Bug report #16462
QGIS Server lost the ability to cascade WMS layers published using HTTPS
| Status: | Closed | ||
|---|---|---|---|
| Priority: | High | ||
| Assignee: | - | ||
| Category: | QGIS Server | ||
| Affected QGIS version: | 2.18.17 | Regression?: | Yes |
| Operating System: | Easy fix?: | No | |
| Pull Request or Patch supplied: | No | Resolution: | duplicate |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 24371 |
Description
At some point (likely in qgis 2.14 point release) QGIS projects containing an external WMS layer (possibly affected also WFS) published using HTTPS stopped to cascade correctly that layers when publishing the project with QGIS Server.
I tested the bug using the latest available versions of QGIS server 2.14 and 2.18, while using a QGIS Server 2.8.8 instance it works ok.
Related issues
History
#1
Updated by Giovanni Manghi about 7 years ago
- Subject changed from QGIS Server lost the hability to cascade WMS layers published using HTTPS to QGIS Server lost the ability to cascade WMS layers published using HTTPS
#2
Updated by Giovanni Manghi about 7 years ago
- Affected QGIS version changed from 2.18.5 to 2.18.6
#3
Updated by Giovanni Manghi about 7 years ago
I can't pinpoint when this exactly happened by my guess is still sometime along the 2.14.* releases. I had services based in qgis-server 2.14 that did the cascading of other wms/https services correctly.
#4
Updated by Giovanni Manghi almost 7 years ago
- Description updated (diff)
- Affected QGIS version changed from 2.18.6 to 2.18.7
#5
Updated by Giovanni Manghi almost 7 years ago
- Regression? set to Yes
#6
Updated by Giovanni Manghi almost 7 years ago
- Priority changed from Severe/Regression to High
#7
Updated by Giovanni Manghi almost 7 years ago
- Easy fix? set to No
#8
Updated by Alessandro Pasotti over 6 years ago
- Assignee set to Alessandro Pasotti
#9
Updated by Alessandro Pasotti over 6 years ago
What does exactly mean "stopped to cascade correctly"?
#10
Updated by Alessandro Pasotti over 6 years ago
- File bug_16462.qgs added
- Status changed from Open to Feedback
I could not reproduce this neither on master or in 2.18.x.
Please attach a project that shows the issue (see my test project attached: all layers in the project are cascaded WMS on https ).
#11
Updated by René-Luc ReLuc over 6 years ago
I have tested this URL https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer
The GetCapabilities it's OK but the GetLegendGraphic doesn't provide the same image.
#12
Updated by René-Luc ReLuc over 6 years ago
No issue with master, issue with 2.18
#13
Updated by Alessandro Pasotti over 6 years ago
Renè, do I understand right that the issue is only with the cascading GetLegendGraphic not being tranferred/copied/merged?
To be honest I've never used cascading WMS, but I'd be surprised if that was working: what would be the outcome when you ask a legend with multiple layers coming from cascading and not-cascading layers?
Do we have any logic to merge the QGIS-Server-generated image with the one coming from the cascading service?
Can you please attach a sample project and sample calls that are supposed to work and do not?
#14
Updated by René-Luc ReLuc over 6 years ago
Firstly, I can't use the project you provide.
For the Request MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities
I have the result:
<ServerException>Project file error</ServerException>
And this log:
fcgi query string: "MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities" src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] ******************** New request *************** src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REMOTE_ADDR: 127.0.0.1 src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] MAP:/tmp/bug_16462.qgs src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REQUEST:GetCapabilities src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] SERVICE:WMS src/server/qgsserver.cpp: 176: (configPath) [0ms] MAP:/tmp/bug_16462.qgs "Sent 1 blocks of 54 bytes" src/core/qgsmessagelog.cpp: 27: (logMessage) [5ms] 2017-11-30T12:45:02 Server[0] Request finished in 5 ms
I use this apache vhost:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
ServerName qgis-server.localhost
ServerAlias qgis-server.localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/qgis-server-error.log
CustomLog ${APACHE_LOG_DIR}/qgis-server-access.log combined
# Longer timeout for WPS... default = 40
FcgidIOTimeout 120
FcgidInitialEnv DISPLAY ":99"
FcgidInitialEnv LC_ALL "en_US.UTF-8"
FcgidInitialEnv PYTHONIOENCODING UTF-8
FcgidInitialEnv LANG "en_US.UTF-8"
#FcgidInitialEnv QGIS_LOG_FILE /tmp/qgis.log
#FcgidInitialEnv QGIS_DEBUG_FILE /tmp/qgis-debug.log
FcgidInitialEnv QGIS_DEBUG 1
FcgidInitialEnv QGIS_SERVER_LOG_FILE /tmp/qgis-server.log
FcgidInitialEnv QGIS_SERVER_LOG_LEVEL 0
#FcgidInitialEnv QGIS_PLUGINPATH "/home/dhont/.qgis2/python/plugins"
FcgidInitialEnv HOME "/tmp"
# ABP: needed for QGIS HelloServer plugin HTTP BASIC auth
<IfModule mod_fcgid.c>
RewriteEngine on
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride All
Options +ExecCGI -MultiViews +FollowSymLinks
Require all granted
#Allow from all
</Directory>
</VirtualHost>
I have build the server the 30th november 2017
#15
Updated by René-Luc ReLuc over 6 years ago
- File tirol_getmap_214.png added
- File tirol_getmap_master.png added
- File tirol_getmap_218.png added
- File tirol_getlegendgraphics_master.png added
So i have created a project with the layer Image_Aktuell_RGB from this WMS service https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer and a vector layer (SHP).
