*The easiest and best is usually to get a certificate from one of the
renowned suppliers generally included in the trust store of big browsers
and operating systems.*
Check out https://letsencrypt.org/ which provides certificates for free.
If it is possible to expose the http-port (tcp/80) of your server to the
internet, that is an easy way to start using Let's Encrypt - and if
necessary they also provides other ways to identify ownership of hostnames,
e.g. by providing DNS-records.
If you really would like to make your own test certificates, you could
check out https://github.com/OpenVPN/easy-rsa
The certificates are regular SSL/TLS-certificates, and can be used for any
protocol encrypted with TLS.
Read through
https://github.com/OpenVPN/easy-rsa/blob/master/doc/Intro-To-PKI.md which
is an introduction to public key infrastructure.
Your users must also understand the risk of giving you super powers:
Certificate Authorities (CA) are trusted entities in your operating
system/browser, and could issue certificates for any hostname. If they
trust your CA, you could in theory make certificates for any existing (or
non-existing domain name) and make their browser/application trust that
site as you provide a valid certificate issued by one of their trusted CAs.
Operating a CA also requires understanding of the trust model and to keep
track of the different certificate expiry dates within the certificate
chain from your root certificate and down to the service certificate.
Again, if possible - always use certificates from official providers.
Rolling your own CA is a big responsibility, and not for the faint of heart
--
Best Regards,
Christian Skarby
MET Norway
fre. 12. juli 2024 kl. 00:04 skrev Jim Fluke <james.fluke@xxxxxxxxxxxxx>:
> Pols,
>
> Well, by actually reading the rest of the instructions in the TDS
> documentation
> <https://docs.unidata.ucar.edu/tds/current/userguide/enable_tls_encryption.html>
> I was able to set the certificateKeystorePassword, which fixed this
> problem. At least for website access if I push though the self-signed
> certificate warnings.
>
> But, pydap is failing due to the self-signed certificate and I haven't
> found a way around it yet:
> ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate
> verify failed: self-signed certificate (_ssl.c:1000)
>
> If anyone knows a way around that please let me know.
>
> Thanks,
> Jim
>
> On 7/11/24 11:47, Jim Fluke wrote:
>
> Pols,
>
> I created a self-signed certificate since it's just for testing right now .
> So far I can't get it to work though. Here are the errors I get at TDS
> start up:
> 10-Jul-2024 15:26:16.372 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector["https-openssl-nio-8443"]]
> org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> .
> .
> .
> Caused by: java.lang.IllegalArgumentException: Keystore was
> tampered with, or password was incorrect
> .
> .
> .
> Caused by: java.security.UnrecoverableKeyException: Password
> verification failed
>
> And, I am still using 8443. Also because this is a test environment.
>
> Do you have any idea where I can change the password. If that really is
> the problem.
>
> Thanks,
> Jim
>
> On 7/10/24 01:33, Pols, Maarten wrote:
>
> *** Caution: EXTERNAL Sender ***
>
> Dear Jim,
>
>
>
> I think you are right, first setup a SSL certificate, I’m also using the
> thredds docker image, together with a nginx proxy server.
>
>
>
> *M.J. (Maarten) Pols*
> *Producten en services*
> *Systeem- en applicatiebeheerder*
>
>
>
> Botter 11-29, 8232 JN Lelystad (tevens postadres)
> Berkenweg 7, Amersfoort | Informaticalaan 8, Delft
>
> Telefoon 0320 294292
> Internet *www.hkv.nl <http://www.hkv.nl/>*
>
>
>
> HKV, de kennisondernemer voor water en veiligheid
>
> *Van:* Jim Fluke <james.fluke@xxxxxxxxxxxxx> <james.fluke@xxxxxxxxxxxxx>
> *Verzonden:* Tuesday, 9 July 2024 19:45
> *Aan:* Pols, Maarten <M.Pols@xxxxxx> <M.Pols@xxxxxx>;
> thredds@xxxxxxxxxxxxxxxx
> *Onderwerp:* Re: [thredds] Authentication problems with the TDS and pydap
>
>
>
> ## Let op: deze mail is afkomstig van een externe afzender. Meer
> informatie over waarom dit belangrijk is
> <https://aka.ms/LearnAboutSenderIdentification>
>
>
>
> Pols,
>
> Thank you for your response!
