Discussion:
[Geoserver-users] GeoFence https certificates
Fabio
2017-05-08 16:07:26 UTC
Hi,
we're testing the adoption of standalone GeoFence (3.3.0) in order to
manage security of our GeoServers.
Problem is that when I try to register our GeoServer instance, an error
is thrown when "Test" button is pressed. Setting logs to debug, I can
see the attached error.
Our GeoServer (v 2.10) is hosted on a tomcat7 behind an nginx proxy, and
https->https redirection is in place. The certificate is a Let's Encrypt one.

GeoFence runs on a tomcat7, java version "1.8.0_121".

I tested the same code (copied getURL from
https://github.com/geoserver/geofence/blob/v3.3.0/src/gui/core/plugin/userui/src/main/java/org/geoserver/geofence/gui/server/service/impl/InstancesManagerServiceImpl.java)
in another webapp I created and deployed on the same tomcat7 of
GeoFence, and the output seems correctly retrieved. These are the
parameters:

URL
https://geoserver1-spatial-dev.d4science.org/geoserver/rest/geofence/info
USER admin
PWD geoserver

Since the JRE seems to recognize the certificate (my test successfully
connects and retrieves content), my guess is that some other configuration
might be needed.

Thanks a lot for your help,
Fabio Sinibaldi
--
--- --- --- ---
Fabio Sinibaldi
CNR Istituto di Scienza e Tecnologie dell' Informazione A. Faedo
Area della Ricerca CNR
InfraScience Group http://nemis.isti.cnr.it/groups/infrascience
Via G. Moruzzi, 1 – 56124 Pisa, Italy

Skype fabioisti
https://it.linkedin.com/in/fabio-sinibaldi-18779a18
--- --- --- ---
Christian Mueller
2017-05-09 08:01:17 UTC
Hi Fabio

I am wondering why you have an https-->https configuration. Normally, your
nginx proxy should handle SSL, no need for SSL for the backend service.
https-->http should be sufficient.

Second, do you use a self-signed certificate? If you do, you have to add
your certificate into JRE_HOME/lib/security/cacerts

Cheers
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
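
An added example, not part of the thread and not GeoFence code: a small Java check of which trust store the JVM's default TLS trust manager is using (the cacerts file named above, unless `javax.net.ssl.trustStore` overrides it) and whether it contains a given CA. The class name `TrustStoreCheck` and the search-string argument are assumptions; run it with the same JRE and `-D` options as the Tomcat that hosts GeoFence.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper: lists what the JVM's default trust manager accepts.
public class TrustStoreCheck {

    /** Trust anchors accepted by the JVM default X509TrustManager. */
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        // null selects the default store: javax.net.ssl.trustStore if set,
        // else <java.home>/lib/security/jssecacerts, else .../cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: part of the CA name to look for (assumption).
        String needle = args.length > 0 ? args[0].toLowerCase() : "";

        System.out.println("java.home                = "
                + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore",
                                     "(unset, JRE default store)"));

        X509Certificate[] anchors = defaultAnchors();
        System.out.println("trust anchors loaded     = " + anchors.length);

        int hits = 0;
        for (X509Certificate c : anchors) {
            String dn = c.getSubjectX500Principal().getName();
            if (!needle.isEmpty() && dn.toLowerCase().contains(needle)) {
                System.out.println("match: " + dn
                        + " (valid until " + c.getNotAfter() + ")");
                hits++;
            }
        }
        if (!needle.isEmpty() && hits == 0) {
            System.out.println("no trust anchor matches \"" + needle + "\"");
        }
    }
}
```

A differing `java.home` or `javax.net.ssl.trustStore` between two runs means the two JVMs are not validating against the same store.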
Fabio
2017-05-09 08:53:46 UTC
Hi Christian,

thanks for replying. Yes, there was a typo in that mail, sorry about
that. We redirect internally on http, but we force redirect of
http->https of external inbound calls in order to force them to be over
https.

About the certificate, it's a Let's Encrypt one
(https://letsencrypt.org/) and, as I tested, it is recognized by the JVM
(the same code run on the same tomcat instance in a different webapp
correctly retrieves the output).


Fabio
--
--- --- --- ---
Fabio Sinibaldi
CNR Istituto di Scienza e Tecnologie dell' Informazione A. Faedo
Area della Ricerca CNR
InfraScience Group http://nemis.isti.cnr.it/groups/infrascience
Via G. Moruzzi, 1 – 56124 Pisa, Italy

Skype fabioisti
https://it.linkedin.com/in/fabio-sinibaldi-18779a18
--- --- --- ---