QGIS Server lost the ability to cascade WMS layers published using HTTPS

[qgib]

Author Name: Giovanni Manghi (@gioman)
Original Redmine Issue: 16462
Affected QGIS version: 2.18.17
Redmine category:qgis_server

---

At some point (likely in qgis 2.14 point release) QGIS projects containing an external WMS layer (possibly affected also WFS) published using HTTPS stopped to cascade correctly that layers when publishing the project with QGIS Server.

I tested the bug using the latest available versions of QGIS server 2.14 and 2.18, while using a QGIS Server 2.8.8 instance it works ok.

---

• bug_16462.qgs (Alessandro Pasotti)
• tirol_getlegendgraphics_master.png (René-Luc ReLuc)
• tirol_getmap_218.png (René-Luc ReLuc)
• tirol_getmap_214.png (René-Luc ReLuc)
• tirol_getmap_master.png (René-Luc ReLuc)

---

Related issue(s): #25847 (duplicates)
Redmine related issue(s): 17951

---

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• subject was changed from QGIS Server lost the hability to cascade WMS layers published using HTTPS to QGIS Server lost the ability to cascade WMS layers published using HTTPS

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• version was changed from 2.18.5 to 2.18.6

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

I can't pinpoint when this exactly happened by my guess is still sometime along the 2.14.* releases. I had services based in qgis-server 2.14 that did the cascading of other wms/https services correctly.

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• description was changed from At some point (likely in qgis 2.14 point release) QGIS projects containing an external WMS layer (possibly affected also WFS) published using HTTPS stopped to cascade correctly that layers when publishing the project with QGIS Server.

I tested the bug using the latest available versions of QGIS server 2.14 and 2.18, while using a QGIS Server 2.8.8 instance it works ok. to At some point (likely in qgis 2.14 point release) QGIS projects containing an external WMS layer (possibly affected also WFS) published using HTTPS stopped to cascade correctly that layers when publishing the project with QGIS Server.

I tested the bug using the latest available versions of QGIS server 2.14 and 2.18, while using a QGIS Server 2.8.8 instance it works ok.

• version was changed from 2.18.6 to 2.18.7

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• regression was configured as 1

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• priority_id was changed from Severe/Regression to High

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• easy_fix was configured as 0

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

• assigned_to_id was configured as Alessandro Pasotti

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

What does exactly mean "stopped to cascade correctly"?

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

I could not reproduce this neither on master or in 2.18.x.

Please attach a project that shows the issue (see my test project attached: all layers in the project are cascaded WMS on https ).

---

• 11771 was configured as bug_16462.qgs
• status_id was changed from Open to Feedback

---

• bug_16462.qgs (Alessandro Pasotti)

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

I have tested this URL https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer
The GetCapabilities it's OK but the GetLegendGraphic doesn't provide the same image.

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

No issue with master, issue with 2.18

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

Renè, do I understand right that the issue is only with the cascading GetLegendGraphic not being tranferred/copied/merged?
To be honest I've never used cascading WMS, but I'd be surprised if that was working: what would be the outcome when you ask a legend with multiple layers coming from cascading and not-cascading layers?
Do we have any logic to merge the QGIS-Server-generated image with the one coming from the cascading service?

Can you please attach a sample project and sample calls that are supposed to work and do not?

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

Firstly, I can't use the project you provide.

For the Request MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities
I have the result:

<ServerException>Project file error</ServerException>

And this log:

fcgi query string:  "MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities"
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] ******************** New request ***************
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REMOTE_ADDR: 127.0.0.1
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] MAP:/tmp/bug_16462.qgs
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REQUEST:GetCapabilities
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] SERVICE:WMS
src/server/qgsserver.cpp: 176: (configPath) [0ms] MAP:/tmp/bug_16462.qgs
"Sent 1 blocks of 54 bytes"
src/core/qgsmessagelog.cpp: 27: (logMessage) [5ms] 2017-11-30T12:45:02 Server[0] Request finished in 5 ms

I use this apache vhost:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
        ServerName qgis-server.localhost
        ServerAlias qgis-server.localhost
	DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/qgis-server-error.log
        CustomLog ${APACHE_LOG_DIR}/qgis-server-access.log combined

        # Longer timeout for WPS... default = 40
        FcgidIOTimeout 120 
	FcgidInitialEnv DISPLAY ":99"
        FcgidInitialEnv LC_ALL "en_US.UTF-8"
        FcgidInitialEnv PYTHONIOENCODING UTF-8
        FcgidInitialEnv LANG "en_US.UTF-8"
        #FcgidInitialEnv QGIS_LOG_FILE /tmp/qgis.log
        #FcgidInitialEnv QGIS_DEBUG_FILE /tmp/qgis-debug.log
        FcgidInitialEnv QGIS_DEBUG 1
        FcgidInitialEnv QGIS_SERVER_LOG_FILE /tmp/qgis-server.log
        FcgidInitialEnv QGIS_SERVER_LOG_LEVEL 0
        #FcgidInitialEnv QGIS_PLUGINPATH "/home/dhont/.qgis2/python/plugins"
        FcgidInitialEnv HOME "/tmp"

        # ABP: needed for QGIS HelloServer plugin HTTP BASIC auth
        <IfModule mod_fcgid.c>
            RewriteEngine on
            RewriteCond %{HTTP:Authorization} .
            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        </IfModule>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride All
            Options +ExecCGI -MultiViews +FollowSymLinks
            Require all granted
            #Allow from all
        </Directory>

</VirtualHost>

I have build the server the 30th november 2017

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

So i have created a project with the layer Image_Aktuell_RGB from this WMS service https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer and a vector layer (SHP).

