Tiles server in https only

[tybern]

Hello,

And first, Happy New Year !

Well... I have a new problem with a tiles server, which since a few days accepts only requests to "https" address now.
So, I have a userservers.xml file, which works fine previously, I changed "http" for "https" in URLs, but it don't works...

My question : is RC works with SSL/TLS only tiles servers ? And where to put certificates if needed ?

Best regards

[routeconverter]

Well... I have a new problem with a tiles server, which since a few days accepts only requests to "https" address now.
So, I have a userservers.xml file, which works fine previously, I changed "http" for "https" in URLs, but it don't works...

Please give an example. In the past I had to change a lot of tile server protocols to https since they don't support http anymore and there are problems with redirects from http to https.

My question : is RC works with SSL/TLS only tiles servers ?

Not that I'm aware of.

And where to put certificates if needed ?

The CA root certificates should be part of the Java VM already.

[tybern]

Please give an example. In the past I had to change a lot of tile server protocols to https since they don't support http anymore and there are problems with redirects from http to https.

 
So, here is one :

Code:

<mapServer id="IGN Topo" name="IGN Topo 25" minZoom="2" maxZoom="18">
    <host>wxs.ign.fr</host>
    <urlPattern>https://#{host}/choisirgeoportail/wmts?SERVICE=WMTS&amp;VERSION=1.0.0&amp;REQUEST=GetTile&amp;LAYER=GEOGRAPHICALGRIDSYSTEMS.MAPS&amp;STYLE=normal&amp;FORMAT=image/jpeg&amp;TILEMATRIXSET=PM&amp;TILEMATRIX=#{zoom}&amp;TILEROW=#{tiley}&amp;TILECOL=#{tilex}.jpg</urlPattern>
    <copyright>IGN</copyright>
</mapServer>

Any idea to solve the problem ?

[routeconverter]

Any idea to solve the problem ?

Correct the URL pattern. Your example makes requests to

https://wxs.ign.fr/choisirgeoportail/wmt...L=8641.jpg

and the server there answers

Code:

<ExceptionReport xmlns="http://www.opengis.net/ows/1.1">
<Exception exceptionCode="Not Found"> Aucune donnée </Exception>
</ExceptionReport>

[routeconverter]

When I go to

https://www.geoportail.gouv.fr/carte

then the tiles are downloaded from

https://wxs.ign.fr/an7nvfzojv5wa96dsga5n...&TileRow=2

And that an7nvfzojv5wa96dsga5nk8w seems to be a key. Looks like they took some measures that URLs cannot be calculated that easily...

[tybern]

"Correct the URL pattern. Your example makes requests to"

But it works beforer... excepts the "s" of https...

"And that an7nvfzojv5wa96dsga5nk8w"

It is the key for the Geoportail site.
The key "choisirgeoportail" I used is a test key, valid !

And I'm using two other apps which works fine with same access (MOBAC and Locus Map) : the problem is for me only with RC, and only since the tile server works only in https.

[tybern]

So, some tests :

Here is the xml code for this test :

Code:

<mapServer id="IGN Test" name="IGN Test" minZoom="2" maxZoom="18">
<urlPattern>http://wxs.ign.fr/choisirgeoportail/wmts?REQUEST=GetTile&amp;SERVICE=WMTS&amp;VERSION=1.0.0&amp;TILEMATRIXSET=PM&amp;LAYER=GEOGRAPHICALGRIDSYSTEMS.MAPS&amp;STYLE=normal&amp;FORMAT=image/jpeg&amp;TILECOL=#{tilex}&amp;TILEROW=#{tiley}&amp;TILEMATRIX=#{zoom}</urlPattern>
<copyright>IGN</copyright>
</mapServer>

And here is an IP analyzer (Wireshark) capture (request and response) :

Code:

GET /choisirgeoportail/wmts?REQUEST=GetTile&SERVICE=WMTS&VERSION=1.0.0&TILEMATRIXSET=PM&LAYER=GEOGRAPHICALGRIDSYSTEMS.MAPS&STYLE=normal&FORMAT=image/jpeg&TILECOL=4125&TILEROW=2821&TILEMATRIX=13 HTTP/1.1
User-Agent: RouteConverter Map Client/2.27
Host: wxs.ign.fr
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://wxs.ign.fr/choisirgeoportail/wmts?REQUEST=GetTile&SERVICE=WMTS&VERSION=1.0.0&TILEMATRIXSET=PM&LAYER=GEOGRAPHICALGRIDSYSTEMS.MAPS&STYLE=normal&FORMAT=image/jpeg&TILECOL=4125&TILEROW=2821&TILEMATRIX=13

The request is not satisfied, because done in "http", and an http-301 is returned. 
RC don't display anything.
If I enter the new location in my Web browser, it works.

If I replace "http" by "https" in the XML code, it don't works in RC.
But unable to log IP stream, it is cyphered now...

So, for me, it's a problem in RC and because of SSL only connection.

Best regards

[tybern]

Me again...

Here is a thread about this problem with IGN in MOBAC forum :

https://sourceforge.net/p/mobac/forum/ge...#32da/84ba

The problem is that the root CA is not in the trust store of Java Run Time.
There is a workaround proposed in this thread, but don't know if it is transposable to RC, and if yes, how to proceed...

Best regards

[tybern]

My progress...

The root CA needed by IGN certificate is "Certigna", which is not present in Java JRE cacerts.

I've included the root CA certificate of Certigna in Java cacerts.

If I run RouteConverter for macOS, it don't works again...
BUT, if in run Linux version of RC under macOS (with java -jar RouteConverterLinux.jar), it works !

So, I supposed is it because the cacerts used by RouteConverterMacOpenSource.app is in app, not in /Library/... and yes, it is.

I imported the Certigna root CA certificate in the cacerts file included in the app, and...
 ... it works now !

So the conclusion : it is necessary and sufficient to import the Certigna root CA certificate in the trust store of the Java JRE.
For the macOS version, the trust store is included in app, so, I can do it only "manually", but I'm sure you can do it definitively for me ... ! 

Best regards

[routeconverter]

If I run RouteConverter for macOS, it don't works again...
BUT, if in run Linux version of RC under macOS (with java -jar RouteConverterLinux.jar), it works !

Great!

So, I supposed is it because the cacerts used by RouteConverterMacOpenSource.app is in app, not in /Library/... and yes, it is.

You're right. The old applauncher approach didn't work with macOS 10.14 and later, so I've switch to a new one based on jpackage which means the RouteConverterMacOpenSource.app contains a prerelease of JRE 14.

I imported the Certigna root CA certificate in the cacerts file included in the app, and...
 ... it works now !

How do you do that? Could you provide all the necessary files and command lines?

So the conclusion : it is necessary and sufficient to import the Certigna root CA certificate in the trust store of the Java JRE.
For the macOS version, the trust store is included in app, so, I can do it only "manually", but I'm sure you can do it definitively for me ... ! 

I'll try if you make it easy for me ;-)