Opened 14 years ago

Closed 12 years ago

#3070 closed defect (fixed)

Set up MapServer as a client to access a secure WMS/WFS server

Reported by: nsavard Owned by: jmckenna
Priority: normal Milestone: 5.6 release
Component: Documentation - MapServer Version: 5.4
Severity: normal Keywords: wms, wfs, secure connection, client, server, ssl, curl
Cc: jmckenna, dmorissette, havatv

Description (last modified by dmorissette)

This ticket is about documenting the steps to set up MapServer as a client to access a remote WXS server over https. This information could be added to the relevant documentation section.

Change History (3)

comment:1 by dmorissette, 14 years ago

Description: modified (diff)
Summary: Client set up to access a secure WXS serverClient set up to access a secure WXS server with MapServer

comment:2 by nsavard, 14 years ago

Summary: Client set up to access a secure WXS server with MapServerSet up MapServer as a client to access a secure WMS/WFS server

The text below could be seen as a draft to the documentation on how to set up MapServer as a client to access a WMS/WFS server through a secure SSL connection using the HTTPS protocole. It describes the common errors a user could be confronted to and what are the solutions to them.

It is the editor's responsibilities to present this documentation in the best format proper to be published for user understanding.

INTRODUCTION

The following documentation is to explain how to set up MapServer as a client to access a WMS/WFS server through a secure SSL connection using the HTTPS protocole. It describes the common errors a user could met and what are the solutions to them.

REQUIREMENTS

MapServer 5.4.1 and up, compiled with Curl, Curl must be built with SSL support

STANDARD INSTALLATION (with apt-get install, rpm, manual, etc)

The Curl CA bundle file should be located in the standard directory.

Verify your connection with the Curl command line: curl https://targethostname:port/gmap-demo/gmap75.phtml

Edit your map file to add the WMS connection URL for example: 

 CONNECTION "https://domainname:port/cgi-bin/mapserv?map=/path/to/gmap/htdocs/gmap75_wms.map"
 CONNECTIONTYPE WMS

If the layer is displayed correctly you do not need to read further on.

NONE STANDARD INSTALLATION (commonly within ms4w and fgs)

If you got the following error it means that your CA bundle is not found. It may be caused by the CURL_CA_BUNDLE environment variable pointing out to the wrong location or the CA bundle file not beeing present. Follow the steps below to correct either case. 

curl https://localhost:port/gmap-demo/gmap75.phtml
curl: (77) error setting certificate verify locations:
 CAfile: /home/nsavard/fgsfull/share/curl/cacert.pem
 CApath: none

Set the CURL_CA_BUNDLE environment variable to point out to the bundle file (e.g. export CURL_CA_BUNDLE=/path/to/my-ca-bundle.ext where my-ca-bundle.ext could be cacert.pem or ca-bundle.crt)

Download the CA bundle file "cacert.pem" found at http://curl.haxx.se/docs/caextract.html or if you have the Curl source you could create the CA bundle by executing "make ca-bundle" or "make ca-firefox" (if you have Firefox and the certutil tool installed). If you used the second choice, the bundle file will be named ca-bundle.crt and will be found in the lib directory under Curl root directory. See http://curl.haxx.se/docs/caextract.html for more details. Store this file in the location pointed out by URL_CA_BUNDLE environment variable.

Verify your connection with the Curl command line: 

curl https://targethostname:port/gmap-demo/gmap75.phtml

Note:

If you use ms4w, osgeo4w or fgs installation, these installers are taking care of this problem for you.

REMOTE SERVER WITH A SELF-SIGNED SSL CERTIFICATE

If you got the following error it means that your remote server is probably a self-signed SSL certificate and the server certificate is not included in your CA bundle file. 

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

To get the remote server certificate you have to execute this command: 

openssl s_client -connect domainname:port

Copy all from "-----BEGIN CERTIFICATE-----" tag to "-----END CERTIFICATE-----" tag. Paste it at the end of the my-ca-bundle.ext file.

Verify your connection with the Curl command line: 

curl https://targethostname:port/gmap-demo/gmap75.phtml

NOTE:

If you got the following error, it means that the domain name in the URL request is not corresponding to the one that was declared when creating the remote server certificate. 

curl: (51) SSL: certificate subject name 'domainname' does not match target host name 'domainname'

You have to use the exact same domain name as the one appearing in the "Common Name" prompt used when generating the remote server certificate. You cannot use the remote server ip for instance. It means that the following URL is not acceptable. 

   CONNECTION
   "https://xxx.xxx.xxx.xxx:port/cgi-bin/mapserv?map=/path/to/gmap/htdocs/gmap75_wms.map"
   CONNECTIONTYPE WMS

comment:3 by havatv, 12 years ago

Cc: havatv added
Resolution: fixed
Status: newclosed

Added (en/ogc/wxs_secure http://www.mapserver.org/ogc/wxs_secure.html) to trunk and 6.0 documentation in r12522. I don't have access to services over https, so it would be great if someone could test.

Note: See TracTickets for help on using tickets.