Hi,

Try to study one problem at a time. You wrote:
"This suggests that MapServer does not take into account CURL_CA_BUNDLE 
environment path and does not pass it to libcurl".
That's not accurate, so far you only know
"This suggests that MapServer does not take into account CURL_CA_BUNDLE 
environment path and does not pass it to libcurl when MS is run as fast-cgi on 
IIS and it tries to read a remote SLD file ".

I would install ms4w with ca-bundle in a known place and test whether it is 
possible to use the SLD via CGI. If it works I would know that it is possible. 
Next I would try with FastCGI. If it still works I would know that I only 
need to make it work with IIS. Myself, I have only struggled with self-signed 
certificates when cascading WMS servers. I know how to make that work, but I 
would not blindly trust that SLDs behave in a similar way; I would make a 
quick test first.

-Jukka Rahkonen-



From: [email protected] [mailto:[email protected]]
Sent: 6 February 2014 10:54
To: Rahkonen Jukka (Tike); [email protected]
Subject: RE: [mapserver-users] Make MapServer trust self-signed certificate on 
Windows

Thanks Jukka, but we are using IIS 7.5 server and MapServer runs through 
FastCGI.

Robertas

From: Rahkonen Jukka (Tike) [mailto:[email protected]]
Sent: Thursday, February 06, 2014 10:13 AM
To: Robertas Kerpys; '[email protected]'
Subject: Re: [mapserver-users] Make MapServer trust self-signed certificate on 
Windows

Hi,

I seem to have this setting done in Apache's httpd.conf file as
SetEnv CURL_CA_BUNDLE "d:/Program Files/ms4w/Apache/conf/ca-bundle/cacert.pem"

Check if that works better, or if there happens to be a line already overriding 
your system wide setting.

-Jukka Rahkonen-


[email protected] wrote:


Hi Folks,



I want to access MapServer SLD resource via secure connection. I've set up SSL 
on IIS for my web site successfully using a self-signed certificate. Then I 
added self-signed certificate into a curl-ca-bundle.crt certificate file and 
set CURL_CA_BUNDLE system level environment variable pointing to 
curl-ca-bundle.crt file.

Aforementioned steps are covered in the following resources:

* How to set up MapServer as a client to access a service over https: 
  http://mapserver.org/ogc/wxs_secure.html

* MapServer with OpenSSL support: 
  http://blog.gisinternals.com/2010/12/daily-built-binary-packages-for.html



Unfortunately this configuration does not work and curl throws invalid 
certificate exception when accessing the following URL: 
https://domain/cgi-bin/mapserv.exe?map=name1.map&LAYERS=SPECIFICLAYER&TRANSPARENT=TRUE&SLD=https%3A%2F%2Fdomain%2Fcgi-bin%2F%2Fsld.xml&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap

<?xml version='1.0' encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE ServiceExceptionReport SYSTEM "http://schemas.opengis.net/wms/1.1.1/exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
<ServiceException>
msSLDApplySLDURL: WMS server error. Could not open SLD 
https://domain/cgi-bin//sld.xml and save it in 
temporary file C:\Windows\TEMP\52f0d577_1380_0.sld.xml. Please make sure that 
the sld url is valid and that the temporary path is set. The temporary path can 
be defined for example by setting TMPPATH in the map file. Please check the 
MapServer documentation on temporary path settings.
msHTTPExecuteRequests(): HTTP request error. HTTP: request failed with curl 
error code 60 (SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed) for https://domain/cgi-bin//sld.xml
</ServiceException>
</ServiceExceptionReport>


If curl is used separately it doesn't throw the certificate exception when used 
with the same curl-ca-bundle.crt file. This suggests that MapServer does not 
take into account CURL_CA_BUNDLE environment path and does not pass it to 
libcurl. But according to MapServer code 
(https://github.com/mapserver/mapserver/blob/7f3e75cbc277b19774dc7030b76b92985f9690c6/maphttp.c) 
it should check for CURL_CA_BUNDLE environment variable and if set use it for 
cURL. However this doesn't seem to be the case.

I even restarted my server for IIS process to pick up new environment 
variables: http://geographika.co.uk/reboot-to-refresh-environment-variables

Am I missing something?

Thanks,
Robertas
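
A diagnostic for separating the cases discussed in this thread, added here as an example (it is not part of the original messages and is not MapServer code): it reports whether CURL_CA_BUNDLE is visible to the current process, whether the file loads as PEM, and whether a given HTTPS host verifies against it. The function names are hypothetical and Python's ssl module only approximates libcurl's verification; run it under the same account and launch context as the web server's worker process.

```python
import os
import socket
import ssl
import sys

def check_bundle(environ=None):
    """Classify the CA bundle that CURL_CA_BUNDLE names in this process's environment."""
    environ = os.environ if environ is None else environ
    path = environ.get("CURL_CA_BUNDLE")
    if not path:
        return "unset", "CURL_CA_BUNDLE is not visible to this process"
    if not os.path.isfile(path):
        return "missing", f"{path} is not an existing file"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError (no PEM certificate) and PermissionError are OSErrors
        return "invalid", f"{path} could not be loaded: {exc}"
    return "ok", f"{path}: {ctx.cert_store_stats()['x509']} certificate(s) loaded"

def verify_host(host, port, cafile):
    """Handshake with host:port trusting only cafile; checks chain and hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok", "server certificate verified against the bundle"
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message
    except OSError as exc:
        return "connect_failed", str(exc)

if __name__ == "__main__":
    # Usage (assumed file name): python check_ca_bundle.py [host [port]]
    # host is the server the SLD URL points at.
    status, detail = check_bundle()
    print(f"bundle: {status}: {detail}")
    if status == "ok" and len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        result = verify_host(sys.argv[1], port, os.environ["CURL_CA_BUNDLE"])
        print(f"handshake: {result[0]}: {result[1]}")
```

An "unset" result in the worker's context but "ok" from an interactive shell points at the environment not reaching the process rather than at the bundle or the certificate.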