>
> But, it still does not work. I think I probably need this, or something
> like it, but it's not enough.
>
> Now the web browser authentication fails with this message:
> Secure Connection Failed
>
> An error occurred during a connection to localhost. PR_END_OF_FILE_ERROR
>
> Error code: PR_END_OF_FILE_ERROR
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
>
> And the pydap authentication fails with this message:
> ssl.SSLEOFError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in
> violation of protocol (_ssl.c:1000)
>
> Which seems to indicate that I need to add an SSL certificate, which I
> have not done. Again, I am using the thredds-docker image, which does not
> have a certificate by default. And the port forwarding that it does might
> be an issue as well.
>
> I'll try the certificate, but other suggestions would be very welcome.
>
> Jim
>
> On 7/9/24 00:35, Pols, Maarten wrote:
>
> *** Caution: EXTERNAL Sender ***
>
> Dear Jim,
>
>
>
> This problem cost me months to cover. It was working in previous versions
> of thredds but after een upgrade it broke my python scripts.
>
> First of all, don’t upgrade to the latest numpy packages, it will break
> pydap, latest working version is 1.26.x
>
>
>
> Than to solve this issue, you need to change applicationContext.xml file,
> this file is in webapps -> thredds -> WEB-INF
>
> You need to change line 112 and 113:
>
>
>
> * <bean id="restrictedDatasetAuthorizer"
> class="thredds.servlet.restrict.TomcatAuthorizer">*
>
> * <property name="useSSL" value="false"/>*
>
> * <property name="sslPort" value="8443"/>*
>
> * </bean>*
>
>
>
> Into
>
>
>
> * <bean id="restrictedDatasetAuthorizer"
> class="thredds.servlet.restrict.TomcatAuthorizer">*
>
> * <property name="useSSL" value="true"/>*
>
> * <property name="sslPort" value="443"/>*
>
> * </bean>*
>
>
>
> This was solving the issue in my case, and I hope it will help you.
>
>
>
>
>
> *M.J. (Maarten) Pols Products and Services System and application
> administrator *
>
>
>
> Botter 11-29, 8232 JN Lelystad, The Netherlands (also postal address)
> Berkenweg 7, Amersfoort | Informaticalaan 8, Delft
>
> Telephone +31 (0)320 294292
> Internet *www.hkv.nl/en/ <http://www.hkv.nl/en/>*
>
>
>
> HKV, knowledge entrepreneurs in flood risk and water resources management
>
> *Van:* thredds <thredds-bounces@xxxxxxxxxxxxxxxx>
> <thredds-bounces@xxxxxxxxxxxxxxxx> *Namens *Jim Fluke
> *Verzonden:* Tuesday, 9 July 2024 00:04
> *Aan:* thredds@xxxxxxxxxxxxxxxx
> *Onderwerp:* [thredds] Authentication problems with the TDS and pydap
>
>
>
> ## Let op: deze mail is afkomstig van een externe afzender. Meer
> informatie over waarom dit belangrijk is
> <https://aka.ms/LearnAboutSenderIdentification>
>
>
>
>
> Hello,
>
> I'm now trying to get user authentication working with our thredds-docker
> based TDS. I'm pretty sure I have the configuration set up to enable
> authentication as described in the TDS manual's "Restrict Access To The
> TDS
> <https://docs.unidata.ucar.edu/tds/current/userguide/restict_access_to_tds.html#restrict-access-by-dataset-in-tds-catalogs>"
> page. And I have verified this by accessing the TDS from a browser and
> having the credentials entry pop-up window display and work correctly.
>
> But, I can't get the authentication to work in Python with pydap.