I have tested this project with:

• QGIS 2.14
• QGIS 2.18
• QGIS master 30th november
  I have tested 3 request:
• GetCapabilities SERVICE=WMS&Request=GetCapabilities
• GetLegendGraphics SERVICE=WMS&VERSION=1.3.0&REQUEST=GetLegendGraphic&LAYER=Image_Aktuell_RGB&FORMAT=image/png&STYLE=default&SLD_VERSION=1.1.0

I can't really help more, I have lost the logs files.

• GetMap LAYERS=Image_Aktuell_RGB&STYLES=default&CRS=EPSG%3A31254&FORMAT=image%2Fpng&TRANSPARENT=true&EXCEPTIONS=application%2Fvnd.ogc.se_inimage&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG%3A31254&BBOX=931.9853487034507,261926.27369830207,17957.956900646554,267151.80498269794&WIDTH=1287&HEIGHT=395

The result is :

• for GetLegendGraphics, the image provided by all QGIS Server gives only the layer name
• for GetMap, 2.14 and master provides the image, 2.18 provides a blank image.

---

• 11787 was configured as tirol_getmap_214.png
• 11788 was configured as tirol_getmap_master.png
• 11786 was configured as tirol_getmap_218.png
• 11785 was configured as tirol_getlegendgraphics_master.png

---

• tirol_getmap_214.png (René-Luc ReLuc)
• tirol_getmap_master.png (René-Luc ReLuc)
• tirol_getmap_218.png (René-Luc ReLuc)
• tirol_getlegendgraphics_master.png (René-Luc ReLuc)

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

Thanks for your tests René, from the results we can conclude that:

• this ticket title must be changed to "QGIS Server returns a blank image with GetImage on a WMS Cascading layer"
• we should file a separate issue type "Feature request" for composing the the legend from the cascading server (which as I suspected it was never implemented and it is not a trivial task).

I'm focusing mainly on master at this time, so I'll pass this bug over because it does not affect master.

---

• assigned_to_id removed Alessandro Pasotti
• subject was changed from QGIS Server lost the ability to cascade WMS layers published using HTTPS to QGIS Server returns a blank image with GetImage on a WMS Cascading layer
• status_id was changed from Feedback to Open

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

I'm changing back the description to the original one after having chatted with Alessandro and having provided a clear example (which I cannot share here) that shows that the issue is cascading from a service which uses https (the same service/maps cascaded using http behave as expected).

---

• subject was changed from QGIS Server returns a blank image with GetImage on a WMS Cascading layer to QGIS Server lost the ability to cascade WMS layers published using HTTPS
• version was changed from 2.18.7 to 2.18.15

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

Does some one has any clue to fix it ?

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

• version was changed from 2.18.15 to 2.18.17

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

I have tested the futur 2.18.18 and I can't reproduced the issue.

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

I have found this error message:

Download of capabilities failed: SSL handshake failed

Is it possible to explicitly ignore SSL errors ?

The issue is also available for XYZ layers.

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

maybe: it's possible but it must be done for each certificate verification failure by adding a custom SSL configuration to the authentication DB, this is what normally happens in QGIS desktop when you encounter such an error.

What happens normally is that when the connection fails due to an SSL error, a dialog pops up asking if you want to ignore the error and/or store the exception permanently (more or less what happens in a normal browser), if you ignore the exception permanently this information is stored in the authentication DB.

So: it is not currently possible from the server. Btw, I agree that it might be a useful implementation, even if you should normally be careful to accept insecure connections.

[qgib]

Author Name: Alessandro Pasotti (@elpaso)

---

• duplicated was configured as QGIS Server lost (most of the times) the ability to cascade WFS layers #25847

[qgib]

Author Name: Anne Blankert (Anne Blankert)

---

I am having the same problem: SSL handshake failed (QGIS server 2.18.19, Ubuntu 16.04). Example WMS service https://geodata.nationaalgeoregister.nl/bag/ows

Other software on the Ubuntu machine running QGIS server is able to connect to the same remote HTTPS WMS server without problems. Also QGIS Desktop can connect to the HTTPS WMS server without problems.

Maybe QGIS server does not know where to look for CA-certificates? If QGIS server can't validate the HTTPS server certificate, it may abort with an SSL handshake error?

I tried to set in the Apache configuration:
FcgidInitialEnv REQUESTS_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
FcgidInitialEnv SSL_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"
also tried:
FcgidInitialEnv SSL_CERT_DIR "/etc/ssl/certs"

restarted Apache, but same result:
SSL handshake failed

[qgib]

Author Name: René-Luc ReLuc (@rldhont)

---

To fix this issue, you have to add HOME environmental variable to a directory in which the directory .qgis2 is writable for the user used by QGIS Server, with Apache2, it's www-data.

For exemple, do these commands:

mkdir /srv/qgis/.qgis2
chown www-data:www-data /srv/qgis/.qgis2
chmod 774 /srv/qgis/.qgis2

And add this in your apache virtual host:

FcgidInitialEnv HOME "/srv/qgis"

[qgib]

Author Name: Giovanni Manghi (@gioman)

---

duplicate of #25847

---

• status_id was changed from Open to Closed
• resolution was changed from to duplicate