Bug#779974: josm: invalid certificate (incomplete /etc/ssl/certs/java/cacert)

2015-08-26 Thread Sebastiaan Couwenberg
Hi Salvo & Java Team,

As reported in the #779974 josm is not working for Salvo because the
tile.openstreetmap.org SSL certificates are not trusted. This is caused
by the /etc/ssl/certs/java/cacert list being incomplete, it doesn't
include the entries other systems with ca-certificates-java have.

So far I've been unable to get Salvo to regenerate
/etc/ssl/certs/java/cacert properly, as should be automatic by the
jks-keystore ca-certificates update hook.

Do you have any advice what we could try to get his Java cacerts fixed?

We've already tried to import the certificates in the CA chain manually,
although that shouldn't be required.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel


Bug#779974: josm: invalid certificate (incomplete /etc/ssl/certs/java/cacert)

2015-08-26 Thread Salvo Tomaselli
I tried using it today again.

I've noticed that after I get the initial error asking me to configure
a proxy, if I just hit cancel I can go on working normally.

2015-08-26 12:42 GMT+02:00 Sebastiaan Couwenberg <sebas...@xs4all.nl>:
> Hi Salvo & Java Team,
>
> As reported in the #779974 josm is not working for Salvo because the
> tile.openstreetmap.org SSL certificates are not trusted. This is caused
> by the /etc/ssl/certs/java/cacert list being incomplete, it doesn't
> include the entries other systems with ca-certificates-java have.
>
> So far I've been unable to get Salvo to regenerate
> /etc/ssl/certs/java/cacert properly, as should be automatic by the
> jks-keystore ca-certificates update hook.
>
> Do you have any advice what we could try to get his Java cacerts fixed?
>
> We've already tried to import the certificates in the CA chain manually,
> although that shouldn't be required.
>
> Kind Regards,
>
> Bas
>
> --
>  GPG Key ID: 4096R/6750F10AE88D4AF1
> Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate (incomplete /etc/ssl/certs/java/cacert)

2015-08-26 Thread Sebastiaan Couwenberg
On 26-08-15 13:15, Salvo Tomaselli wrote:
> I tried using it today again.
>
> I've noticed that after I get the initial error asking me to configure
> a proxy, if I just hit cancel I can go on working normally.

Shall we just close this bugreport, since a workaround is available?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate

2015-04-23 Thread Sebastiaan Couwenberg
OK, let's add all the certificates in the CA chain.

Start by saving the attached certificates in /tmp.

Import certificate for: GeoTrust Global CA

 sudo keytool -v -importcert -trustcacerts -alias geotrust_global_ca \
 -file /tmp/osm-tile-cert-2.crt \
 -keystore /etc/ssl/certs/java/cacerts -storepass changeit

Import certificate for: RapidSSL CA

 sudo keytool -v -importcert -trustcacerts -alias rapidssl_ca \
 -file /tmp/osm-tile-cert-1.crt \
 -keystore /etc/ssl/certs/java/cacerts -storepass changeit

Import certificate for: *.tile.openstreetmap.org

 sudo keytool -v -importcert -trustcacerts \
 -alias tile_openstreetmap_org \
 -file /tmp/osm-tile-cert-0.crt \
 -keystore /etc/ssl/certs/java/cacerts -storepass changeit

You should now have the whole CA chain in the truststore.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1


osm-tile-cert-0.crt
Description: application/pkix-cert


osm-tile-cert-1.crt
Description: application/pkix-cert


osm-tile-cert-2.crt
Description: application/pkix-cert

Bug#779974: josm: invalid certificate

2015-04-23 Thread Salvo Tomaselli
On Wednesday 22 April 2015 18:58:06, Sebastiaan Couwenberg wrote:
> On 04/22/2015 11:29 AM, Salvo Tomaselli wrote:
> > On Tuesday 21 April 2015 19:51:15, Sebastiaan Couwenberg wrote:
> > > On 04/21/2015 09:22 AM, Salvo Tomaselli wrote:
> > > > > aptitude update && aptitude reinstall ca-certificates
> > > >
> > > > Tried this one, still same result in josm.
> > >
> > > Still only 11 certs in the Java cacerts keystore, this should be over
> > > 100.
> > >
> > > crappy webmail I was using.
> > >
> > > Do you have the Equifax_Secure_CA.crt installed?
> >
> > $ ls -l /etc/ssl/certs/Equifax_Secure_CA.pem /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
>
> So you have the CA cert, just not in the Java truststore. The
> update-ca-certificates hook should take care of this, but for some
> mysterious reason it doesn't import all certificates as it should.
>
> Can you check if the certificate is enabled in the configuration file?
>
>  grep Equifax_Secure_CA /etc/ca-certificates.conf
grep Equifax_Secure_CA /etc/ca-certificates.conf
mozilla/Equifax_Secure_CA.crt

I guess it is in there.

> Assuming it's enabled but still not picked up by the
> update-ca-certificates hook, you can manually import the certificate:
>
>  sudo keytool -v -importcert -trustcacerts -alias equifax_secure_ca \
>  -file /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt \
>  -keystore /etc/ssl/certs/java/cacerts -storepass changeit
Output attached, it asked me to write si to confirm to trust the 
certificate.


josm is still telling me this, after doing that command

sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Best
-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/
# keytool -v -importcert -trustcacerts -alias equifax_secure_ca -file /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt -keystore /etc/ssl/certs/java/cacerts -storepass changeit
Proprietario: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Autorità emittente: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Numero di serie: 35def4cf
Valido da: Sat Aug 22 18:41:51 CEST 1998 a: Wed Aug 22 18:41:51 CEST 2018
Impronte digitali certificato:
 MD5:  67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 SHA1: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
 SHA256: 08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
 Nome algoritmo firma: SHA1withRSA
 Versione: 3

Considerare sicuro questo certificato? [no]:  y
Risposta errata, riprovare
Considerare sicuro questo certificato? [no]:  si
Il certificato è stato aggiunto al keystore
[Memorizzazione di /etc/ssl/certs/java/cacerts] in corso


Bug#779974: josm: invalid certificate

2015-04-22 Thread Sebastiaan Couwenberg
On 04/22/2015 11:29 AM, Salvo Tomaselli wrote:
> On Tuesday 21 April 2015 19:51:15, Sebastiaan Couwenberg wrote:
> > On 04/21/2015 09:22 AM, Salvo Tomaselli wrote:
> > > > aptitude update && aptitude reinstall ca-certificates
> > >
> > > Tried this one, still same result in josm.
> >
> > Still only 11 certs in the Java cacerts keystore, this should be over 100.
> >
> > crappy webmail I was using.
> >
> > Do you have the Equifax_Secure_CA.crt installed?
>
> $ ls -l /etc/ssl/certs/Equifax_Secure_CA.pem /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt

So you have the CA cert, just not in the Java truststore. The
update-ca-certificates hook should take care of this, but for some
mysterious reason it doesn't import all certificates as it should.

Can you check if the certificate is enabled in the configuration file?

 grep Equifax_Secure_CA /etc/ca-certificates.conf

Assuming it's enabled but still not picked up by the
update-ca-certificates hook, you can manually import the certificate:

 sudo keytool -v -importcert -trustcacerts -alias equifax_secure_ca \
 -file /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt \
 -keystore /etc/ssl/certs/java/cacerts -storepass changeit

This manual import shouldn't be required, but I have no clue why your
cacerts keystore is not populated by the tools as expected.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate

2015-04-22 Thread Salvo Tomaselli
On Tuesday 21 April 2015 19:51:15, Sebastiaan Couwenberg wrote:
> On 04/21/2015 09:22 AM, Salvo Tomaselli wrote:
> > > aptitude update && aptitude reinstall ca-certificates
> >
> > Tried this one, still same result in josm.
>
> Still only 11 certs in the Java cacerts keystore, this should be over 100.
>
> crappy webmail I was using.
>
> Do you have the Equifax_Secure_CA.crt installed?

$ ls -l /etc/ssl/certs/Equifax_Secure_CA.pem /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt

lrwxrwxrwx 1 root root   56 ott 27  2011 /etc/ssl/certs/Equifax_Secure_CA.pem -> /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
-rw-r--r-- 1 root root 1143 ott 20  2014 /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt


Yes it seems I have, and their diff is empty, so it's the same file.


-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-21 Thread Salvo Tomaselli
> aptitude update && aptitude reinstall ca-certificates
Tried this one, still same result in josm.

> Can you attach the output of the command to see which CAs are included?
I had attached it already in the previous email. Now I'm attaching the new 
output after the reinstallation.

-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/


output.txt.gz
Description: application/gzip

Bug#779974: josm: invalid certificate

2015-04-21 Thread Sebastiaan Couwenberg
On 04/21/2015 09:22 AM, Salvo Tomaselli wrote:
> > aptitude update && aptitude reinstall ca-certificates
> Tried this one, still same result in josm.

Still only 11 certs in the Java cacerts keystore, this should be over 100.

> > Can you attach the output of the command to see which CAs are included?
> I had attached it already in the previous email. Now I'm attaching the new
> output after the reinstallation.

Thanks again for the output, I had overlooked your earlier copy in the
crappy webmail I was using.

Do you have the Equifax_Secure_CA.crt installed?

You can check this as follows:

ls -l /etc/ssl/certs/Equifax_Secure_CA.pem \
  /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt

The .pem file should be an update-ca-certificates created symlink to the
actual file under /usr/share.

If you have the file, but lack the symlink you can recreate the symlinks
with:

 sudo update-ca-certificates --verbose --fresh

If you lack the file itself, you can install the attached copy in
/usr/local/share/ca-certificates and run update-ca-certificates.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1


Equifax_Secure_CA.crt
Description: application/pkix-cert

Bug#779974: josm: invalid certificate

2015-04-20 Thread Salvo Tomaselli
> Can you confirm that you've reinstalled the ca-certificates package?
I've reinstalled using dpkg -i --force-confmiss but no luck.

The certificate you look for is not in the output of keytool

-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/

Tipo keystore: JKS
Provider keystore: SUN

Il keystore contiene 11 voci


Bug#779974: josm: invalid certificate

2015-04-20 Thread Sebastiaan Couwenberg
> > Can you confirm that you've reinstalled the ca-certificates package?
> I've reinstalled using dpkg -i --force-confmiss but no luck.

That doesn't download a new archive, try:

aptitude update && aptitude reinstall ca-certificates

or:

apt-get update && apt-get install --reinstall ca-certificates

> The certificate you look for is not in the output of keytool

Can you attach the output of the command to see which CAs are included?

Kind Regards,

Bas



Bug#779974: josm: invalid certificate

2015-04-13 Thread Sebastiaan Couwenberg
On 04/13/2015 05:47 PM, Salvo Tomaselli wrote:
 
> > sudo update-ca-certificates --verbose
> Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
> Running hooks in /etc/ca-certificates/update.d
> done.
> done.

Clearly no new certificates are added.

> > ls -l /etc/ssl/certs/java/cacerts
> -rw-r--r-- 1 root root 11940 apr 13 17:45 /etc/ssl/certs/java/cacerts
>
> Same problem seems to be occurring tho.

On a Debian unstable VM without customizations the cacerts file is
207196, about half the size of my Debian unstable workstation, but still
significantly larger than yours.

Try reconfiguring the ca-certificates package and enable at least the
COMODO/Comodo certificates because those are used for
*.tile.openstreetmap.org:

sudo dpkg-reconfigure ca-certificates

I suspect you chose not to add new certificates automatically causing
the new Comodo CA certificate to be missing.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli
> On a Debian unstable VM without customizations the cacerts file is
> 207196, about half the size of my Debian unstable workstation, but still
> significantly larger than yours.
>
> Try reconfiguring the ca-certificates package and enable at least the
> COMODO/Comodo certificates because those are used for
> *.tile.openstreetmap.org:
I only have Mozilla/Comodo, no COMODO/Comodo. And they were already enabled.

It seems I have some weird certificate problem. Perhaps I should just try to 
reinstall the package?


-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-13 Thread Sebastiaan Couwenberg
On 04/13/2015 09:01 PM, Salvo Tomaselli wrote:
> > On a Debian unstable VM without customizations the cacerts file is
> > 207196, about half the size of my Debian unstable workstation, but still
> > significantly larger than yours.
> >
> > Try reconfiguring the ca-certificates package and enable at least the
> > COMODO/Comodo certificates because those are used for
> > *.tile.openstreetmap.org:
> I only have Mozilla/Comodo, no COMODO/Comodo. And they were already enabled.

Most entries start with mozilla/, I only meant the two different
capitalizations of the name.

> It seems I have some weird certificate problem. Perhaps I should just try to
> reinstall the package?

Reinstalling the ca-certificates package shouldn't hurt to try.

Can you also check the contents of your keystore?

 keytool -v -list -keystore /etc/ssl/certs/java/cacerts \
 -storepass changeit | less


You should have an entry with an alias like equifax_secure_ca with:

Certificate fingerprint (SHA1):
D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

This is the root CA for the OSM tile server SSL certificate chain.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
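
The keystore check requested above, written as a script. This is an added example, not part of the original thread: the function names, the sample listing and the sample ca-certificates.conf excerpt are constructed for illustration, and only the Equifax SHA1 fingerprint is taken from the message. Comparing the entry count with the number of enabled certificates is a rough heuristic for the "11 instead of over 100" symptom, not a rule of the jks-keystore hook.

```shell
#!/bin/sh
# Added example (not from the thread). Input: text saved from
#   keytool -list -v -keystore /etc/ssl/certs/java/cacerts -storepass changeit
# Only tokens that keytool does not translate are parsed, so a localized
# (e.g. Italian) listing is handled the same way as an English one.

# SHA-1 of the root CA named in the thread.
EQUIFAX_SHA1='D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A'

# Number of trusted CA entries in a saved listing.
ks_entry_count() {
    grep -c 'trustedCertEntry' "$1" || true
}

# Every SHA-1 fingerprint in the listing, upper case, one per line.
# 20 hex bytes joined by 19 colons = 59 characters; matching whole fields
# keeps the first 20 bytes of a SHA-256 value from being mistaken for one.
ks_sha1_fingerprints() {
    awk '{
        for (i = 1; i <= NF; i++) {
            f = toupper($i)
            if (length(f) == 59 && f ~ /^[0-9A-F:]+$/ && gsub(/:/, ":", f) == 19)
                print f
        }
    }' "$1"
}

# Succeeds when the listing contains the given SHA-1 (case-insensitive).
ks_has_sha1() {
    wanted=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    ks_sha1_fingerprints "$1" | grep -qxF "$wanted"
}

# Enabled lines in ca-certificates.conf: not blank, not "#" comments,
# not "!" (deselected) entries.
conf_enabled_count() {
    grep -cv -e '^[[:space:]]*$' -e '^#' -e '^!' "$1" || true
}

# Prints one verdict for: listing, ca-certificates.conf, expected root SHA-1.
truststore_verdict() {
    have=$(ks_entry_count "$1")
    enabled=$(conf_enabled_count "$2")
    if [ "$have" -lt "$enabled" ]; then
        echo incomplete      # fewer keystore entries than enabled CAs
    elif ! ks_has_sha1 "$1" "$3"; then
        echo missing-root    # counts agree, but the needed root is absent
    else
        echo ok
    fi
}

# Constructed sample data: aliases, file names and the first two
# fingerprints are made up; the layout follows localized keytool output.
make_samples() {
    cat > "$1/broken.txt" <<'EOF'
Il keystore contiene 2 voci

Nome alias: debian:example_root_a.pem
Tipo di voce: trustedCertEntry
  SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
  SHA256: 00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F
Nome alias: debian:example_root_b.pem
Tipo di voce: trustedCertEntry
  SHA1: A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9
EOF
    cp "$1/broken.txt" "$1/fixed.txt"
    cat >> "$1/fixed.txt" <<EOF
Nome alias: equifax_secure_ca
Tipo di voce: trustedCertEntry
  SHA1: $EQUIFAX_SHA1
EOF
    cat > "$1/ca-certificates.conf" <<'EOF'
# constructed excerpt
mozilla/Example_Root_A.crt
mozilla/Example_Root_B.crt
!mozilla/Example_Deselected.crt
mozilla/Equifax_Secure_CA.crt
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
for f in broken fixed; do
    echo "$f: $(truststore_verdict "$demo/$f.txt" "$demo/ca-certificates.conf" "$EQUIFAX_SHA1")"
done
rm -rf "$demo"
```

On a real system, save the keytool listing to a file and pass /etc/ca-certificates.conf as the second argument to truststore_verdict.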



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli

Sorry, I just forgot to followup.

The issue is still there.

I will try later today to do some more experiments.


On 10/04/2015 22:59, Sebastiaan Couwenberg wrote:

> Hi Salvo,
>
> Can I conclude from your lack of response that the issue has been resolved?
>
> Kind Regards,
>
> Bas





Bug#779974: josm: invalid certificate

2015-04-13 Thread Sebastiaan Couwenberg
Thanks for the tile server info.

> c.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
> tile.geo.openstreetmap.org is an alias for se.tile.openstreetmap.org.
> se.tile.openstreetmap.org is an alias for oslo.tile.openstreetmap.org.
> oslo.tile.openstreetmap.org has address 31.169.50.10

The SSL certificate configured on oslo.tile.openstreetmap.org (ridgeback)
is in order like the other mirrors.

Does your browser generate any warnings when you access the tile directly?

https://oslo.tile.openstreetmap.org/10/555/396.png

I'm starting to suspect there is a proxy on your local network or a
transparent proxy on the network of your ISP that intercepts the tile
requests.

Another option is horribly outdated cacerts for Java, this should be a
symlink to /etc/ssl/certs/java/cacerts which gets updated by
update-ca-certificates if you have not disabled this in
/etc/default/cacerts.

Which JRE do you use with josm (it logs this on the console if you start
josm from a terminal)?

Kind Regards,

Bas



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli
$ for f in {a,b,c}.tile.openstreetmap.org; do host $f && echo; done
a.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for se.tile.openstreetmap.org.
se.tile.openstreetmap.org is an alias for oslo.tile.openstreetmap.org.
oslo.tile.openstreetmap.org has address 31.169.50.10

b.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for se.tile.openstreetmap.org.
se.tile.openstreetmap.org is an alias for oslo.tile.openstreetmap.org.
oslo.tile.openstreetmap.org has address 31.169.50.10

c.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for se.tile.openstreetmap.org.
se.tile.openstreetmap.org is an alias for oslo.tile.openstreetmap.org.
oslo.tile.openstreetmap.org has address 31.169.50.10

-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli

> sudo update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d
done.
done.

> ls -l /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 11940 apr 13 17:45 /etc/ssl/certs/java/cacerts

Same problem seems to be occurring tho.
-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-13 Thread Sebastiaan Couwenberg
> > Does your browser generate any warnings when you access the tile
> > directly?
> No. It loads without problems.

Good.

> > I'm starting to suspect there is a proxy on your local network or a
> > transparent proxy on the network of your ISP that intercepts the tile
> Hm, Wouldn't that give me problems with loading from the browser as well?
> Also, I'm using an exceptionally good connection.

A proxy run by your ISP should also cause the problem in your browser.

> > Another option is horribly outdated cacerts for Java, this should be a
> > symlink to /etc/ssl/certs/java/cacerts
> How can I check for that? I suppose it can be the case.

To check the files themselves:

ls -l /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts
ls -l /etc/ssl/certs/java/cacerts

To check the cacerts defaults:

sudo cat /etc/default/cacerts

To check the update-ca-certificates hook that generates the cacerts file
for Java:

ls -l /etc/ca-certificates/update.d/jks-keystore

> > Which JRE do you use with josm (it logs this on the console if you start
> > josm from a terminal)?
> Using /usr/lib/jvm/java-7-openjdk-amd64/bin/java to execute josm.

Do you have other JVMs installed?

You can list them with:

ls -l /usr/lib/jvm/

Do you have other Java customizations like exporting JAVA_HOME in a
profile.d configuration?

Kind Regards,

Bas



Bug#779974: josm: invalid certificate

2015-04-13 Thread Sebastiaan Couwenberg
> > ls -l /etc/ssl/certs/java/cacerts
> -rw-r--r-- 1 root root 11940 ott 20 18:56 /etc/ssl/certs/java/cacerts

Yours is very small, mine is 413593 bytes.

Try updating the cacerts file by running:

sudo update-ca-certificates --verbose

Then check the cacerts file again with:

ls -l /etc/ssl/certs/java/cacerts



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli
> Does your browser generate any warnings when you access the tile directly?
No. It loads without problems.

> I'm starting to suspect there is a proxy on your local network or a
> transparent proxy on the network of your ISP that intercepts the tile
Hm, Wouldn't that give me problems with loading from the browser as well?
Also, I'm using an exceptionally good connection.

> Another option is horribly outdated cacerts for Java, this should be a
> symlink to /etc/ssl/certs/java/cacerts
How can I check for that? I suppose it can be the case.

> Which JRE do you use with josm (it logs this on the console if you start
> josm from a terminal)?
Using /usr/lib/jvm/java-7-openjdk-amd64/bin/java to execute josm.

Best
-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-13 Thread Salvo Tomaselli
> To check the files themselves:
>
> ls -l /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 27 mar 13 07:22 /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts


> ls -l /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 11940 ott 20 18:56 /etc/ssl/certs/java/cacerts


> sudo cat /etc/default/cacerts
# defaults for ca-certificates-java

# The password which is used to protect the integrity of the keystore.
# storepass must be at least 6 characters long. It must be provided to
# all commands that access the keystore contents.
# Only change this if adding private certificates.
#storepass=''

# enable/disable updates of the keystore /etc/ssl/certs/java/cacerts
cacerts_updates=yes


> ls -l /etc/ca-certificates/update.d/jks-keystore
-rwxr-xr-x 1 root root 2336 mar 25  2014 /etc/ca-certificates/update.d/jks-keystore


> Do you have other JVMs installed?
I suppose I do :-)


> ls -l /usr/lib/jvm/
totale 8
lrwxrwxrwx 1 root root   24 mag  6  2014 default-java -> java-1.7.0-openjdk-amd64
lrwxrwxrwx 1 root root   20 lug 26  2014 java-1.7.0-openjdk-amd64 -> java-7-openjdk-amd64
drwxr-xr-x 5 root root 4096 mar 25 10:37 java-6-openjdk-amd64
drwxr-xr-x 7 root root 4096 mar 14 09:45 java-7-openjdk-amd64

> Do you have other Java customizations like exporting JAVA_HOME in a
> profile.d configuration?
JAVA_HOME is not set here and in /etc/profile.d I only have bash_completion.sh

Best
-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-04-10 Thread Sebastiaan Couwenberg
Hi Salvo,

Can I conclude from your lack of response that the issue has been resolved?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate

2015-03-08 Thread Sebastiaan Couwenberg
On 03/08/2015 07:01 PM, Salvo Tomaselli wrote:
> tried with the experimental version as well and it has the same problem.
>
> On the GUI it will ask me to check for proxy settings and in the selector to
> decide which area I want to edit, all the images will be missing.

OK, let's find out which servers you're using.

What do the tile server URLs resolve to on your end?

$ for f in {a,b,c}.tile.openstreetmap.org; do host $f && echo; done
a.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for nl.tile.openstreetmap.org.
nl.tile.openstreetmap.org is an alias for amsterdam.tile.openstreetmap.org.
amsterdam.tile.openstreetmap.org has address 134.90.146.26

b.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for nl.tile.openstreetmap.org.
nl.tile.openstreetmap.org is an alias for amsterdam.tile.openstreetmap.org.
amsterdam.tile.openstreetmap.org has address 134.90.146.26

c.tile.openstreetmap.org is an alias for tile.geo.openstreetmap.org.
tile.geo.openstreetmap.org is an alias for nl.tile.openstreetmap.org.
nl.tile.openstreetmap.org is an alias for amsterdam.tile.openstreetmap.org.
amsterdam.tile.openstreetmap.org has address 134.90.146.26


So I'm using the trogdor caching tile server hosting in Amsterdam, since
there is no server in Italy I'm not sure which one you get.

Can you send the output for the host loop above?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#779974: josm: invalid certificate

2015-03-08 Thread Salvo Tomaselli
Hello,

tried with the experimental version as well and it has the same problem.

On the GUI it will ask me to check for proxy settings and in the selector to 
decide which area I want to edit, all the images will be missing.


Best
-- 
Salvo Tomaselli

I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect has intended us to forgo their use.
-- Galileo Galilei

http://ltworf.github.io/ltworf/



Bug#779974: josm: invalid certificate

2015-03-07 Thread Sebastiaan Couwenberg
Control: tags -1 unreproducible

Hi Salvo,

Thanks for reporting this issue.

On 03/07/2015 10:45 AM, Salvo Tomaselli wrote:
> Package: josm
> Version: 0.0.svn7643+dfsg1-1

It may be worthwhile to upgrade to JOSM 8109 available in experimental.

> apparently there is an expired certificate.
>
> Failed loading https://c.tile.openstreetmap.org/10/555/396.png:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> and josm is completely useless as a result.

The certificate for the tile you mentioned is valid until 10/19/2017
when I checked it just now.

Can you try again?

Maybe the OSM admins have changed the certificates in the meantime. Or
the problem could be limited to a subset of the geographically
distributed tile servers.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Processed: Re: Bug#779974: josm: invalid certificate

2015-03-07 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 unreproducible
Bug #779974 [josm] josm: invalid certificate
Added tag(s) unreproducible.

-- 
779974: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#779974: josm: invalid certificate

2015-03-07 Thread Sebastiaan Couwenberg
Control: notfound -1 josm/0.0.svn7643+dfsg1-1
Control: severity -1 normal

Hi Salvo,

I also cannot reproduce the issue with the JOSM version in jessie & sid.

Since the SSL certificates are an issue on the server side, not in JOSM
itself, this is not a bug in the package.

You can edit the tile URLs in the Preferences to use HTTP instead of
HTTPS, so the grave severity is not justified.

Please let us know if the issue has been resolved on your end too.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Processed: Re: Bug#779974: josm: invalid certificate

2015-03-07 Thread Debian Bug Tracking System
Processing control commands:

> notfound -1 josm/0.0.svn7643+dfsg1-1
Bug #779974 [josm] josm: invalid certificate
No longer marked as found in versions josm/0.0.svn7643+dfsg1-1.
> severity -1 normal
Bug #779974 [josm] josm: invalid certificate
Severity set to 'normal' from 'grave'

-- 
779974: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#779974: josm: invalid certificate

2015-03-07 Thread Salvo Tomaselli
Package: josm
Version: 0.0.svn7643+dfsg1-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

apparently there is an expired certificate.

 Failed loading https://c.tile.openstreetmap.org/10/555/396.png: 
 sun.security.validator.ValidatorException: PKIX path building failed: 
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

and josm is completely useless as a result.

Best

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.7a (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages josm depends on:
ii  ant                              1.9.4-3
ii  default-jre                      2:1.7-52
ii  fonts-droid                      1:4.4.4r2-6
ii  jmapviewer                       1.03+dfsg-2
ii  libandroid-json-org-java         20121204-20090211-1
ii  libcommons-codec-java            1.9-1
ii  libgettext-commons-java          0.9.6-2
ii  libmetadata-extractor-java       2.6.4-2
ii  liboauth-signpost-java           1.2.1.2-1.2
ii  libsvgsalamander-java            0~svn95-1
ii  openstreetmap-map-icons-classic  1:0.0.svn30763-1

Versions of packages josm recommends:
pn  josm-l10n        <none>
pn  josm-plugins     <none>
ii  webkit-image-qt  0.0.svn25399-3

josm suggests no packages.

-- no debconf information
