Cannot get schema from https://schemas.wmo.int/iwxxm/3.0/iwxxm.xsd #216
Comments
@mgoberfield, do you need a solution? or is this additional info for community?
Hello Dmitry,
Thank you for your kindly offered assistance, but no, I just wanted to
provide more details to the problem.
V/R,
mark
On Wed, Apr 15, 2020 at 9:58 AM Dmitry Moryakov ***@***.***> wrote:
> @mgoberfield <https://github.com/mgoberfield>, do you need a solution? or
> this is additional info for community?
> I can try to provide you with a solution using keytool.
> It seems to me that ssl-chain should be added to trusted store for java on
> your local machine.
I would also like to invite @amilan17 to take a look at this issue. It seems that OxygenXML has a problem accessing schemas.wmo.int through HTTPS as it cannot complete verification of the certificate chain (see Mark O's post). Not a big deal at the moment but as we move on to more extensive use of secure sites this could become a significant problem.
I am copying a related discussion in Google group for information:

Hi Luc,

When I Google the error message "White spaces are required between publicId and systemI" I found hints that may be causing the problem: openpreserve/jhove#227 (comment)

In fact, when I try to access the AIXM_WX XSD, the web server did show similar response:

So it seems to me that SAX is not able to follow the redirected link (from HTTP to HTTPS) to get the XSD as indicated in the post. Looking at what had been mentioned in https://stackoverflow.com/questions/1884230/httpurlconnection-doesnt-follow-redirect-from-http-to-https when we publish XSDs on web servers we should make one set for HTTP and another one for HTTPS, without using redirection. I think this also relates to issue #216 at #216

Regards,

On Sat, Apr 10, 2021 at 1:26 AM Luc Pelletier lucgapel@gmail.com wrote:
With XML Spy I can load and validate https://schemas.wmo.int/iwxxm/3.0/examples/sigmet-A6-1b-CNL.xml both when loaded using http and https schema. What is more, I was able to validate both files no matter whether I used the https or http schema to load the https://schemas.wmo.int/iwxxm/3.0/iwxxm.xsd from the WMO server (schemaLocation). The WMO webserver providing the schemas does not do any redirect from http to https. There may be internal inconsistencies in using http and https in absolute links between the schema files on the level of the XSD. I believe this issue has something to do with OxygenXML. If you have bought the software, could you perhaps ask the support?
Thanks @kurt-hectic I confirm I can also download from https://schemas.wmo.int with XMLSpy.

Checking again the discussions on Internet, it seems to me that it is a general problem for Java applications like OxygenXML and CRUX; all these Java applications are using the default Java CA Cert keystore which does not have many CA Certs there. Interestingly, Atlassian has a detailed description of the issue here and solution here. It mentioned the use of a program Portecle to get CA Certs from web sites involved and add to the local Java CA Cert keystore. I use it to change my keystore located at C:\Program Files\Oxygen XML Developer 17\jre\lib\security\cacerts (password: changeit). By introducing the cert of the root CA to the keystore (remember to change the file permission of cacerts so that you can save; you will also need to restart your application since the keystore will only be read once during startup):

I have no problem using OxygenXML to read files on https://schemas.wmo.int. I haven't tried this with CRUX, but am quite confident the same arrangement should fix the issue.

I also noticed that the certificate for schemas.wmo.int has changed recently, and it was issued by a new CA. This means that for Java applications in order to use SSL to access schemas.wmo.int they will need to beware of possible missing CA cert, which in my personal opinion is not attractive enough to persuade people to move from HTTP to HTTPS. Just my two cents.

Maybe @efucile or @amilan17 can shed some light on the necessity (e.g. policy) to move from HTTP to more secure HTTPS (in terms of authenticity, not information leakage, I believe) in accessing WMO materials?
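The keystore change described in the comment above, done with keytool (the tool mentioned earlier in the thread) instead of Portecle. This is an added example, not part of any comment here; it assumes keytool.exe is present in the bundled JRE, and the certificate file name and alias are hypothetical.

```powershell
# Added example; not code from this thread. Assumptions: keytool.exe is present in
# the bundled JRE's bin folder, and root-ca.cer (hypothetical name) is the issuing
# CA's root certificate downloaded from the CA's own published repository.
$jre     = 'C:\Program Files\Oxygen XML Developer 17\jre'
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'
$rootCer = '.\root-ca.cer'            # hypothetical file name
$alias   = 'schemas-wmo-root-ca'      # hypothetical alias
$pass    = 'changeit'                 # keystore password quoted in the comment
$backup  = Join-Path $env:USERPROFILE 'cacerts.oxygen17.bak'

foreach ($p in $keytool, $cacerts, $rootCer) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

# 1. Diagnostic only: show the subject, issuer and fingerprints the server presents.
& $keytool -printcert -sslserver schemas.wmo.int:443

# 2. Print the downloaded root's fingerprints. Compare them with the values the CA
#    publishes before going further; a certificate taken only from the handshake
#    proves nothing about who is on the other end.
& $keytool -printcert -file $rootCer

# 3. Stop if the alias is already taken, so an existing entry is never replaced.
& $keytool -list -alias $alias -keystore $cacerts -storepass $pass | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$alias' already exists in $cacerts" }

# 4. Keep a copy of the untouched keystore, without overwriting an earlier backup.
if (Test-Path -LiteralPath $backup) { throw "Backup already exists: $backup" }
Copy-Item -LiteralPath $cacerts -Destination $backup

# 5. Import as a trusted CA. -noprompt is left out on purpose: keytool displays the
#    certificate and asks for confirmation. Needs write access to cacerts.
& $keytool -importcert -trustcacerts -alias $alias -file $rootCer `
           -keystore $cacerts -storepass $pass
if ($LASTEXITCODE -ne 0) { throw "Import failed; restore $backup if cacerts changed" }

# 6. Confirm the entry, then restart the application so it rereads the keystore.
& $keytool -list -alias $alias -keystore $cacerts -storepass $pass
```

Importing the CA's root rather than the server's own certificate keeps the trust valid when the site certificate is renewed under the same CA; a move to a different CA, as the comment observes, means repeating the check.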
Next steps
@wmo-im/tt-avdata is this still a problem or can we close the issue?
This was raised in PR #215. It was noticed that oXygenXML Editor can only successfully get the schema when it was configured to ignore invalid certificates (see #215 (comment)).
However, I have no problem accessing iwxxm.xsd over HTTPS with my Firefox browser, and the lock icon said it was verified by GoDaddy.com:
I have no idea what had happened. Maybe WMO IT guys could give us some clue?