> According to the pydap documentation the credentials should be added to the
> URL this way:
>
> >>> from pydap.client import open_url
> >>> dataset = open_url('
> http://username:password@xxxxxxxxxxxxxxxxxx/path/to/dataset')
>
> But because Digested Passwords
> <https://docs.unidata.ucar.edu/tds/current/userguide/digested_passwords.html>
> are enabled for our TDS, it seems clear that I should use the digested
> password, so this is what I tried:
>
> >>> from pydap.client import open_url
> >>> dataset = open_url('
> http://fluke:d1ef3ce7e7c41de74192a362524ad0a460692a222d9dd796ee383b56e446d749
> $1$d03ce0f88475505a68bd0eb37fa570df8120e59ccf62a4f580a55ad612f695c0e385893fe7205f7c181b221ab49bc817d4a33a2b
>
> 2bb727fdc0ee3420e7e5b99e@localhost:7000/thredds/dodsC/cloudsat-data/2B-GEOPROF.P1_R05/2008/366/2008366031107_14239_CS_2B-GEOPROF_GRANULE_P1_R05_E02_F00.hdf
> ')
>
> But it does not work. Here is the output:
>
> @ ~/devRepos/thredds-dpc-gh-actual/tests$ docker-compose run --rm
> test_opendap
> url:
> http://fluke:d1ef3ce7e7c41de74192a362524ad0a460692a222d9dd796ee383b56e446d749$1$d03ce0f88475505a68bd0eb37fa570df8120e59ccf62a4f580a55ad612f695c0e385893fe7205f7c181b221ab49bc817d4a33a2b
>
> 2bb727fdc0ee3420e7e5b99e@localhost:7000/thredds/dodsC/cloudsat-data/2B-GEOPROF.P1_R05/2008/366/2008366031107_14239_CS_2B-GEOPROF_GRANULE_P1_R05_E02_F00.hdf
>
> Traceback (most recent call last):
> File "/app/opendap_pydap.py", line 8, in <module>
> dataset = open_url(url)
> ^^^^^^^^^^^^^
> File "/opt/conda/lib/python3.12/site-packages/pydap/client.py", line 68,
> in open_url
> handler = pydap.handlers.dap.DAPHandler(url, application, session,
> output_grid,
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> File "/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py",
> line 71, in __init__
> self.make_dataset()
> File "/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py",
> line 96, in make_dataset
> self.dataset_from_dap2()
> File "/opt/conda/lib/python3.12/site-packages/pydap/handlers/dap.py",
> line 109, in dataset_from_dap2
> pydap.net.raise_for_status(r)
> File "/opt/conda/lib/python3.12/site-packages/pydap/net.py", line 38, in
> raise_for_status
> raise HTTPError(
> webob.exc.HTTPError: 401 Unauthorized
> <!doctype html><html lang="en"><head><title>HTTP Status 401 –
> Unauthorized</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-co
> lor:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3
> {font-size:14px;} p {font-size:12px;} a {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><bod
> y><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The request has not been applied to
> the target resource because it lacks va
> lid authentication credentials for that resource.</p><hr class="line"
> /><h3>Apache Tomcat</h3></body></html>
>
> So, am I right to be using the digested password? Do you see anything else
> that could be wrong? Why does this work for the browser but not for pydap?
>
> I will add that the algorithm for the CredentialHandler is "sha-*512*" in
> the ~tomcat/conf/server.xml file inside the container, so that is why the
> digested password is an sha512 digest. And the clear text password is
> "flukeTmp". I'll be changing that for our production system.
>
> And, all of this - the TDS configuration and the test python script with
> the above URL - are now checked in to our thredds-dpc
> <https://github.com/JimFluke/thredds-dpc/tree/master> repository on
> GitHub so you can look at the details there.
>
> Any help would be greatly appreciated.
>
> Thanks,
> Jim
>
>
>
>
>
> _______________________________________________
> NOTE: All exchanges posted to Unidata maintained email lists are
> recorded in the Unidata inquiry tracking system and made publicly
> available through the web. Users who post to any of the lists we
> maintain are reminded to remove any personal information that they
> do not want to be made public.
>
>
> thredds mailing list
> thredds@xxxxxxxxxxxxxxxx
> For list information or to unsubscribe, visit:
> https://www.unidata.ucar.edu/mailing_lists/
>
