Posted to users@subversion.apache.org by Zachary Burnham <zb...@efi.org> on 2012/03/08 20:56:10 UTC

svn on OSX 10.7.3 can't find CA certificates

Hi.  I'm having some trouble with command-line svn on OSX 10.7.3 .  The problem appears to be that subversion can't find the CA certificates that are installed on my system (visible in Keychain Access.)  I get the following error:

$ svn log
Error validating server certificate for 'https://<repo>:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.<repo>
 - Valid: from Sun, 12 Feb 2012 02:34:03 GMT until Mon, 15 Apr 2013 19:02:56 GMT
 - Issuer: GeoTrust, Inc., US
 - Fingerprint: <stuff>

As you can see, the dates are OK, and the CA is valid.  Going to the same url in Safari and Firefox gives a valid SSL connection.  

Does anyone have any suggestions?



Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Zachary Burnham <zb...@efi.org>.
On Mar 12, 2012, at 10:31 AM, Andreas Krey wrote:

> On Mon, 12 Mar 2012 10:03:16 +0000, Zachary Burnham wrote:
> ...
>> By the way, is top or bottom posting proper for this list?
> 
> Inline, at the proper point, usually within a full quote. (And having
> 100k HTML for 2k plain text doesn't sound like a good idea either. The
> raw line count of your mail made me look for an attachment.)

I apologize for that.  I'll make future postings plain text.

> 
> Andreas
> 
> -- 
> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
> Date: Fri, 22 Jan 2010 07:29:21 -0800

_____________________
Zachary Burnham
Web Developer
EFI Consumer Division
1 Willow Street, Suite 2
Southborough, Massachusetts  01772-1026
508.870.2277 x4467 (o)
508.983.7880 (f)
zburnham@efi.org

Corporate: efi.org
Shop: energyfederation.org
Discuss: blog.energyfederation.org
Follow: twitter.com/efi_org

CONFIDENTIALITY NOTICE: This message and attachments, if any, is intended only for the designated recipient to which it is addressed. It may contain proprietary information that is confidential or subject to copyright. If you are not the designated addressee or have otherwise received this email in error you are notified that printing, copying or distributing this message is prohibited and may be unlawful, in which case we request that you notify the sender by reply e-mail and permanently delete this message. Thank you.


Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Andreas Krey <a....@gmx.de>.
On Mon, 12 Mar 2012 10:03:16 +0000, Zachary Burnham wrote:
...
> By the way, is top or bottom posting proper for this list?

Inline, at the proper point, usually within a full quote. (And having
100k HTML for 2k plain text doesn't sound like a good idea either. The
raw line count of your mail made me look for an attachment.)

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800

Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Zachary Burnham <zb...@efi.org>.
On Mar 12, 2012, at 9:51 AM, Johan Corveleyn wrote:

> On Mon, Mar 12, 2012 at 2:11 PM, Zachary Burnham <zb...@efi.org> wrote:
> > I don't believe I was getting this before I upgraded to Lion (10.7).  OS X
> > does something kind of funky with ssl certificates, it keeps them in the
> > "keychain" which applications can then access.  I did find instructions for
> > how to export the certificate and put it somewhere where svn can find it,
> > but unfortunately they didn't work for me.
> >
> > I don't have access to the server where this repository lives,
> > unfortunately.  I'm also not sure how to check to see what version of the
> > OpenSSL library this was built against.
>
> Ok, if you don't have control over the repository to make sure the
> entire cert-chain is sent, you can try the following: make sure that
> the .pem file that you refer to in ~/.subversion/servers contains the
> "immediate issuer" of the server cert that you're trying to accept. So
> not the top-level CA, but the intermediate CA that has directly issued
> the server cert that you want to trust. You should be able to find and
> export this by examining the certificate chain from within your
> browser (or within the KeyChain tool or something).
>
> And if that works, contact the server administrator and ask him to let
> the server provide the chain with the SSLCertificateChainFile
> directive, so you can go back to trusting the top-level CA.
>
> --
> Johan

It definitely has the 'immediate issuer' cert in it, Keychain Access does that decoding for us on OS X.  When you examine the certificate in Safari, it shows three "levels" of certificates.

Z

By the way, is top or bottom posting proper for this list?



Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Johan Corveleyn <jc...@gmail.com>.
On Mon, Mar 12, 2012 at 2:11 PM, Zachary Burnham <zb...@efi.org> wrote:
> I don't believe I was getting this before I upgraded to Lion (10.7).  OS X
> does something kind of funky with ssl certificates, it keeps them in the
> "keychain" which applications can then access.  I did find instructions for
> how to export the certificate and put it somewhere where svn can find it,
> but unfortunately they didn't work for me.
>
> I don't have access to the server where this repository lives,
> unfortunately.  I'm also not sure how to check to see what version of the
> OpenSSL library this was built against.

Ok, if you don't have control over the repository to make sure the
entire cert-chain is sent, you can try the following: make sure that
the .pem file that you refer to in ~/.subversion/servers contains the
"immediate issuer" of the server cert that you're trying to accept. So
not the top-level CA, but the intermediate CA that has directly issued
the server cert that you want to trust. You should be able to find and
export this by examining the certificate chain from within your
browser (or within the KeyChain tool or something).

And if that works, contact the server administrator and ask him to let
the server provide the chain with the SSLCertificateChainFile
directive, so you can go back to trusting the top-level CA.

-- 
Johan

Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Zachary Burnham <zb...@efi.org>.
I don't believe I was getting this before I upgraded to Lion (10.7).  OS X does something kind of funky with ssl certificates, it keeps them in the "keychain" which applications can then access.  I did find instructions for how to export the certificate and put it somewhere where svn can find it, but unfortunately they didn't work for me.

I don't have access to the server where this repository lives, unfortunately.  I'm also not sure how to check to see what version of the OpenSSL library this was built against.

Z

On Mar 12, 2012, at 9:06 AM, Johan Corveleyn wrote:

> On Mon, Mar 12, 2012 at 2:00 PM, Zachary Burnham <zb...@efi.org> wrote:
> > I'd have thought that providing relevant information would have been helpful.
> >
> > Nevertheless, I'm still having trouble with this.  I've exported the
> > relevant CA certificate and edited ~/.subversion/servers to look for it.  I
> > know that it's finding it, because when I deliberately misspell the file
> > name, it gives me a different error (svn: Invalid config: unable to load
> > certificate file '/<home>/.subversion/geotruste.pem') than I have been
> > seeing previously (SSL certificate checks failed: Server certificate
> > verification failed: issuer is not trusted).  Is there something else I can
> > try?
>
> Random suggestion: does the server provide the entire certificate
> chain to the client?
> In Apache: see the SSLCertificateChainFile directive [1].
>
> Other than that, try to narrow it down:
> - Does this only happen with OSX 10.7.3? Can you try with other
> platforms? Did it occur with a previous version of OSX?
> - The failing svn client: is it built against another openssl version
> than svn clients which do succeed?
>
>
> [1] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile
>
> --
> Johan



Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Johan Corveleyn <jc...@gmail.com>.
On Mon, Mar 12, 2012 at 2:00 PM, Zachary Burnham <zb...@efi.org> wrote:
> I'd have thought that providing relevant information would have been helpful.
>
> Nevertheless, I'm still having trouble with this.  I've exported the
> relevant CA certificate and edited ~/.subversion/servers to look for it.  I
> know that it's finding it, because when I deliberately misspell the file
> name, it gives me a different error (svn: Invalid config: unable to load
> certificate file '/<home>/.subversion/geotruste.pem') than I have been
> seeing previously (SSL certificate checks failed: Server certificate
> verification failed: issuer is not trusted).  Is there something else I can
> try?

Random suggestion: does the server provide the entire certificate
chain to the client?
In Apache: see the SSLCertificateChainFile directive [1].

Other than that, try to narrow it down:
- Does this only happen with OSX 10.7.3? Can you try with other
platforms? Did it occur with a previous version of OSX?
- The failing svn client: is it built against another openssl version
than svn clients which do succeed?


[1] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile

-- 
Johan

Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Zachary Burnham <zb...@efi.org>.
I'd have thought that providing relevant information would have been helpful.

Nevertheless, I'm still having trouble with this.  I've exported the relevant CA certificate and edited ~/.subversion/servers to look for it.  I know that it's finding it, because when I deliberately misspell the file name, it gives me a different error (svn: Invalid config: unable to load certificate file '/<home>/.subversion/geotruste.pem') than I have been seeing previously (SSL certificate checks failed: Server certificate verification failed: issuer is not trusted).  Is there something else I can try?

Z

On Mar 9, 2012, at 5:53 PM, Daniel Shahaf wrote:

> Zachary,
>
> Saw your other emails.  If you'd like help from this mailing list it's
> best to ask us a self-contained question.  Forwarding random threads and
> raw transcripts to this list will get you nowhere.
>
> Daniel
>
>
> Greg Stein wrote on Thu, Mar 08, 2012 at 20:26:26 +0000:
> > On Thu, Mar 08, 2012 at 02:56:10PM -0500, Zachary Burnham wrote:
> > > Hi.  I'm having some trouble with command-line svn on OSX 10.7.3 .  The problem appears to be that subversion can't find the CA certificates that are installed on my system (visible in Keychain Access.)  I get the following error:
> > >
> > > $ svn log
> > > Error validating server certificate for 'https://<repo>:443':
> > >  - The certificate is not issued by a trusted authority. Use the
> > >    fingerprint to validate the certificate manually!
> > > Certificate information:
> > >  - Hostname: *.<repo>
> > >  - Valid: from Sun, 12 Feb 2012 02:34:03 GMT until Mon, 15 Apr 2013 19:02:56 GMT
> > >  - Issuer: GeoTrust, Inc., US
> > >  - Fingerprint: <stuff>
> > >
> > > As you can see, the dates are OK, and the CA is valid.  Going to the same url in Safari and Firefox gives a valid SSL connection.
> > >
> > > Does anyone have any suggestions?
> >
> > I had the same problem, and came up with the following solution:
> >
> > 1) go into KeyChain Access and find the root certificate that you need
> > 2) select and ctrl-click for the submenu and choose: Export "foo" ...
> > 3) switch the file format to "Privacy Enhanced Mail (.pem)"
> > 4) save the result into /Users/whatever/.subversion
> > 5) edit /Users/whatever/.subversion/servers:
> >      ssl-authority-files = /Users/whatever/.subversion/foo.pem
> >
> > Note that if you need multiple CAs, then use the following format:
> >
> >   ssl-authority-files = /Users/whatever/.subversion/first.pem;/Users/whatever/.subversion/second.pem
> >
> > It is important that there are no spaces around the ";" and that it
> > resides on a single line.
> >
> > Hope that helps,
> > -g



Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Zachary,

Saw your other emails.  If you'd like help from this mailing list it's
best to ask us a self-contained question.  Forwarding random threads and
raw transcripts to this list will get you nowhere.

Daniel


Greg Stein wrote on Thu, Mar 08, 2012 at 20:26:26 +0000:
> On Thu, Mar 08, 2012 at 02:56:10PM -0500, Zachary Burnham wrote:
> > Hi.  I'm having some trouble with command-line svn on OSX 10.7.3 .  The problem appears to be that subversion can't find the CA certificates that are installed on my system (visible in Keychain Access.)  I get the following error:
> > 
> > $ svn log
> > Error validating server certificate for 'https://<repo>:443':
> >  - The certificate is not issued by a trusted authority. Use the
> >    fingerprint to validate the certificate manually!
> > Certificate information:
> >  - Hostname: *.<repo>
> >  - Valid: from Sun, 12 Feb 2012 02:34:03 GMT until Mon, 15 Apr 2013 19:02:56 GMT
> >  - Issuer: GeoTrust, Inc., US
> >  - Fingerprint: <stuff>
> > 
> > As you can see, the dates are OK, and the CA is valid.  Going to the same url in Safari and Firefox gives a valid SSL connection.  
> > 
> > Does anyone have any suggestions?
> 
> I had the same problem, and came up with the following solution:
> 
> 1) go into KeyChain Access and find the root certificate that you need
> 2) select and ctrl-click for the submenu and choose: Export "foo" ...
> 3) switch the file format to "Privacy Enhanced Mail (.pem)"
> 4) save the result into /Users/whatever/.subversion
> 5) edit /Users/whatever/.subversion/servers:
>      ssl-authority-files = /Users/whatever/.subversion/foo.pem
> 
> Note that if you need multiple CAs, then use the following format:
> 
>   ssl-authority-files = /Users/whatever/.subversion/first.pem;/Users/whatever/.subversion/second.pem
> 
> It is important that there are no spaces around the ";" and that it
> resides on a single line.
> 
> Hope that helps,
> -g

Re: svn on OSX 10.7.3 can't find CA certificates

Posted by Greg Stein <gs...@gmail.com>.
On Thu, Mar 08, 2012 at 02:56:10PM -0500, Zachary Burnham wrote:
> Hi.  I'm having some trouble with command-line svn on OSX 10.7.3 .  The problem appears to be that subversion can't find the CA certificates that are installed on my system (visible in Keychain Access.)  I get the following error:
> 
> $ svn log
> Error validating server certificate for 'https://<repo>:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: *.<repo>
>  - Valid: from Sun, 12 Feb 2012 02:34:03 GMT until Mon, 15 Apr 2013 19:02:56 GMT
>  - Issuer: GeoTrust, Inc., US
>  - Fingerprint: <stuff>
> 
> As you can see, the dates are OK, and the CA is valid.  Going to the same url in Safari and Firefox gives a valid SSL connection.  
> 
> Does anyone have any suggestions?

I had the same problem, and came up with the following solution:

1) go into KeyChain Access and find the root certificate that you need
2) select and ctrl-click for the submenu and choose: Export "foo" ...
3) switch the file format to "Privacy Enhanced Mail (.pem)"
4) save the result into /Users/whatever/.subversion
5) edit /Users/whatever/.subversion/servers:
     ssl-authority-files = /Users/whatever/.subversion/foo.pem

Note that if you need multiple CAs, then use the following format:

  ssl-authority-files = /Users/whatever/.subversion/first.pem;/Users/whatever/.subversion/second.pem

It is important that there are no spaces around the ";" and that it
resides on a single line.

Hope that helps,
-g
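
Added example, not part of the original thread or of Subversion itself: a POSIX shell check of a servers file against the points raised in the message above (the option name, files joined by ";" with no spaces, the value on a single line, each listed file present and PEM-encoded). The function name lint_servers and the sample files are constructed for illustration; treating an indented following line as a continuation of the value is an assumption about the config format.

```shell
#!/bin/sh
# Lint the ssl-authority-files setting in a Subversion "servers" file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_servers() {
    servers=$1
    out=""
    note() { out="${out}$1
"; }
    [ -r "$servers" ] || { echo "cannot read $servers"; return 1; }

    # Near misses of the option name (for example a dropped letter).
    bad=$(grep -E '^[A-Za-z-]*authority-files[[:space:]]*=' "$servers" |
          grep -Ev '^ssl-authority-files[[:space:]]*=' || true)
    [ -z "$bad" ] || note "unrecognised key, expected ssl-authority-files: $bad"

    # The value has to stay on one line; an indented next line continues it
    # (assumption about the config format, see the lead-in).
    cont=$(awk '/^ssl-authority-files[ \t]*=/ { k = 1; next }
                k && /^[ \t]+[^ \t]/ { print NR } { k = 0 }' "$servers")
    [ -z "$cont" ] || note "value continues on line $cont, keep it on one line"

    values=$(sed -n 's/^ssl-authority-files[[:space:]]*=[[:space:]]*//p' "$servers")
    [ -n "$values" ] || note "no ssl-authority-files value found"
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        case $value in
            *" ;"*|*"; "*) note "space next to ';' in: $value"; continue ;;
        esac
        old_ifs=$IFS; IFS=';'; set -f
        for path in $value; do
            if [ ! -f "$path" ]; then note "missing file: $path"
            elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
                note "not a PEM certificate: $path"
            fi
        done
        set +f; IFS=$old_ifs
    done <<EOF
$values
EOF
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed demo: one valid file plus the misspelled name from the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$d/first.pem"
    printf '[global]\nssl-authority-files = %s;%s\n' \
        "$d/first.pem" "$d/geotruste.pem" > "$d/servers"
    lint_servers "$d/servers" || true
    rm -rf "$d"
}
demo
```

The check only confirms that each file looks like a PEM certificate; it does not tell you whether the file holds the issuer the server's certificate actually chains to.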