Adding a WFS layer to Geo-referenced analysis

Question

Hi.

I would like to add a WFS layer to a Geo-reference analysis, but no matter wchich WFS I use I still get the same error message:

Error while attempt to load targetlayer

Impossible to load features from layer [Torino 1]. Check the file syntax

 Here are the steps I made:

1. CATALOGS/Layers/New layer (+ sign): Category=Default Layer Category; Label, Name, Layer description, Layer label, Layer name=Torino 1, Layer_id=Torino_1, Layer order=16, Base Layer checked, Layer Type=WFS, Uri=https://gisserver.territorio.csi.it/geoserver/decsiraogc_areeprotezione_pta/wfs
2. In Documents browser I created new Document of Map type and Gis Engine as Engine. From that place I opened designer, added previously created layer called Torino 1, clicked Save and when I clicked on EDIT MAP my layer didn't load and the error appeared. 

 

I receive this error with every WFS I try to upload, Torino 1 is just an example. If you are curious I took it from this site:

https://www.geoportale.piemonte.it/geonetwork/srv/ita/catalog.search#/search?facet.q=type%2Fservice-download&resultType=details&sortBy=title&sortOrder=reverse&fast=index&_content_type=json&from=1&to=20

Could you help me with this problem? I just need to know what I have to do to upload a WFS just like the one above to Geo-reference analysis. Do you face with similar error?

Comments

Hi dwysocki,

could you check for errors in the logs? I would look for errors in knowage.log and in knowageGeoReporEngine.log in the logs directory of Tomcat.

In the meantime I'm trying to replicate your case in our test environments.

---

Hi mlibanor,

Thanks for you attention. There isn't any record in knowage.log related to this issue. In knowageGeoReportEngine.log I received following message (trimmed to fit in one message):

01 cze 2022 09:01:10,526 ERROR it.eng.spagobi.engines.georeport.api.restfull.geoUtils.targetLayerAction:156 - Impossible to load features from layer [Torino 1]. Check the file syntax.

it.eng.spagobi.utilities.exceptions.SpagoBIRuntimeException: An unexpected error occured while executing service call [https://gisserver.territorio.csi.it/geoserver/decsiraogc_areeprotezione_pta/wfs?service=WFS&version=1.0.0&request=getCapabilities]

at it.eng.spagobi.georeport.dao.FeaturesProviderDAOWFSImpl.getAllFeatures(FeaturesProviderDAOWFSImpl.java:118)

at it.eng.spagobi.engines.georeport.api.restfull.geoUtils.targetLayerAction(geoUtils.java:149)

at it.eng.spagobi.engines.georeport.api.restfull.GeoResource.getTargetLayer(GeoResource.java:142)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)

at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)

at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)

at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)

[...]

at java.lang.Thread.run(Thread.java:748)

Caused by: it.eng.spagobi.utilities.exceptions.SpagoBIRuntimeException: An unexpected error occured while executing service call [https://gisserver.territorio.csi.it/geoserver/decsiraogc_areeprotezione_pta/wfs?service=WFS&version=1.0.0&request=getCapabilities]

at it.eng.spagobi.georeport.dao.FeaturesProviderDAOWFSImpl.getFeatures(FeaturesProviderDAOWFSImpl.java:159)

at it.eng.spagobi.georeport.dao.FeaturesProviderDAOWFSImpl.getAllFeatures(FeaturesProviderDAOWFSImpl.java:116)

... 66 more

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)

at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)

at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)

at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1484)

at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1482)

at java.security.AccessController.doPrivileged(Native Method)

at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1481)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)

at it.eng.spagobi.georeport.dao.FeaturesProviderDAOWFSImpl.getFeatures(FeaturesProviderDAOWFSImpl.java:144)

... 67 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

at sun.security.validator.Validator.validate(Validator.java:262)

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)

... 85 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)

at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)

... 91 more

I also tried with GetFeature instead of GetCapabilities in WFS URI to select only one layer and the effect was the same. With other WFS layers sometimes I receive this in knowageGeoReportEngine.log:

Caused by: java.lang.RuntimeException: Unexpected character (<) at position 0.

Which is something confusing for me because all of this layers can be easily imported to programs like QGIS without any problems. 

Answer 1

This is a very interesting case.

The log is very clear but I have only one very technical answer for this: the SSL certificate of the WFS server doesn't match any CA (certification authority) certificate on your system.

I don't know much about your system but if it's Linux-based you could try to replicate the problem in a very simple way using a command line shell and the curl app. For example on our test environment I see:

$ curl https://gisserver.territorio.csi.it/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

That means that your system doens't know nothing about the CA which released the WFS server certificate. I think you need to install the CA certificate of the authority which verify the WFS server.

If you use a browser you can navigate to: https://gisserver.territorio.csi.it/

In Chrome, for example, at the beginning of the address bar, you could see a lock icon, clicking on that you can see the WFS certificate: the signer is Actalis (https://www.actalis.com/it/home.aspx); I think on its site you can find the CA certificate to install on your system, that will solve your problem.

As a workaround you could probably install the SSL certificate of the WFS server directly but in that case you need to look for the specific instruction of your system.

Comments

Thanks, I will definitely check this out.

Could you please help me with another problem related to WFS layers? Cause as I have written earlier I am not able to add any WFS layer to my Geo-reference analysis. Do you know about any publicly available WFS that has been tested by you or your team and can be loaded to a Geo-reference analysis without any problems? I just need an example and I would like to study its structure and compare it to WFS with which I am struggling.