Files/ms4w/Apache/conf/ca-bundle/cacert.pem"
Check if that works better, or if there happens to be a line already overriding your system wide setting.
-Jukka Rahkonen-
Robertas.Kerpys at bentley.com<mailto:Robertas.Kerpys at bentley.com> wrote:
Hi Folks,
I want to access MapServer SLD resource via secure connection. I've set up SSL on IIS for my web site successfully using a self-signed certificate. Then I added self-signed certificate into a curl-ca-bundle.crt certificate file and set CURL_CA_BUNDLE system level environment variable pointing to curl-ca-bundle.crt file.
Aforementioned steps are covered in the following resources:
§  How to set up MapServer as a client to access a service over https<http://mapserver.org/ogc/wxs_secure.html>
§  MapServer with OpenSSL support<http://blog.gisinternals.com/2010/12/daily-built-binary-packages-for.html>
Unfortunately this configuration does not work and curl throws invalid certificate exception when accessing the following URL: https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap
<?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE ServiceExceptionReport SYSTEM "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
<ServiceException>
msSLDApplySLDURL: WMS server error. Could not open SLD https://domain/cgi-bin//sld.xml<https://domain/cgi-bin/sld.xml> and save it in temporary file C:\Windows\TEMP\52f0d577_1380_0.sld.xml. Please make sure that the sld url is valid and that the temporary path is set. The temporary path can be defined for example by setting TMPPATH in the map file. Please check the MapServer documentation on temporary path settings.
msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl error code 60 (SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) for https://domain/cgi-bin//sld.xml<https://domain/cgi-bin/sld.xml>
</ServiceException>
</ServiceExceptionReport>
If curl is used separately it doesn't throw the certificate exception when used with the same curl-ca-bundle.crt file. This suggests that MapServer does not take into account CURL_CA_BUNDLE environment path and does not pass it to libcurl. But according to MapServer code<https://github.com/mapserver/mapserver/blob/7f3e75cbc277b19774dc7030b76b92985f9690c6/maphttp.c> it should check for CURL_CA_BUNDLE environment variable and if set use it for cURL. However this doesn't seem to be the case.
I even restarted my server for IIS process to pick up new environment variables: http://geographika.co.uk/reboot-to-refresh-environment-variables
Am I missing something?
Thanks,
Robertas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-users/attachments/20140206/8d1d9d95/attachment.htm>
    
    
More information about the MapServer-users
mailing list