
Hello all,

At a client I often fail to connect to their ESRI Portal, due to failing to verify SSL (see logging below) on both FME Server and desktop.

Proxy settings in FME don't change the behaviour (it always uses the proxy). The Chrome browser thinks the certificate is OK.


I can't disable SSL verification in the Portal Reader, as suggested in the log, like it is possible to do in the HTTPCaller (see my idea for that).


Inspired by this reported problem I exported the certificate from Chrome and imported it into $FME_HOME\jre\lib\security\cacerts on desktop (analogous to these instructions for server, section ".pfx certificate", as the problematic server has a .pfx certificate).

This did not resolve the problem...

Does anyone have any suggestions?


Kind regards,

Martin

ArcGIS Portal Feature Service Reader: Using proxy http://proxy.####.intern:8080/
ArcGIS Portal Feature Service Reader: Using authentication type 'NTLM'
ArcGIS Portal Feature Service Reader: Logging into 'https://geoportaal.####.intern/portal/' as user '####\####'
ArcGIS Portal Feature Service Reader: Using proxy http://proxy.####.intern:8080/
ArcGIS Portal Feature Service Reader: SSL certificate verification failed for host 'geoportaal.####.intern'. HTTPS connections may not be secure. Disabling verification of SSL certificates. Message: HTTPSConnectionPool(host='geoportaal.####.intern', port=443): Max retries exceeded with url: /portal/sharing/rest/generateToken (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
ArcGIS Portal Feature Service Reader: The server at 'https://geoportaal.####.intern/portal/sharing/rest/generateToken' does not appear to be an ArcGIS Portal instance. Verify that the host is a valid ArcGIS Portal


Hi @martinkoch,

I ran into a similar problem. Our HTTPCaller crashed with the message that a certificate was not valid ('SSL peer certificate or SSH remote key was not OK'). Strangely enough, a FeatureReader, which read the same URL via https, delivered the data without further ado.

The HTTPCaller has an option to skip the certificate check. From a security perspective, ignoring certificates is not desirable, although it can still be useful in practice.

In that case, one would expect a similar option on the FeatureReader, which also retrieves data via https. I checked that, but it is missing (also in FME 2024). That is not very consistent. @david_r?

PS: The link to your idea about the verify option is broken.


@martinkoch 

If the PortalReader is Python based (it is), we could alternatively try certifi's cacert.pem file.
My understanding is that Safe-created formats and transformers based on Python will typically use the system trust store. So have you imported the certificate into the system's trusted root certificates?

If you have, and it still fails with the same error, let's try the Python certifi PEM location. I wouldn't expect this to be the case, but it is worth a shot.

C:\Program Files\FME\python\certifi\cacert.pem

For the record, some Python-based transformers do make use of certifi, and this is not well known. There is work in progress to make this all better.
NOTE: The Java JRE cacerts file won't work in this case, but if you were using a JDBC format that's where you'd go.


Hi @steveatsafe, we have a similar issue here with the Portal Reader. Our Portal is on premise (intranet), so it is using a domain-controlled root CA, and I'm guessing the issue is that cacert.pem only holds public root CAs. How can we get the Portal reader to trust our intranet domain root CA? Issue on 2024.1. Am I correct that the Portal reader is looking at cacert.pem and not the certs on the OS of our server?
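The following script is an added example for the two questions above (which bundle a Python-based reader consults, and how to get an intranet root CA into it); it is not code from this thread, from Safe Software or from FME. It uses only the Python standard library: it lists the places a requests-based client would look for trusted CAs (the REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE / SSL_CERT_FILE overrides, certifi's cacert.pem if certifi is importable, and OpenSSL's default file), prints the SHA-256 fingerprint of every certificate in a bundle so you can compare it with the fingerprint Chrome shows for the intranet root CA, appends an exported PEM root CA to a bundle exactly once, and performs a verifying handshake against a host using only that bundle (the same check that produces "unable to get local issuer certificate" when the chain cannot be completed). Assumptions: the bundle path is the one named earlier in the thread, the host name is a placeholder, the two PEM blocks used by the offline self-check are constructed placeholders and not real certificates, and whether the Portal reader honours the REQUESTS_CA_BUNDLE variable is not confirmed by this thread.

```python
"""Check and repair the CA bundle used by a Python/requests-based FME reader.

Added example, not FME code. Stdlib only, so it runs with FME's own python.exe.
"""
import base64
import hashlib
import os
import re
import socket
import ssl
import tempfile
from pathlib import Path

# Bundle named earlier in the thread (assumption: matches your FME install).
FME_BUNDLE = r"C:\Program Files\FME\python\certifi\cacert.pem"
PORTAL_HOST = "geoportaal.example.intern"  # placeholder host name

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> list:
    """SHA-256 fingerprint (colon-separated hex, as Chrome displays it) of every
    CERTIFICATE block in pem_text. Only the base64 body is decoded; the DER is
    not parsed, so comments between blocks (as in certifi's file) are ignored."""
    out = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        hexd = hashlib.sha256(der).hexdigest().upper()
        out.append(":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2)))
    return out


def candidate_bundles() -> list:
    """(label, path) pairs a requests-based client may use, in the order
    requests consults them: environment overrides, certifi, OpenSSL default.
    certifi is imported lazily so this also runs where it is not installed."""
    paths = []
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE"):
        if os.environ.get(var):
            paths.append((var, os.environ[var]))
    try:
        import certifi  # third-party; present in FME's bundled Python per the thread
        paths.append(("certifi", certifi.where()))
    except ImportError:
        pass
    default = ssl.get_default_verify_paths().cafile
    if default:
        paths.append(("openssl default", default))
    return paths


def bundle_has_cert(bundle_path, ca_pem: str) -> bool:
    """True if every certificate in ca_pem is already in the bundle (by fingerprint)."""
    wanted = set(pem_fingerprints(ca_pem))
    if not wanted:
        raise ValueError("ca_pem contains no CERTIFICATE block (export as Base-64/PEM, not DER or .pfx)")
    present = set(pem_fingerprints(Path(bundle_path).read_text(encoding="utf-8")))
    return wanted <= present


def append_ca(bundle_path, ca_pem: str) -> bool:
    """Append ca_pem to the bundle unless it is already there. Returns True if
    the file was modified. Back the bundle up first; upgrades replace it."""
    if bundle_has_cert(bundle_path, ca_pem):
        return False
    with open(bundle_path, "a", encoding="utf-8") as fh:
        fh.write("\n" + ca_pem.strip() + "\n")
    return True


def check_host(host: str, cafile: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS handshake using only cafile as trust anchor, like a verifying client.
    Returns 'ok' or the OpenSSL verification message (network access required)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile given: defaults are NOT loaded
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message or str(exc)
    except OSError as exc:
        return f"connection failed: {exc}"


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in a PEM CERTIFICATE block. For the offline
    self-check only: the result is NOT a real X.509 certificate."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for a public root already in the bundle
# and the intranet domain root CA that is missing from it.
PUBLIC_ROOT_PEM = constructed_pem(b"constructed placeholder: public root, not a certificate")
INTRANET_ROOT_PEM = constructed_pem(b"constructed placeholder: intranet root, not a certificate")


def demo_roundtrip() -> dict:
    """Offline self-check on a throwaway bundle: missing -> appended once -> present."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "cacert.pem")
        Path(bundle).write_text("# Issuer: constructed\n" + PUBLIC_ROOT_PEM, encoding="utf-8")
        before = bundle_has_cert(bundle, INTRANET_ROOT_PEM)
        first = append_ca(bundle, INTRANET_ROOT_PEM)
        second = append_ca(bundle, INTRANET_ROOT_PEM)
        after = bundle_has_cert(bundle, INTRANET_ROOT_PEM)
        count = len(pem_fingerprints(Path(bundle).read_text(encoding="utf-8")))
    return {"before": before, "first_append": first, "second_append": second,
            "after": after, "count": count}


if __name__ == "__main__":
    for label, path in candidate_bundles():
        print(f"{label}: {path}")
    print(demo_roundtrip())
    # Real use, once the exported root CA is in a PEM file:
    # append_ca(FME_BUNDLE, Path("intranet-root.pem").read_text())
    # print(check_host(PORTAL_HOST, FME_BUNDLE))
```

Two caveats for the real run: the certificate you export from Chrome must be the root CA (plus any intermediates the Portal server does not send itself) in Base-64 encoded X.509 (PEM) form, not DER or the server's .pfx, or the file will contain no CERTIFICATE block; and cacert.pem is part of the FME installation, so keep the exported PEM and re-run the append after an FME upgrade or check it with bundle_has_cert.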

