You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by js...@pobox.com on 2003/08/08 03:27:28 UTC
ssl-authorities-file
I recently upgraded from Subversion 0.20 to 0.26. When I did so I began
getting the following message:
Error validating server certificate: Unknown certificate issuer. Accept? (y/N):
As best as I can understand it, this is caused because my certificate has
the name "foobar.net" in it but the actual name is "dev.foobar.net". As has
been stated in previous emails to this list, the first time it asks it
waits for an answer, the second time it asks it seems to just quit before
you can answer. I looked through the archives and it seems that the answer
is to use the "ssl-authorities-file" configuration option.
I copied the servers certificate file (foobar.net.crt) to
c:\foobar.net.crt. I inserted the following lines in the servers file:
[groups]
foobar = dev.foobar.net
[foobar]
ssl-authorities-file = /foobar.net.crt
Unfortunately, it continues to ask me the question. My server is running
Linux and my clients are running Windows 2000.
Any suggestions? What am I doing wrong?
Thanks,
Jason Stewart
Re: ssl-authorities-file
Posted by John Locke <ma...@freelock.com>.
jstewart@pobox.com wrote:
> Thanks for replying.
>
>
>> You're confusing the meaning of 'ssl-authorities-file'. It means, "which
>> CA's do I trust?" It's supposed point to the certificate of the
>> *CA* that
>> signed the server cert, not to the server cert itself.
>
>
> I'll not dispute this. However, my certificate is signed by GeoTrust.
> I went to their website (www.geotrust.com <http://www.geotrust.com/>)
> and downloaded their certificate. I changed by servers file to point
> to it and still no joy.
>
You're still confusing the Certificate Authority with the Certificate.
You state in your original email:
> As best as I can understand it, this is caused because my certificate
> has the name "foobar.net" in it but the actual name is "dev.foobar.net".
That sounds like the problem.
In your configuration, all you did was tell Subversion to trust the
Geotrust Certificate Authority to authenticate server certificates--but
your server certificate doesn't match the server, so Subversion
continues to fail.
You can either generate a certificate for dev.foobar.net, sign by
Geotrust (or create your own CA to sign your certificates, and copy your
CA's certificate to c:\foobar.net.crt), and install it in your web
server, or use the ssl-ignore-host-mismatch option in Subversion.
Cheers,
John
P.S. This sounds like it belongs on the Users list, not the Dev list...
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: ssl-authorities-file
Posted by js...@pobox.com.
Thanks for replying.
>You're confusing the meaning of 'ssl-authorities-file'. It means, "which
>CA's do I trust?" It's supposed point to the certificate of the *CA* that
>signed the server cert, not to the server cert itself.
I'll not dispute this. However, my certificate is signed by GeoTrust. I
went to their website (www.geotrust.com) and downloaded their certificate.
I changed by servers file to point to it and still no joy.
Jason Stewart
Re: ssl-authorities-file
Posted by su...@collab.net.
> I copied the servers certificate file (foobar.net.crt) to
> c:\foobar.net.crt. I inserted the following lines in the servers file:
>
> [groups]
> foobar = dev.foobar.net
>
> [foobar]
> ssl-authorities-file = /foobar.net.crt
>
>
> Unfortunately, it continues to ask me the question. My server is
> running Linux and my clients are running Windows 2000.
>
> Any suggestions? What am I doing wrong?
You're confusing the meaning of 'ssl-authorities-file'. It means, "which
CA's do I trust?" It's supposed point to the certificate of the *CA* that
signed the server cert, not to the server cert itself.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org