Application / Switch to https #565

Closed
stephyritz opened this issue Nov 27, 2020 · 15 comments

Comments

@stephyritz

Switch Metawal to HTTPS and check that all interactions still work correctly: FME processes (DE), Géoportail synchronization, and INSPIRE harvesting.

@stephyritz stephyritz added this to the Future release milestone Nov 27, 2020
@stephyritz stephyritz changed the title Application / Switch to http Application / Switch to https Nov 27, 2020
@vbombaerts vbombaerts modified the milestones: Future release, 4.0.3 Apr 8, 2021
@fxprunayre

Here the work has to be done on the web server side (DTIC?). Then go to admin > settings and change the protocol to 443 / HTTPS by default (instead of 80).

@vbombaerts

@davinciagf Can you draft a request for me that I will forward to the DTIC in a ticket, please?

@vbombaerts

The ticket has been submitted. I am waiting for the DTIC's response.

@vbombaerts

Metawal test is on HTTPS. Its operation needs to be validated.

@fxprunayre

fxprunayre commented May 27, 2021

It would be good to have a redirect for all requests http://metawal4.test.wallonie.be/.* > https://metawal4.test.wallonie.be/.*. To be done on the web server side.

I adapted the config.

Next, all the URLs in the records will need to be updated.

There are certificate problems: https://metawal4.test.wallonie.be/geonetwork/warninghealthcheck


    "name": "DashboardAppHealthCheck",
    "status": "ERROR",
    "msg": "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "exception": "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)\n\tat sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)\n\tat sun.security.ssl.Handshaker.fatalSE(Handshaker.j

@davinciagf davinciagf mentioned this issue May 27, 2021
@vbombaerts

@davinciagf Let me know when it is stabilized on the Metawal side. I can then ask colleagues to check whether they have any malfunctions (Géoportail, FME, ...)

@davinciagf

Synchronization problem encountered on the Geoportail side (see email exchange) - fix by the DTIC (certificate validation problem?). To be validated.

@vbombaerts

vbombaerts commented Jul 1, 2021

Certificate installed.
For now, Metawal remains accessible over HTTP and HTTPS without redirection.

@vbombaerts

Error when attempting to harvest prod from valid over HTTPS:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here is the log:

2021-07-26T09:35:29,161+0200 INFO  [Prod] - Starting harvesting of Prod
2021-07-26T09:35:29,183+0200 INFO  [Prod] - Started harvesting from node : Prod (CswHarvester)
2021-07-26T09:35:29,227+0200 WARN  [Prod] - Raised exception while harvesting from : Prod (CswHarvester)
2021-07-26T09:35:29,227+0200 WARN  [Prod] -  (C) Class   : SSLHandshakeException
2021-07-26T09:35:29,227+0200 WARN  [Prod] -  (C) Message : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2021-07-26T09:35:29,227+0200 ERROR [Prod] - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:191)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:390)
	at org.fao.geonet.utils.GeonetHttpRequestFactory$3.upgrade(GeonetHttpRequestFactory.java:226)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:428)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.fao.geonet.utils.GeonetHttpRequestFactory.execute(GeonetHttpRequestFactory.java:182)
	at org.fao.geonet.utils.AbstractHttpRequest.doExecute(AbstractHttpRequest.java:243)
	at org.fao.geonet.utils.XmlRequest.executeAndReadResponse(XmlRequest.java:118)
	at org.fao.geonet.utils.XmlRequest.execute(XmlRequest.java:85)
	at org.fao.geonet.kernel.harvest.harvester.csw.Harvester.retrieveCapabilities(Harvester.java:183)
	at org.fao.geonet.kernel.harvest.harvester.csw.Harvester.harvest(Harvester.java:109)
	at org.fao.geonet.kernel.harvest.harvester.csw.CswHarvester.doHarvest(CswHarvester.java:85)
	at org.fao.geonet.kernel.harvest.harvester.AbstractHarvester$HarvestWithIndexProcessor.process(AbstractHarvester.java:605)
	at org.fao.geonet.kernel.harvest.harvester.AbstractHarvester.harvest(AbstractHarvester.java:676)
	at org.fao.geonet.kernel.harvest.harvester.HarvesterJob.execute(HarvesterJob.java:69)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
	... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 36 more

@vbombaerts

Same for harvesting valid from test.

@davinciagf

davinciagf commented Sep 24, 2021

Shouldn't the certificate be copied into Java's keystore?

Something like:

    keytool -trustcacerts -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>

List of certificates:

    keytool -list -trustcacerts -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit

Deleting a certificate:

    keytool -delete -alias <alias_name> -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit

@davinciagf davinciagf assigned fxprunayre and unassigned vbombaerts Sep 24, 2021
@vbombaerts

It's not impossible. Can you sort this out with the DTIC, please?

@davinciagf

Didier added the certificates. To be checked whether it's OK.

@vbombaerts

A script also needs to be planned to switch all http://metawal addresses to https://metawal

@davinciagf

UPDATE metadata SET data = replace(data, 'http://metawal.wallonie.be/', 'https://metawal.wallonie.be/') WHERE data LIKE '%http://metawal.wallonie.be/%';
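
Checking what the literal replacement leaves behind, as an added example that is not part of the thread: the UPDATE rewrites only the exact prefix `http://metawal.wallonie.be/`, while the request was for all `http://metawal` addresses. The class name, record ids and sample XML are constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class LeftoverHttpLinks {
    // Any cleartext URL whose host starts with "metawal", as requested in the thread.
    static final Pattern HTTP_METAWAL = Pattern.compile(
        "http://metawal[A-Za-z0-9.-]*(?::\\d+)?[^\\s\"'<>]*", Pattern.CASE_INSENSITIVE);

    // Same literal substitution as the UPDATE statement above.
    static String migrate(String data) {
        return data.replace("http://metawal.wallonie.be/", "https://metawal.wallonie.be/");
    }

    // Cleartext metawal URLs still present in a record.
    static List<String> leftovers(String data) {
        List<String> found = new ArrayList<>();
        Matcher m = HTTP_METAWAL.matcher(data);
        while (m.find()) found.add(m.group());
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample records, not taken from the Metawal database.
        Map<String, String> records = new LinkedHashMap<>();
        records.put("rec-1", "<gmd:URL>http://metawal.wallonie.be/geonetwork/srv/api/records/abc</gmd:URL>");
        records.put("rec-2", "<gmd:URL>http://metawal.wallonie.be</gmd:URL>");            // no trailing slash
        records.put("rec-3", "<gmd:URL>http://metawal4.test.wallonie.be/geonetwork/</gmd:URL>"); // other host
        records.put("rec-4", "<gmd:URL>http://metawal.wallonie.be:80/geonetwork/</gmd:URL>");    // explicit port
        for (Map.Entry<String, String> r : records.entrySet()) {
            List<String> left = leftovers(migrate(r.getValue()));
            System.out.println(r.getKey() + (left.isEmpty() ? ": migrated" : ": still cleartext " + left));
        }
    }
}
```

Only `rec-1` is migrated; the other three keep their `http://` links and would need their own replacement rules.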
