Posted to users@subversion.apache.org by Daniel Shahaf <d....@daniel.shahaf.name> on 2013/04/11 22:00:08 UTC

Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> Hi,
> 
> I have been trying for some hours to use the ruby subversion binding to 
> do a repository checkout. Unfortunately, the server certificate is not 
> accepted: 
> 
> $ /.../script.rb
> /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3':  (Svn::Error::RaDavRequestFailed)
> Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
>         from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
>         from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
>         from /.../script.rb:22:in `<main>'
> 
> Using the SVN client from command line I never faced any certificate 
> issues (as far as I know the certificate is perfectly valid). However, I 
> started looking for a way to make the ruby script accept the 
> certificate. To my knowledge there is no documentation for the ruby
> binding, so I looked into the ruby files of the ruby binding and into 
> the documentation of the C binding but I could not find a solution. 
> 

Look at svn_cmdline_create_auth_baton().  You need to pass
trust_server_cert=TRUE (in C terms) or implement a prompt provider that
answers affirmatively.

(or reconfigure your SSL library to trust that certificate by default,
in a level below Subversion)

> The script (see below) is taken from the best piece of documentation I 
> could find on the web:
> 
> http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/
> 
> Does anyone know how to deal with this problem?
> 
> Kind regards
> Christian
> 
> PS: Please put me into CC as I am not subscribed to the list. Thanks!
> 
> My ruby script: 
> ------------------------------------------------------------------------
> #!/usr/bin/env ruby
> 
> # Required packages
> require "svn/core"
> require "svn/ext/core"
> require "svn/client"
> require "svn/wc"
> require "svn/repos"
> 
> config_username = '...'
> config_password = '...'
> config_repository_url = '...'
> config_output_path = '...'
> config_revision = 1
> 
> ctx = Svn::Client::Context.new()
> ctx.add_simple_provider
> ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> 
> begin
> 	ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> 	raise "no such revision " + config_revision.to_s + " at " + config_repository_url
> end
> ------------------------------------------------------------------------

Re: Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Christian Plewnia wrote on Fri, Apr 12, 2013 at 11:41:34 +0200:
> Hi,
> 
> thank you for your reply.
> 
> > Daniel Shahaf wrote on Thu, Apr 11, 2013 at 23:00:08 +0300:
> > > Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> > > > Hi,
> > > > 
> > > > I have been trying for some hours to use the ruby subversion binding to 
> > > > do a repository checkout. Unfortunately, the server certificate is not 
> > > > accepted: 
> > > > 
> > > > $ /.../script.rb
> > > > /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3':  (Svn::Error::RaDavRequestFailed)
> > > > Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
> > > >         from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
> > > >         from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
> > > >         from /.../script.rb:22:in `<main>'
> > > > 
> > > > Using the SVN client from command line I never faced any certificate 
> > > > issues (as far as I know the certificate is perfectly valid). However, I 
> > > > started looking for a way to make the ruby script accept the 
> > > > certificate. To my knowledge there is no documentation for the ruby
> > > > binding, so I looked into the ruby files of the ruby binding and into 
> > > > the documentation of the C binding but I could not find a solution. 
> > > > 
> > > 
> > > Look at svn_cmdline_create_auth_baton().  You need to pass
> > > trust_server_cert=TRUE (in C terms) or implement a prompt provider that
> > > answers affirmatively.
> > > 
> > > (or reconfigure your SSL library to trust that certificate by default,
> > > in a level below Subversion)
> > > 
> > > > The script (see below) is taken from the best piece of documentation I 
> > > > could find on the web:
> > > > 
> > > > http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/
> > ...
> > > > ctx = Svn::Client::Context.new()
> > > > ctx.add_simple_provider
> > > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> > > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> > > > 
> > 
> > I haven't seen this script in your previous example.  The issue here is
> > that the "simple provider" only answers username/password prompts; you
> > need a separate provider that answers SSL server certificate prompts.
> 
> I looked into the other providers. The Authenticatable module in the 
> Ruby binding provides the following methods: 
> 
> add_simple_provider
> add_username_provider
> add_ssl_client_cert_file_provider
> add_ssl_client_cert_pw_file_provider
> add_ssl_server_trust_file_provider
> add_simple_prompt_provider
> add_username_prompt_provider
> add_ssl_server_trust_prompt_provider
> add_ssl_client_cert_prompt_provider
> add_ssl_client_cert_pw_prompt_provider
> add_platform_specific_client_providers
> 
> I thought the add_ssl_server_trust_prompt_provider() might be right for 
> solving my issue. However, this just lets me manipulate an 

Agreed.

> AuthCredSSLServerTrust object which I think maps to the C struct 
> svn_auth_cred_ssl_server_trust_t, which does not let me set something 
> like trust_server_cert in svn_cmdline_create_auth_baton(). 
> 
> So my problem is that I cannot find out how 
> svn_cmdline_create_auth_baton() is mapped in the Ruby binding. 
> 

I don't know.  If it isn't mapped, you could send a patch that adds the
mapping (http://subversion.apache.org/patches) or construct an
auth_baton yourself and use that in your client context object.

> > > > begin
> > > > 	ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> > > > rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> > > > 	raise "no such revision " + config_revision.to_s + " at " + config_repository_url
> > > > end
> > > > ------------------------------------------------------------------------
> > 
> 
> Kind regards
> Christian

Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Joe Swatosh <jo...@gmail.com>.
On Fri, Apr 12, 2013 at 6:27 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Christian Plewnia wrote on Fri, Apr 12, 2013 at 15:22:52 +0200:
>> For a start I will let Ruby execute the SVN commands on the shell, which
>> is not nice but so far works for me. However, if I find some time I
>> would like to look into extending the mapping. Am I right, that SWIG is
>> used to generate the bindings and everything related to the binding can
>> be found in
>> http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/?
>>
>> If I find the time and get some results I will of course let you know.
>
> If you have any questions about implementing the change, feel free to
> ask on #svn-dev (on Freenode) or on the dev@ list.  The list is probably
> better in this case since we don't have many swig/rb experts.
>
> Daniel


I don't have nearly the time I'd like (or used to have) to work on the
bindings, so if you have improvements please submit patches (bug
fixes, docs, improved test coverage, updating existing methods to use
non-deprecated APIs, all welcome) to the dev list.

--
Joe

Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Christian Plewnia wrote on Fri, Apr 12, 2013 at 15:22:52 +0200:
> For a start I will let Ruby execute the SVN commands on the shell, which 
> is not nice but so far works for me. However, if I find some time I 
> would like to look into extending the mapping. Am I right, that SWIG is 
> used to generate the bindings and everything related to the binding can 
> be found in 
> http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/? 
> 
> If I find the time and get some results I will of course let you know. 

If you have any questions about implementing the change, feel free to
ask on #svn-dev (on Freenode) or on the dev@ list.  The list is probably
better in this case since we don't have many swig/rb experts.

Daniel

Re: Aw: Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 04/12/2013 08:31 AM, C. Michael Pilato wrote:
> On 04/12/2013 05:41 AM, Christian Plewnia wrote:
>> So my problem is that I cannot find out how 
>> svn_cmdline_create_auth_baton() is mapped in the Ruby binding. 
> 
> It's not mapped.  I wish it was, and may spend some time on that soon,
> because I need that function for the Python bindings.

Huh.  Turned out not to be that difficult.  (Translation:  "I'm an idiot and
should have done this yeeeeeeeears ago.")

http://svn.apache.org/r1467302

I tested this with Python only, but I have no reason to believe that it
won't work with Ruby and Perl, too.  (Please do test it, though, if you can!)

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development


Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 04/12/2013 09:22 AM, Christian Plewnia wrote:
> Am I right, that SWIG is
> used to generate the bindings and everything related to the binding can 
> be found in 
> http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/? 

You are correct.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development


Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Christian Plewnia <ch...@gmx.de>.
Hi,

> On 04/12/2013 05:41 AM, Christian Plewnia wrote:
> > So my problem is that I cannot find out how 
> > svn_cmdline_create_auth_baton() is mapped in the Ruby binding. 
> 
> It's not mapped.  I wish it was, and may spend some time on that soon,
> because I need that function for the Python bindings.

Thanks for the information. 

> -- 
> C. Michael Pilato <cm...@collab.net>
> CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development

For a start I will let Ruby execute the SVN commands on the shell, which 
is not nice but so far works for me. However, if I find some time I 
would like to look into extending the mapping. Am I right, that SWIG is 
used to generate the bindings and everything related to the binding can 
be found in 
http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/? 

If I find the time and get some results I will of course let you know. 

Kind regards
Christian 
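
Added example (not from the thread or the Subversion project): for the shell-out approach described above, one way to keep certificate verification on is to give `svn` the issuing CA through the `ssl-authority-files` option of the `servers` configuration instead of passing `--trust-server-cert`. The helper names `svn_checkout_argv` and `svn_checkout` and the CA file path are hypothetical.

```ruby
require "open3"
require "uri"

# Hypothetical helper (not part of the Subversion bindings): builds the argv
# for `svn checkout` so that the server certificate is still verified, but
# against an explicitly supplied CA file.
def svn_checkout_argv(url, dest, revision, ca_file)
  # Refuse plain http and anything that is not an absolute https URL; this
  # also stops a value such as "--config-dir=..." being read as an option.
  unless URI.parse(url).is_a?(URI::HTTPS)
    raise ArgumentError, "https URL required: #{url.inspect}"
  end
  raise ArgumentError, "destination looks like an option" if dest.start_with?("-")
  ca_path = File.expand_path(ca_file)
  # ssl-authority-files is a ';'-separated list, so one path must not contain ';'.
  raise ArgumentError, "';' not allowed in CA path" if ca_path.include?(";")
  raise ArgumentError, "CA file not readable: #{ca_path}" unless File.readable?(ca_path)
  rev = Integer(revision) # raises ArgumentError on anything but a number
  raise ArgumentError, "negative revision" if rev < 0

  [
    "svn", "checkout",
    "--non-interactive", # never fall back to an interactive trust prompt
    # Deliberately no --trust-server-cert: an unknown issuer stays fatal
    # unless that issuer is in the PEM file named here.
    "--config-option", "servers:global:ssl-authority-files=#{ca_path}",
    "-r", rev.to_s,
    url, dest
  ]
end

def svn_checkout(url, dest, revision, ca_file)
  # Array form of capture3: no shell is involved, so the URL and paths are
  # passed to svn as single arguments and never re-parsed.
  out, err, status = Open3.capture3(*svn_checkout_argv(url, dest, revision, ca_file))
  raise "svn checkout failed: #{err.strip}" unless status.success?
  out
end
```

With this setup an "issuer is not trusted" failure means the CA file does not contain the server's issuer, which is the condition to investigate rather than override.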

Re: Aw: Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 04/12/2013 05:41 AM, Christian Plewnia wrote:
> So my problem is that I cannot find out how 
> svn_cmdline_create_auth_baton() is mapped in the Ruby binding. 

It's not mapped.  I wish it was, and may spend some time on that soon,
because I need that function for the Python bindings.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development


Aw: Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Christian Plewnia <ch...@gmx.de>.
Hi,

thank you for your reply.

> Daniel Shahaf wrote on Thu, Apr 11, 2013 at 23:00:08 +0300:
> > Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> > > Hi,
> > > 
> > > I have been trying for some hours to use the ruby subversion binding to 
> > > do a repository checkout. Unfortunately, the server certificate is not 
> > > accepted: 
> > > 
> > > $ /.../script.rb
> > > /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3':  (Svn::Error::RaDavRequestFailed)
> > > Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
> > >         from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
> > >         from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
> > >         from /.../script.rb:22:in `<main>'
> > > 
> > > Using the SVN client from command line I never faced any certificate 
> > > issues (as far as I know the certificate is perfectly valid). However, I 
> > > started looking for a way to make the ruby script accept the 
> > > certificate. To my knowledge there is no documentation for the ruby
> > > binding, so I looked into the ruby files of the ruby binding and into 
> > > the documentation of the C binding but I could not find a solution. 
> > > 
> > 
> > Look at svn_cmdline_create_auth_baton().  You need to pass
> > trust_server_cert=TRUE (in C terms) or implement a prompt provider that
> > answers affirmatively.
> > 
> > (or reconfigure your SSL library to trust that certificate by default,
> > in a level below Subversion)
> > 
> > > The script (see below) is taken from the best piece of documentation I 
> > > could find on the web:
> > > 
> > > http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/
> ...
> > > ctx = Svn::Client::Context.new()
> > > ctx.add_simple_provider
> > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> > > 
> 
> I haven't seen this script in your previous example.  The issue here is
> that the "simple provider" only answers username/password prompts; you
> need a separate provider that answers SSL server certificate prompts.

I looked into the other providers. The Authenticatable module in the 
Ruby binding provides the following methods: 

add_simple_provider
add_username_provider
add_ssl_client_cert_file_provider
add_ssl_client_cert_pw_file_provider
add_ssl_server_trust_file_provider
add_simple_prompt_provider
add_username_prompt_provider
add_ssl_server_trust_prompt_provider
add_ssl_client_cert_prompt_provider
add_ssl_client_cert_pw_prompt_provider
add_platform_specific_client_providers

I thought the add_ssl_server_trust_prompt_provider() might be right for 
solving my issue. However, this just lets me manipulate an 
AuthCredSSLServerTrust object which I think maps to the C struct 
svn_auth_cred_ssl_server_trust_t, which does not let me set something 
like trust_server_cert in svn_cmdline_create_auth_baton(). 

So my problem is that I cannot find out how 
svn_cmdline_create_auth_baton() is mapped in the Ruby binding. 

> > > begin
> > > 	ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> > > rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> > > 	raise "no such revision " + config_revision.to_s + " at " + config_repository_url
> > > end
> > > ------------------------------------------------------------------------
> 

Kind regards
Christian

Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Daniel Shahaf wrote on Thu, Apr 11, 2013 at 23:00:08 +0300:
> Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> > Hi,
> > 
> > I have been trying for some hours to use the ruby subversion binding to 
> > do a repository checkout. Unfortunately, the server certificate is not 
> > accepted: 
> > 
> > $ /.../script.rb
> > /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3':  (Svn::Error::RaDavRequestFailed)
> > Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
> >         from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
> >         from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
> >         from /.../script.rb:22:in `<main>'
> > 
> > Using the SVN client from command line I never faced any certificate 
> > issues (as far as I know the certificate is perfectly valid). However, I 
> > started looking for a way to make the ruby script accept the 
> > certificate. To my knowledge there is no documentation for the ruby
> > binding, so I looked into the ruby files of the ruby binding and into 
> > the documentation of the C binding but I could not find a solution. 
> > 
> 
> Look at svn_cmdline_create_auth_baton().  You need to pass
> trust_server_cert=TRUE (in C terms) or implement a prompt provider that
> answers affirmatively.
> 
> (or reconfigure your SSL library to trust that certificate by default,
> in a level below Subversion)
> 
> > The script (see below) is taken from the best piece of documentation I 
> > could find on the web:
> > 
> > http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/
...
> > ctx = Svn::Client::Context.new()
> > ctx.add_simple_provider
> > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> > 

I haven't seen this script in your previous example.  The issue here is
that the "simple provider" only answers username/password prompts; you
need a separate provider that answers SSL server certificate prompts.

> > begin
> > 	ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> > rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> > 	raise "no such revision " + config_revision.to_s + " at " + config_repository_url
> > end
> > ------------------------------------------------------------------------