Tiles server in https only

[routeconverter]

Is the certificate from here: https://www.tbs-certificates.co.uk/FAQ/e...tigna.html ?

[tybern]

Is the certificate from here: https://www.tbs-certificates.co.uk/FAQ/e...tigna.html ?

Hmmm... no, it seems it is not this one, not same signature...

I used this very cool app to update the cacerts file : https://keystore-explorer.org (just discovered it to do that, very very useful app !)

With it, I opened the cacerts file (standard password "changit"), and then :
Top menu > examine > examine TLS connection
Host TLS : wxs.ign.fr (443) > OK, kept the root CA (Certigna Services CA) : Import > OK

That's all...

Best regards

PS : I promise, in my future life, I'll become a Java developer to help you...  

[routeconverter]

I've just uploaded a new prerelease which on macOS contains a cacerts file where I've added the Certigna root certificate. And I've added the IGN map to the default maps.

Please test and report.

[tybern]

Hello

I've just uploaded a new prerelease which on macOS contains a cacerts file where I've added the Certigna root certificate. 

Yes, it works fine ! Thank you !

 And I've added the IGN map to the default maps.

Hmmm... I don't think it's a good idea... 
The used key (choisirgeoportail) is a test key, not secret, but normally, must be used only for test purpose (IGN said that in case of abuse with this key, they will suppress it...).
For my own usage, I have a private key. I gave you the test key because my private one's can works only on my macbook.
If somebody wants to access IGN maps for it's own usage, it must ask IGN for a private key (it is free till 2.000.000 tiles a year).

So, not sure it's a good idea to give access to IGN topo maps in your standard distribution. 
Surely IGN will ask you to remove it one day...

Best regards,

[routeconverter]

The used key (choisirgeoportail) is a test key, not secret, but normally, must be used only for test purpose (IGN said that in case of abuse with this key, they will suppress it...).

Deactivated it again

[CharlyRC]

Gutten Abend

A small update here on the IGN services.

I think since 2020 they change their access politics : It is now freely available.
This page says it : https://geoservices.ign.fr/services-web-essentiels (only in French I'm afraid)

Avec les URL prêtes à l'emploi ou avec la clé essentiels, accédez à nos principaux services web, de façon gratuite et sans inscription, dans votre site web ou dans l'application de votre choix.

In English :

With the ready-to-use URL or with the essentiels key, access our main web services, freely, without subscribtion, in your web site or application of yours.

Check the "geoservices" page above for technical details. If you need help for translation, I can do that at least (but no java coding, I'm a GIS user).

Thanks

Charly

[CharlyRC]

Gutten Tag

I was testing some https tile servers configurations, watching the protocols with fiddler software. Fiddler is not perfect since it cannot decode the https transaction (this is why https is implemented ).

I was surprise to see that all requests are using HTTP protocol, although on port 443 and using SSL, when other apps (such as ITNconv) are using HTTPS instead.

I also realize that some of the https tile servers configured are not functioning in RC.
The following servers fail to display tiles in RC :

• HikeBikeMap :
  Their SSL certificates is issued for wma.wmcloud.org and is used for tiles.wmcloud.org. This is not the same name, thus the problem.
  
  
• IGN :
  according to the previous messages in this topic the certification authority is not declared in the Java CACERT library. I extracted the CA from my Firefox browser, put it in the standard Windows certificates store => no improvement.
  Tried the same on a Linux machine (Mint/Ubuntu) : the Java CACERT is a symbolic link to the Linux CACERT, I added the Certigna CA as well => no improvement.
  

My recipe to install the certificate :

1. extract the "Certigna Root CA" certificate CRT file from your browser.
   
2. then run the following command (adapt the file path according to your system).
   under Windows (use a command line window with admin priviledge) : I identified that RC used JRE1.8 (in C:\Program Files\Java\jre-1.8) with cacerts in lib\security\cacerts under the JRE main directory.
   
   Code:

   Linux :
keytool -import -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias CertignaRootCA -file ./CertignaRootCA.crt
Windows :
C:\Program Files\Java\jre-1.8>bin\keytool.exe -import -keystore lib\security\cacerts -storepass changeit -alias CertignaRootCA -file C:\Downloads\CertignaRootCA.crt
   
   

I checked the JAVA cacerts to be sure I have the new certificate (note that the "Certigna" certificate is already there) :

Code:

echo 'changeit' | keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep 'Owner:'

(change the file path according to your system)

I have :
Owner: CN=Certigna, O=Dhimyotis, C=FR
Owner: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

But still no success on both Linux and Windows.

I also add this certificates in the OS keystores... but to no avail.


There must be something else. Is there a DEBUG MODE for RC ? In order to have verbose log file and the like ?

Vielen Grüssen

Charly
PS : I'll be off for the next 4 days, be back on monday evening...

[CharlyRC]

Additional note : the "basic" (no Root CA) Certigna certificate is already in the Java cacerts.

[routeconverter]

There must be something else. Is there a DEBUG MODE for RC ? In order to have verbose log file and the like ?

I'm starting RouteConverter in IntelliJ IDEA in Debug mode and put a breakpoint to TileServerMapSource#getTileUrl