You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Sergiy Tkachuk <se...@gmail.com> on 2013/08/25 23:30:02 UTC

Can't not confirm untrusted certificate

Hello,

I am using TortoiseSVN 1.8.1, Build 24570 - 32 Bit , 2013/07/22 
18:28:29, Subversion 1.8.1, -release, apr 1.4.8, apr-util 1.5.2, serf 
1.3.0, OpenSSL 1.0.1e 11 Feb 2013, zlib 1.2.8

I created batch file and want to call it from Jenkins CI.

The command line follows:
svn update --trust-server-cert --non-interactive --username UserName 
--password Password FolderName

If I run it from cmd.exe it is ok.

But if I run it from Jankins, it fails with error:

svn: E230001: Unable to connect to a repository at URL 'https://server/path  <https://www.aim-inc-usa.net:8086/svn/dev/ExactWire/trunk/samples/SandboxCi>'
svn: E230001: Server SSL certificate untrusted

I found similar question at SO 
http://stackoverflow.com/questions/17177405/svn-server-ssl-certificate-untrusted-from-post-commit-hook 
, but there is no answer for it.

How can I fix the issue?

Thanks in advance,

-- 
Best wishes,
Sergiy Tkachuk

Re: Can't not confirm untrusted certificate

Posted by Sergiy Tkachuk <se...@gmail.com>.

On 26.08.2013 11:55, Ivan Zhakov wrote:
> On Mon, Aug 26, 2013 at 1:41 AM, Stefan Sperling <st...@elego.de> wrote:
>> On Mon, Aug 26, 2013 at 12:30:02AM +0300, Sergiy Tkachuk wrote:
>>> Hello,
>>>
>>> I am using TortoiseSVN 1.8.1, Build 24570 - 32 Bit , 2013/07/22
>>> 18:28:29, Subversion 1.8.1, -release, apr 1.4.8, apr-util 1.5.2,
>>> serf 1.3.0, OpenSSL 1.0.1e 11 Feb 2013, zlib 1.2.8
>>>
>>> I created batch file and want to call it from Jenkins CI.
>>>
>>> The command line follows:
>>> svn update --trust-server-cert --non-interactive --username UserName
>>> --password Password FolderName
>>>
>>> If I run it from cmd.exe it is ok.
>>>
>>> But if I run it from Jankins, it fails with error:
>>>
>>> svn: E230001: Unable to connect to a repository at URL 'https://server/path  <https://www.aim-inc-usa.net:8086/svn/dev/ExactWire/trunk/samples/SandboxCi>'
>>> svn: E230001: Server SSL certificate untrusted
>>>
>>> I found similar question at SO http://stackoverflow.com/questions/17177405/svn-server-ssl-certificate-untrusted-from-post-commit-hook
>>> , but there is no answer for it.
>>>
>>> How can I fix the issue?
>>>
>>> Thanks in advance,
>>>
>>> --
>>> Best wishes,
>>> Sergiy Tkachuk
>>>
>> The --trust-server-cert option only overrides errors where the hostname
>> does not match the CN given in the certificate. It does not override
>> other error cases, such as expired certificates. Unfortunately,
>> there is currently no way to ignore other error conditions.
>>
> There is a bug in Subversion 1.8.0-1.8.1 that hostname check is
> case-sensitive, while it should be case-insensitive. Subversion
> canonicalize request hostname to lowercase so you get CN mistmatch if
> you have uppercase letters in your server certificate. This problem
> should be fixed in upcoming Subversion 1.8.3:
> * ra_serf: ignore case when checking certificate common names (r1514763)
>
> Is it your case?
>

Hello,

I have managed to fix the issue.

The issue was because of CN mismatch to server name.
Finally certificate with correct CN re-issued, nothing else helped.

I described more details at http://stackoverflow.com/a/18461594/13441

Thanks,
Sergiy

Re: Can't not confirm untrusted certificate

Posted by Ivan Zhakov <iv...@visualsvn.com>.

On Mon, Aug 26, 2013 at 1:41 AM, Stefan Sperling <st...@elego.de> wrote:
> On Mon, Aug 26, 2013 at 12:30:02AM +0300, Sergiy Tkachuk wrote:
>> Hello,
>>
>> I am using TortoiseSVN 1.8.1, Build 24570 - 32 Bit , 2013/07/22
>> 18:28:29, Subversion 1.8.1, -release, apr 1.4.8, apr-util 1.5.2,
>> serf 1.3.0, OpenSSL 1.0.1e 11 Feb 2013, zlib 1.2.8
>>
>> I created batch file and want to call it from Jenkins CI.
>>
>> The command line follows:
>> svn update --trust-server-cert --non-interactive --username UserName
>> --password Password FolderName
>>
>> If I run it from cmd.exe it is ok.
>>
>> But if I run it from Jankins, it fails with error:
>>
>> svn: E230001: Unable to connect to a repository at URL 'https://server/path  <https://www.aim-inc-usa.net:8086/svn/dev/ExactWire/trunk/samples/SandboxCi>'
>> svn: E230001: Server SSL certificate untrusted
>>
>> I found similar question at SO http://stackoverflow.com/questions/17177405/svn-server-ssl-certificate-untrusted-from-post-commit-hook
>> , but there is no answer for it.
>>
>> How can I fix the issue?
>>
>> Thanks in advance,
>>
>> --
>> Best wishes,
>> Sergiy Tkachuk
>>
>
> The --trust-server-cert option only overrides errors where the hostname
> does not match the CN given in the certificate. It does not override
> other error cases, such as expired certificates. Unfortunately,
> there is currently no way to ignore other error conditions.
>
There is a bug in Subversion 1.8.0-1.8.1 that hostname check is
case-sensitive, while it should be case-insensitive. Subversion
canonicalize request hostname to lowercase so you get CN mistmatch if
you have uppercase letters in your server certificate. This problem
should be fixed in upcoming Subversion 1.8.3:
* ra_serf: ignore case when checking certificate common names (r1514763)

Is it your case?

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com

Re: Can't not confirm untrusted certificate

Posted by Stefan Sperling <st...@elego.de>.

On Mon, Aug 26, 2013 at 12:30:02AM +0300, Sergiy Tkachuk wrote:
> Hello,
> 
> I am using TortoiseSVN 1.8.1, Build 24570 - 32 Bit , 2013/07/22
> 18:28:29, Subversion 1.8.1, -release, apr 1.4.8, apr-util 1.5.2,
> serf 1.3.0, OpenSSL 1.0.1e 11 Feb 2013, zlib 1.2.8
> 
> I created batch file and want to call it from Jenkins CI.
> 
> The command line follows:
> svn update --trust-server-cert --non-interactive --username UserName
> --password Password FolderName
> 
> If I run it from cmd.exe it is ok.
> 
> But if I run it from Jankins, it fails with error:
> 
> svn: E230001: Unable to connect to a repository at URL 'https://server/path  <https://www.aim-inc-usa.net:8086/svn/dev/ExactWire/trunk/samples/SandboxCi>'
> svn: E230001: Server SSL certificate untrusted
> 
> I found similar question at SO http://stackoverflow.com/questions/17177405/svn-server-ssl-certificate-untrusted-from-post-commit-hook
> , but there is no answer for it.
> 
> How can I fix the issue?
> 
> Thanks in advance,
> 
> -- 
> Best wishes,
> Sergiy Tkachuk
> 

The --trust-server-cert option only overrides errors where the hostname
does not match the CN given in the certificate. It does not override
other error cases, such as expired certificates. Unfortunately,
there is currently no way to ignore other error conditions.

I consider this is a bug. Subversion should allow for tolerating
other SSL errors, too. But so far no fix has been implemented.
So for now, you might need to ask the admins of the service to fix
their cert.