-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GDAL/VSICURL certificate errors loading cloud optimized geotiffs over https via data source manager #27159
Comments
Author Name: Nick S (@nickrsan) From some further testing, looks like it's related to a long-ish standing CURL/GDAL bug on Windows: http://osgeo-org.1560.x6.nabble.com/gdal-dev-libcurl-and-the-certificates-and-Windows-td5322919.html has an overview, but there's discussion of the issue in relation to GDAL here (curl/curl#1538), including how the CURL_CA_BUNDLE environment variable will be deprecated and programs should find the bundle and pass it to curl themselves. It looks like there are some GDAL commits in response to find the bundle, maybe on the system PATH, so it's possible QGIS' copy of GDAL needs configuration (I'm not sure, getting out of my knowledge area here). In the meantime, if I set the CURL_CA_BUNDLE environment variable to point to an existing curl-ca-bundle.crt (in my case, the one that ships with R 3.4.0), everything works without turning off certificate verification. This solves the problem on my machine, but not the problem with the distribution. I'm not sure what QGIS' role here is, if it'd be possible to ship its own curl-ca-bundle.crt file and configure GDAL, but I'll leave this open both so others can find the solution and in case there's a role for QGIS in making VSICURL work within the application on Windows even if the upstream is broken. Thanks! |
Author Name: Giovanni Manghi (@gioman)
|
Had the same issue, not sure how I can create a workaround for this issue. Tried to set the proxy - but doesnt seem to effect the result and can not switch from https to http... |
Same issue here, when accessing data thru HTTPS protocol, using QGIS 3.8 compiled against GDAL 2.4.1 (OSGeo4W 64bits):
Using ' --config GDAL_HTTP_UNSAFESSL YES', solves the problem in the CLI, but not the access in QGIS.
This does not happen in QGIS on a Linux machine, compiled against GDAL 2.2.2, with the same dataset. The same in the CLI.
|
I can access the https://cld.pt/dl/download/43299142-3a39-40f1-b3d1-3248611c7ec4/S2B_20190907_Mosaico_Portugal_Continental_RGB_12_8_4_3763.tif According to this however: It does not seem to be a valid COGEOTiff. `Errors: The file is greater than 512xH or Wx512,but is not tiled |
This raster was just an example, that works ok in Linux and not in Windows. From what I read, I believed that this issue only affects Windows. But you could access my raster in Windows. Do you use QGIS from standalone installer or from OSGeo4W? Thank you very much! |
Thanks! I've set the custom environment variable and QGIS already loads layers from HTTPS servers without problems! However, disabling the certificate check is not the best option. Can this be solved in QGIS side? |
This seems to be fixed. QGIS version 3.4.13-Madeira |
I'm still seeing it in 3.8.1-Zanzibar on Windows 10 Enterprise 1903. Same VSICURL errors as before with a relatively new (and settings not modified) QGIS install. Installed via the dedicated installer. |
@glw |
It'll be fixed in the next point release standalone installers. If you use the package based osgeo4w installer, it is fixed now. |
Hi @nirvn I've just updated QGIS 3.10 nightly (OSGeo4W64) to
and this issue still persists. In what code revision should this be fixed? Thank you very much! |
It's not a problem in QGIS' code. |
Hi @jef-n It's related with the recent curl update in OSGeo4W? Should be fixed in some GDAL update? |
curl-ca-bundle package added to OSGeo4W. |
Perfect! Thanks @jef-n !! |
@jef-n , thanks for that follow up package work. |
@PedroVenancio , can you confirm that the issue is fixed on your system? |
Hi @nirvn , Yes, I confirm that it's fixed! |
@PedroVenancio , woupidou. |
can someone explain how in detail? |
Given that not all users of QGIS have permission to set their Windows environment variables, surely this should at least be a documented installation requirement, so that corporate IT teams set QGIS & all its dependencies up correctly? At present, with 3.16.17, I get a certificate error when trying to use the built-in MetaSearch plugin to access CSWs that run over HTTPS. There is no certificate problem on any of the CSWs - I can see that with a browser. I have no problem accessing a WFS, presumably because that does not use CURL. Just stating that it's not a QGIS problem prevents some users from using some functionality. QGIS has penetrated quite widely in the public sector, where it's quite rare for "ordinary GIS users" to have administrative rights on their corporate PCs. |
Author Name: Nick S (@nickrsan)
Original Redmine Issue: 19331
Affected QGIS version: 3.2
Redmine category:data_provider
Hey there
While testing the cloud-optimized geotiff support, I ran into problems with files hosted via HTTPS.
It can successfully load and display over HTTP, but not HTTPS. When loading over HTTPS, it gives errors like "CURL error: SSL certificate problem: unable to get local issuer certificate" and "CURL error: SSL certificate problem: self signed certificate in certificate chain" (two different servers/URLs for those errors). I've tried hosting the files on Box, Github, a server at my office and a server I run. All files could be accessed over HTTPS in chrome and firefox as standard downloads. When possible to load over standard HTTP, those files succeed in QGIS, but fail over HTTPS with the above errors.
The full error message that's most common is:
CRITICAL Invalid Layer : GDAL provider Cannot open GDAL dataset /vsicurl/https://raw.githubusercontent.com/ucd-cws/nitrates-cv/master/1945/Nharvest_actual.tif:
CURL error: SSL certificate problem: unable to get local issuer certificate
Raster layer Provider is not valid (provider: gdal, URI: /vsicurl/https://raw.githubusercontent.com/ucd-cws/nitrates-cv/master/1945/Nharvest_actual.tif
This happens on 3.2.0 on Windows 10 1803. When using Gdal 2.2.3 on Bash on Ubuntu on Windows, I can successfully use gdal_translate on the files over https, so it seems like a QGIS issue or an issue with QGIS specific to my machine - I've not yet been able to get someone else to try on a different machine. One of the files I'm using is here. It works via gdal_translate/VSICURL in Bash on Ubuntu on Windows but not in QGIS: https://github.com/ucd-cws/nitrates-cv/blob/master/1945/Nharvest_actual.tif?raw=true
A URL that allows access via HTTP and HTTPS where the behavior can also be seen to work over HTTP and not HTTPS is http://managedretreat.org/test/NgwDirect.tif
Related issue(s): #28557 (duplicates)
Redmine related issue(s): 20737
The text was updated successfully, but these errors were encountered: