Bug report #16462

QGIS Server lost the ability to cascade WMS layers published using HTTPS

Added by Giovanni Manghi over 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: High
Assignee: -
Category: QGIS Server
Affected QGIS version: 2.18.17
Regression?: Yes
Operating System:
Easy fix?: No
Pull Request or Patch supplied: No
Resolution: duplicate
Crashes QGIS or corrupts data: No
Copied to github as #: 24371

Description

At some point (likely in a QGIS 2.14 point release), QGIS projects containing an external WMS layer (WFS is possibly affected too) published using HTTPS stopped cascading those layers correctly when the project is published with QGIS Server.

I tested the bug using the latest available versions of QGIS server 2.14 and 2.18, while using a QGIS Server 2.8.8 instance it works ok.

bug_16462.qgs (23.6 KB) Alessandro Pasotti, 2017-11-28 02:47 PM

tirol_getlegendgraphics_master.png (77.3 KB) René-Luc ReLuc, 2017-11-30 01:01 PM

tirol_getmap_218.png (2.04 KB) René-Luc ReLuc, 2017-11-30 01:01 PM

tirol_getmap_214.png (760 KB) René-Luc ReLuc, 2017-11-30 01:01 PM

tirol_getmap_master.png (1.94 MB) René-Luc ReLuc, 2017-11-30 01:01 PM


Related issues

Duplicated by QGIS Application - Bug report #17951: QGIS Server lost (most of the times) the ability to casc... Closed 2018-01-24

History

#1 Updated by Giovanni Manghi over 2 years ago

  • Subject changed from QGIS Server lost the hability to cascade WMS layers published using HTTPS to QGIS Server lost the ability to cascade WMS layers published using HTTPS

#2 Updated by Giovanni Manghi over 2 years ago

  • Affected QGIS version changed from 2.18.5 to 2.18.6

#3 Updated by Giovanni Manghi over 2 years ago

I can't pinpoint exactly when this happened, but my guess is still sometime along the 2.14.* releases. I had services based on qgis-server 2.14 that did the cascading of other wms/https services correctly.

#4 Updated by Giovanni Manghi over 2 years ago

  • Description updated (diff)
  • Affected QGIS version changed from 2.18.6 to 2.18.7

#5 Updated by Giovanni Manghi over 2 years ago

  • Regression? set to Yes

#6 Updated by Giovanni Manghi over 2 years ago

  • Priority changed from Severe/Regression to High

#7 Updated by Giovanni Manghi over 2 years ago

  • Easy fix? set to No

#8 Updated by Alessandro Pasotti almost 2 years ago

  • Assignee set to Alessandro Pasotti

#9 Updated by Alessandro Pasotti almost 2 years ago

What exactly does "stopped to cascade correctly" mean?

#10 Updated by Alessandro Pasotti almost 2 years ago

I could not reproduce this either on master or in 2.18.x.

Please attach a project that shows the issue (see my test project attached: all layers in the project are cascaded WMS on https ).

#11 Updated by René-Luc ReLuc almost 2 years ago

I have tested this URL: https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer
The GetCapabilities is OK, but the GetLegendGraphic doesn't provide the same image.

#12 Updated by René-Luc ReLuc almost 2 years ago

No issue with master, issue with 2.18

#13 Updated by Alessandro Pasotti almost 2 years ago

René, do I understand right that the issue is only with the cascading GetLegendGraphic not being transferred/copied/merged?
To be honest I've never used cascading WMS, but I'd be surprised if that was working: what would be the outcome when you ask a legend with multiple layers coming from cascading and not-cascading layers?
Do we have any logic to merge the QGIS-Server-generated image with the one coming from the cascading service?

Can you please attach a sample project and sample calls that are supposed to work and do not?

#14 Updated by René-Luc ReLuc almost 2 years ago

Firstly, I can't use the project you provide.

For the Request MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities
I have the result:

<ServerException>Project file error</ServerException>

And this log:

fcgi query string:  "MAP=/tmp/bug_16462.qgs&SERVICE=WMS&REQUEST=GetCapabilities" 
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] ******************** New request ***************
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REMOTE_ADDR: 127.0.0.1
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] MAP:/tmp/bug_16462.qgs
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] REQUEST:GetCapabilities
src/core/qgsmessagelog.cpp: 27: (logMessage) [0ms] 2017-11-30T12:45:02 Server[0] SERVICE:WMS
src/server/qgsserver.cpp: 176: (configPath) [0ms] MAP:/tmp/bug_16462.qgs
"Sent 1 blocks of 54 bytes" 
src/core/qgsmessagelog.cpp: 27: (logMessage) [5ms] 2017-11-30T12:45:02 Server[0] Request finished in 5 ms

I use this apache vhost:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin [email protected]
    ServerName qgis-server.localhost
    ServerAlias qgis-server.localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/qgis-server-error.log
    CustomLog ${APACHE_LOG_DIR}/qgis-server-access.log combined

    # Longer timeout for WPS... default = 40
    FcgidIOTimeout 120
    FcgidInitialEnv DISPLAY ":99"
    FcgidInitialEnv LC_ALL "en_US.UTF-8"
    FcgidInitialEnv PYTHONIOENCODING UTF-8
    FcgidInitialEnv LANG "en_US.UTF-8"
    #FcgidInitialEnv QGIS_LOG_FILE /tmp/qgis.log
    #FcgidInitialEnv QGIS_DEBUG_FILE /tmp/qgis-debug.log
    FcgidInitialEnv QGIS_DEBUG 1
    FcgidInitialEnv QGIS_SERVER_LOG_FILE /tmp/qgis-server.log
    FcgidInitialEnv QGIS_SERVER_LOG_LEVEL 0
    #FcgidInitialEnv QGIS_PLUGINPATH "/home/dhont/.qgis2/python/plugins"
    FcgidInitialEnv HOME "/tmp"

    # ABP: needed for QGIS HelloServer plugin HTTP BASIC auth
    <IfModule mod_fcgid.c>
        RewriteEngine on
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    </IfModule>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride All
        Options +ExecCGI -MultiViews +FollowSymLinks
        Require all granted
        #Allow from all
    </Directory>

</VirtualHost>

I have built the server on the 30th of November 2017.

#15 Updated by René-Luc ReLuc almost 2 years ago

So I have created a project with the layer Image_Aktuell_RGB from this WMS service https://gis.tirol.gv.at/arcgis/services/Service_Public/orthofoto/MapServer/WMSServer and a vector layer (SHP).

I have tested this project with:
  • QGIS 2.14
  • QGIS 2.18
  • QGIS master 30th November

I have tested 3 requests:
  • GetCapabilities SERVICE=WMS&Request=GetCapabilities
  • GetLegendGraphics SERVICE=WMS&VERSION=1.3.0&REQUEST=GetLegendGraphic&LAYER=Image_Aktuell_RGB&FORMAT=image/png&STYLE=default&SLD_VERSION=1.1.0
I can't really help more, I have lost the log files.
  • GetMap LAYERS=Image_Aktuell_RGB&STYLES=default&CRS=EPSG%3A31254&FORMAT=image%2Fpng&TRANSPARENT=true&EXCEPTIONS=application%2Fvnd.ogc.se_inimage&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&SRS=EPSG%3A31254&BBOX=931.9853487034507,261926.27369830207,17957.956900646554,267151.80498269794&WIDTH=1287&HEIGHT=395
The result is:
  • for GetLegendGraphics, the image provided by all QGIS Server gives only the layer name
  • for GetMap, 2.14 and master provide the image, 2.18 provides a blank image.

#16 Updated by Alessandro Pasotti almost 2 years ago

  • Assignee deleted (Alessandro Pasotti)
  • Subject changed from QGIS Server lost the ability to cascade WMS layers published using HTTPS to QGIS Server returns a blank image with GetImage on a WMS Cascading layer
  • Status changed from Feedback to Open

Thanks for your tests René, from the results we can conclude that:
- this ticket title must be changed to "QGIS Server returns a blank image with GetImage on a WMS Cascading layer"
- we should file a separate issue of type "Feature request" for composing the legend from the cascading server (which, as I suspected, was never implemented and is not a trivial task).

I'm focusing mainly on master at this time, so I'll pass this bug over because it does not affect master.

#17 Updated by Giovanni Manghi over 1 year ago

  • Subject changed from QGIS Server returns a blank image with GetImage on a WMS Cascading layer to QGIS Server lost the ability to cascade WMS layers published using HTTPS
  • Affected QGIS version changed from 2.18.7 to 2.18.15

I'm changing back the description to the original one after having chatted with Alessandro and having provided a clear example (which I cannot share here) that shows that the issue is cascading from a service which uses https (the same service/maps cascaded using http behave as expected).

#18 Updated by René-Luc ReLuc over 1 year ago

Does someone have any clue how to fix it?

#19 Updated by Giovanni Manghi over 1 year ago

  • Affected QGIS version changed from 2.18.15 to 2.18.17

#20 Updated by René-Luc ReLuc over 1 year ago

I have tested the future 2.18.18 and I can't reproduce the issue.

#21 Updated by René-Luc ReLuc over 1 year ago

I have found this error message:

Download of capabilities failed: SSL handshake failed

Is it possible to explicitly ignore SSL errors?

The issue is also available for XYZ layers.

#22 Updated by Alessandro Pasotti over 1 year ago

Maybe: it's possible, but it must be done for each certificate verification failure by adding a custom SSL configuration to the authentication DB; this is what normally happens in QGIS desktop when you encounter such an error.

What happens normally is that when the connection fails due to an SSL error, a dialog pops up asking if you want to ignore the error and/or store the exception permanently (more or less what happens in a normal browser), if you ignore the exception permanently this information is stored in the authentication DB.

So: it is not currently possible from the server. Btw, I agree that it might be a useful implementation, even if you should normally be careful to accept insecure connections.

#23 Updated by Alessandro Pasotti over 1 year ago

  • Duplicated by Bug report #17951: QGIS Server lost (most of the times) the ability to cascade WFS layers added

#24 Updated by Anne Blankert over 1 year ago

I am having the same problem: SSL handshake failed (QGIS server 2.18.19, Ubuntu 16.04). Example WMS service https://geodata.nationaalgeoregister.nl/bag/ows

Other software on the Ubuntu machine running QGIS server is able to connect to the same remote HTTPS WMS server without problems. Also QGIS Desktop can connect to the HTTPS WMS server without problems.

Maybe QGIS server does not know where to look for CA-certificates? If QGIS server can't validate the HTTPS server certificate, it may abort with an SSL handshake error?

I tried to set in the Apache configuration:
FcgidInitialEnv REQUESTS_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
FcgidInitialEnv SSL_CERT_FILE "/etc/ssl/certs/ca-certificates.crt"
also tried:
FcgidInitialEnv SSL_CERT_DIR "/etc/ssl/certs"

restarted Apache, but same result:
SSL handshake failed

#25 Updated by René-Luc ReLuc over 1 year ago

To fix this issue, you have to set the HOME environment variable to a directory in which the .qgis2 directory is writable by the user running QGIS Server; with Apache2, it's www-data.

For example, run these commands:

mkdir /srv/qgis/.qgis2
chown www-data:www-data /srv/qgis/.qgis2
chmod 774 /srv/qgis/.qgis2

And add this in your apache virtual host:

FcgidInitialEnv HOME "/srv/qgis" 
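
A pre-flight check for the fix in comment #25, added here as an example (not code from the thread or from the QGIS project): it reads the `FcgidInitialEnv HOME` value from a vhost file and verifies that `.qgis2` exists and is writable. As extra hardening it also flags a world-writable HOME (such as the `/tmp` used in the vhost of comment #14) and a `.qgis2` that other local users can read, because QGIS 2.x keeps its authentication DB (`qgis-auth.db`) in that directory. The function names and exit codes are hypothetical; run it as the QGIS Server user (www-data in the thread).

```shell
#!/bin/sh
# Added example: pre-flight check for the HOME/.qgis2 fix.
# Function names and exit codes are hypothetical, not part of QGIS or Apache.

# Print the last uncommented "FcgidInitialEnv HOME <dir>" value in a vhost file.
# Assumes the path contains no whitespace.
qgis_home_from_vhost() {
    awk '$1 == "FcgidInitialEnv" && $2 == "HOME" { gsub(/"/, "", $3); home = $3 }
         END { if (home != "") print home }' "$1"
}

# Return 0 when HOME/.qgis2 is usable by the current user and not exposed to
# other local users; otherwise print the reason and return a non-zero code.
check_qgis_home() {
    home=$(qgis_home_from_vhost "$1")
    if [ -z "$home" ]; then
        echo "no FcgidInitialEnv HOME set in $1"; return 2
    fi
    # The 9th character of the ls mode string is the "other" write bit.
    if [ "$(ls -ld "$home" 2>/dev/null | cut -c9)" = "w" ]; then
        echo "$home is world-writable: any local user can pre-create .qgis2"; return 3
    fi
    dir="$home/.qgis2"
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist"; return 4
    fi
    if [ ! -w "$dir" ]; then
        echo "$dir is not writable by $(id -un)"; return 5
    fi
    # Characters 8-10 are the r/w/x bits for "other"; mode 774 leaves "r--" here.
    if [ "$(ls -ld "$dir" | cut -c8-10)" != "---" ]; then
        echo "$dir is accessible to other users; consider chmod 750"; return 6
    fi
    echo "ok: $dir"; return 0
}

# Usage: sudo -u www-data sh check_qgis_home.sh <path to vhost file>
if [ "$#" -gt 0 ]; then
    check_qgis_home "$1"
fi
```

With the commands from comment #25 as written (mode 774), the check ends at exit code 6; after `chmod 750 /srv/qgis/.qgis2` it returns 0.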

#26 Updated by Giovanni Manghi over 1 year ago

  • Status changed from Open to Closed
  • Resolution set to duplicate

duplicate of #17951
