Posted to users@subversion.apache.org by Ryan Schmidt <su...@ryandesign.com> on 2011/05/02 22:03:31 UTC

Error validating server certificate

$ svn info https://svn.macosforge.org/repository/macports
Error validating server certificate for 'https://svn.macosforge.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.macosforge.org
 - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
 - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
 - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
(R)eject, accept (t)emporarily or accept (p)ermanently? 


I am running Subversion 1.6.17 as installed by MacPorts 1.9.2 on Mac OS X 10.6.7. What do I have to do to get Subversion to recognize that the certificate we are using for Mac OS Forge *is* issued by a trusted authority? I want a solution that does not involve every MacPorts contributor having to see this message and press "p"; I want a solution that does not involve anyone seeing this message at all.

Do I have to somehow provide Subversion with a bundle of well-known trusted certificates? MacPorts includes the port curl-ca-bundle which installs a bundle of certs from Mozilla, and is used by the curl port to be able to access https sites. Can Subversion make use of that same bundle?






Re: Error validating server certificate

Posted by Mark Phippard <ma...@gmail.com>.
On Mon, May 2, 2011 at 4:03 PM, Ryan Schmidt
<su...@ryandesign.com> wrote:
> $ svn info https://svn.macosforge.org/repository/macports
> Error validating server certificate for 'https://svn.macosforge.org:443':
>  - The certificate is not issued by a trusted authority. Use the
>   fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: *.macosforge.org
>  - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
>  - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
>  - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
> (R)eject, accept (t)emporarily or accept (p)ermanently?
>
>
> I am running Subversion 1.6.17 as installed by MacPorts 1.9.2 on Mac OS X 10.6.7. What do I have to do to get Subversion to recognize that the certificate we are using for Mac OS Forge *is* issued by a trusted authority? I want a solution that does not involve every MacPorts contributor having to see this message and press "p"; I want a solution that does not involve anyone seeing this message at all.
>
> Do I have to somehow provide Subversion with a bundle of well-known trusted certificates? MacPorts includes the port curl-ca-bundle which installs a bundle of certs from Mozilla, and is used by the curl port to be able to access https sites. Can Subversion make use of that same bundle?

I use the binaries that Jeremy Whitlock provides and which you can
download at CollabNet.  This is what I get:

$ svn info https://svn.macosforge.org/repository/macports
Path: macports
URL: https://svn.macosforge.org/repository/macports
Repository Root: https://svn.macosforge.org/repository/macports
Repository UUID: d073be05-634f-4543-b044-5fe20cf6d1d6
Revision: 78307
Node Kind: directory
Last Changed Author: gwright@macports.org
Last Changed Rev: 78307
Last Changed Date: 2011-05-02 15:33:44 -0400 (Mon, 02 May 2011)

His binaries use the OpenSSL that comes from Apple and that might be
the difference?

For MacPorts, I would think it would depend upon what is in:

/opt/local/etc/openssl

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: Error validating server certificate

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Mon, 2 May 2011 at 23:34:54 Daniel Shahaf wrote:
> > I am running Subversion 1.6.17 
> 
> No, you don't. It hasn't been released yet. 

Oops, I meant 1.6.16.


On Mon, 2 May 2011 at 16:17:26 Mark Phippard wrote:

> I use the binaries that Jeremy Whitlock provides and which you can 
> download at CollabNet. This is what I get: 
> 
> $ svn info https://svn.macosforge.org/repository/macports 
> Path: macports 
> URL: https://svn.macosforge.org/repository/macports 
> Repository Root: https://svn.macosforge.org/repository/macports 
> Repository UUID: d073be05-634f-4543-b044-5fe20cf6d1d6 
> Revision: 78307 
> Node Kind: directory 
> Last Changed Author: gwright_at_macports.org 
> Last Changed Rev: 78307 
> Last Changed Date: 2011-05-02 15:33:44 -0400 (Mon, 02 May 2011) 
> 
> His binaries use the OpenSSL that comes from Apple and that might be 
> the difference? 
> 
> For MacPorts, I would think it would depend upon what is in: 
> 
> /opt/local/etc/openssl 

All that's in there is what the openssl port put there:

$ port contents openssl | grep /etc
  /opt/local/etc/openssl/misc/CA.pl
  /opt/local/etc/openssl/misc/CA.sh
  /opt/local/etc/openssl/misc/c_hash
  /opt/local/etc/openssl/misc/c_info
  /opt/local/etc/openssl/misc/c_issuer
  /opt/local/etc/openssl/misc/c_name
  /opt/local/etc/openssl/misc/tsget
  /opt/local/etc/openssl/openssl.cnf



Perhaps related is this ticket which explains that the openssl port doesn't install any certificates:

https://trac.macports.org/ticket/19247

Which is apparently as the openssl developers intend it:

http://www.openssl.org/support/faq.html#USER16

Which is apparently why we have the curl-ca-bundle port to provide those root certificates for curl's use. But that doesn't help when not using curl (e.g. when using svn). What would we have to do to provide an openssl-global collection of root certificates?
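
A check for the situation described in this message, as an added example that is not part of the original post and not Subversion or MacPorts code: it reports whether an OPENSSLDIR such as /opt/local/etc/openssl holds any root certificates, and whether a Subversion servers file supplies a CA bundle through ssl-authority-files or relies on ssl-trust-default-ca. The function names are hypothetical, only the [global] section is read, and treating an unset ssl-trust-default-ca as "yes" is an assumption.

```shell
#!/bin/sh
# Added example: will svn find a trusted root, or show the (R)/(t)/(p) prompt?

# Succeeds if FILE contains at least one PEM-encoded certificate.
has_pem_certs() {
    [ -f "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints "populated" or "empty" for an OPENSSLDIR such as /opt/local/etc/openssl.
# OpenSSL's default verify locations are DIR/cert.pem and hashed files in DIR/certs/.
openssl_trust_state() {
    if has_pem_certs "$1/cert.pem"; then echo populated; return 0; fi
    for f in "$1"/certs/*.[0-9]; do
        if has_pem_certs "$f"; then echo populated; return 0; fi
    done
    echo empty
}

# Prints the value of KEY in the [global] section of a Subversion servers file.
svn_server_option() {
    [ -f "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*#/  { next }                                   # comment line
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# svn_trust_report OPENSSLDIR SERVERS_FILE -> one-line verdict.
svn_trust_report() {
    bundles=$(svn_server_option "$2" ssl-authority-files)
    default_ca=$(svn_server_option "$2" ssl-trust-default-ca)
    old_ifs=$IFS; IFS=';'          # ssl-authority-files is a ';'-separated list
    for b in $bundles; do
        if has_pem_certs "$b"; then
            IFS=$old_ifs; echo "ok: ssl-authority-files $b"; return 0
        fi
    done
    IFS=$old_ifs
    # Assumption of this example: an unset ssl-trust-default-ca behaves as "yes".
    if [ "$default_ca" != no ] && [ "$(openssl_trust_state "$1")" = populated ]; then
        echo "ok: OpenSSL default store in $1"; return 0
    fi
    echo "untrusted: expect the certificate prompt"
}
```

On a MacPorts install the call would be `svn_trust_report /opt/local/etc/openssl "$HOME/.subversion/servers"`; with only the files listed above in that directory and no bundle configured, it reports the untrusted case.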





Re: Error validating server certificate

Posted by Mark Phippard <ma...@gmail.com>.
On Mon, May 2, 2011 at 4:34 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Ryan Schmidt wrote on Mon, May 02, 2011 at 15:03:31 -0500:
>> $ svn info https://svn.macosforge.org/repository/macports
>> Error validating server certificate for 'https://svn.macosforge.org:443':
>>  - The certificate is not issued by a trusted authority. Use the
>>    fingerprint to validate the certificate manually!
>> Certificate information:
>>  - Hostname: *.macosforge.org
>>  - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
>>  - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
>>  - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
>> (R)eject, accept (t)emporarily or accept (p)ermanently?
>>
>>
>> I am running Subversion 1.6.17
>
> No, you don't.  It hasn't been released yet.

I just assumed it is a typo.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: Error validating server certificate

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Ryan Schmidt wrote on Mon, May 02, 2011 at 15:03:31 -0500:
> $ svn info https://svn.macosforge.org/repository/macports
> Error validating server certificate for 'https://svn.macosforge.org:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: *.macosforge.org
>  - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
>  - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
>  - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
> (R)eject, accept (t)emporarily or accept (p)ermanently? 
> 
> 
> I am running Subversion 1.6.17

No, you don't.  It hasn't been released yet.

You *might* be running a "Subversion 1.6.17 (dev build)" --- i.e.,
1.6.16 plus patches.  It might say "1.6.17 (under development)" later if
a certain backport proposal (in STATUS) is approved.