I have tested this project with:- QGIS 2.14
- QGIS 2.18
- QGIS master 30th november
I have tested 3 request: - GetCapabilities SERVICE=WMS&Request=GetCapabilities
- GetLegendGraphics SERVICE=WMS&VERSION=1.3.0&REQUEST=GetLegendGraphic&LAYER=Image_Aktuell_RGB&FORMAT=image/png&STYLE=default&SLD_VERSION=1.1.0
- GetMap LAYERS=Image_Aktuell_RGB&STYLES=default&CRS=EPSG%3A31254&FORMAT=image%2Fpng&TRANSPARENT=true&EXCEPTIONS=application%2Fvnd.ogc.se_inimage&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG%3A31254&BBOX=931.9853487034507,261926.27369830207,17957.956900646554,267151.80498269794&WIDTH=1287&HEIGHT=395
- for GetLegendGraphics, the image provided by all QGIS Server gives only the layer name
- for GetMap, 2.14 and master provides the image, 2.18 provides a blank image.
#16
Updated by Alessandro Pasotti over 6 years ago
- Assignee deleted (
Alessandro Pasotti) - Subject changed from QGIS Server lost the ability to cascade WMS layers published using HTTPS to QGIS Server returns a blank image with GetImage on a WMS Cascading layer
- Status changed from Feedback to Open
Thanks for your tests René, from the results we can conclude that:
- this ticket title must be changed to "QGIS Server returns a blank image with GetImage on a WMS Cascading layer"
- we should file a separate issue type "Feature request" for composing the the legend from the cascading server (which as I suspected it was never implemented and it is not a trivial task).
I'm focusing mainly on master at this time, so I'll pass this bug over because it does not affect master.
#17
Updated by Giovanni Manghi over 6 years ago
- Subject changed from QGIS Server returns a blank image with GetImage on a WMS Cascading layer to QGIS Server lost the ability to cascade WMS layers published using HTTPS
- Affected QGIS version changed from 2.18.7 to 2.18.15
I'm changing back the description to the original one after having chatted with Alessandro and having provided a clear example (which I cannot share here) that shows that the issue is cascading from a service which uses https (the same service/maps cascaded using http behave as expected).
#18
Updated by René-Luc ReLuc about 6 years ago
Does some one has any clue to fix it ?
#19
Updated by Giovanni Manghi about 6 years ago
- Affected QGIS version changed from 2.18.15 to 2.18.17
#20
Updated by René-Luc ReLuc about 6 years ago
I have tested the futur 2.18.18 and I can't reproduced the issue.
#21
Updated by René-Luc ReLuc about 6 years ago
I have found this error message:
Download of capabilities failed: SSL handshake failed
Is it possible to explicitly ignore SSL errors ?
The issue is also available for XYZ layers.
#22
Updated by Alessandro Pasotti about 6 years ago
maybe: it's possible but it must be done for each certificate verification failure by adding a custom SSL configuration to the authentication DB, this is what normally happens in QGIS desktop when you encounter such an error.
What happens normally is that when the connection fails due to an SSL error, a dialog pops up asking if you want to ignore the error and/or store the exception permanently (more or less what happens in a normal browser), if you ignore the exception permanently this information is stored in the authentication DB.
So: it is not currently possible from the server. Btw, I agree that it might be a useful implementation, even if you should normally be careful to accept insecure connections.
#23
Updated by Alessandro Pasotti about 6 years ago
- Duplicated by Bug report #17951: QGIS Server lost (most of the times) the ability to cascade WFS layers added
#24
Updated by Anne Blankert almost 6 years ago
I am having the same problem: SSL handshake failed (QGIS server 2.18.19, Ubuntu 16.04). Example WMS service https://geodata.nationaalgeoregister.nl/bag/ows
Other software on the Ubuntu machine running QGIS server is able to connect to the same remote HTTPS WMS server without problems. Also QGIS Desktop can connect to the HTTPS WMS server without problems.
Maybe QGIS server does not know where to look for CA-certificates? If QGIS server can't validate the HTTPS server certificate, it may abort with an SSL handshake error?
I tried to set in the Apache configuration:
FcgidInitialEnv REQUESTS_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
FcgidInitialEnv SSL_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"
also tried:
FcgidInitialEnv SSL_CERT_DIR "/etc/ssl/certs"
restarted Apache, but same result:
SSL handshake failed
#25
Updated by René-Luc ReLuc almost 6 years ago
To fix this issue, you have to add HOME environmental variable to a directory in which the directory .qgis2 is writable for the user used by QGIS Server, with Apache2, it's www-data.
For exemple, do these commands:
mkdir /srv/qgis/.qgis2 chown www-data:www-data /srv/qgis/.qgis2 chmod 774 /srv/qgis/.qgis2
And add this in your apache virtual host:
FcgidInitialEnv HOME "/srv/qgis"
#26
Updated by Giovanni Manghi almost 6 years ago
- Status changed from Open to Closed
- Resolution set to duplicate
duplicate of #17951