You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Pat Farrell <pf...@pfarrell.com> on 2009/03/18 01:44:02 UTC

svn over HTTPS works everywhere but on the server host itself

I recently upgraded from Debian Etch to Lenny, and something changed in
my subversion setup locally. I'm using apache2/ssl/svn (1.5.1)

Antwort: Re: svn over HTTPS works everywhere but on the server host itself

Posted by j....@interabo.de.
PDF-Produktion 10:49 Uhr

Lager Zugang von 1.250 Rucksäcken um 13:45Uhr gebucht.


Die Säcke waren also zum Versandzeitpunkt nicht da.



--
Mit freundlichen Grüßen
i.A. Jörg Rathjens

Programmentwicklung
________________________________________________________________________

interabo                                        Tel. +49-(0)40/23670-376
Betreuungs-GmbH                                 Fax  +49-(0)40/23670-108
Wendenstr. 25, 20097 Hamburg                      j.rathjens@interabo.de
Geschäftsführer: Peter Drawert, Uwe Henning, Jürgen Rosenboom
Amtsgericht Hamburg HRB 35763
________________________________________________________________________





-----JeremyP <je...@jeremyp.net> schrieb: -----


An: Pat Farrell <pf...@pfarrell.com>
Von: JeremyP <je...@jeremyp.net>
Datum: 18.03.2009 11:31
Kopie: JeremyP <je...@jeremyp.net>, users@subversion.tigris.org
Betreff: Re: svn over HTTPS works everywhere but on the server host itself

On 18 Mar 2009, at 04:33, Pat Farrell wrote:

> Konstantin Kolinko wrote:
>> Are you able to access https://localhost/with a web browser?
>
> Not with a real browser, its headless.
>
>> wget --no-check-certificate https://www.pfarrell.com/
>
> Interesting. That works if I comment out the /etc/hosts
> assignment of www.pfarrell.com to localhost.
>
> It fails if I leave it commented in.
> Same external command, different resolution of name:
> wget --no-check-certificate https://www.pfarrell.com/
> --2009-03-18 00:29:37--  https://www.pfarrell.com/
> Resolving www.pfarrell.com... 127.0.1.1
> Connecting to www.pfarrell.com|127.0.1.1|:443... failed: Connection
> refused.

What about

https://127.0.1.1

does that work?  or

https://127.0.0.1

I think you should either leave www.pfarrell.com out of /etc/hosts or
put it on the entry for your network card address, not the loopback
interface.


>
>
>
> I did that because the self signed cert was causing assorted whining
> when I did a "sudo" command.
>
> $ su
> sudo: unable to resolve host www
>
>
> This all used to work fine with Debian Etch
>
> Thanks
> pat
>
> ------------------------------------------------------
>
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1345205

>
> To unsubscribe from this discussion, e-mail:
[users-unsubscribe@subversion.tigris.org
> ].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1347261


To unsubscribe from this discussion, e-mail:
[users-unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1347896

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by JeremyP <je...@jeremyp.net>.
On 18 Mar 2009, at 04:33, Pat Farrell wrote:

> Konstantin Kolinko wrote:
>> Are you able to access https://localhost/ with a web browser?
>
> Not with a real browser, its headless.
>
>> wget --no-check-certificate https://www.pfarrell.com/
>
> Interesting. That works if I comment out the /etc/hosts
> assignment of www.pfarrell.com to localhost.
>
> It fails if I leave it commented in.
> Same external command, different resolution of name:
> wget --no-check-certificate https://www.pfarrell.com/
> --2009-03-18 00:29:37--  https://www.pfarrell.com/
> Resolving www.pfarrell.com... 127.0.1.1
> Connecting to www.pfarrell.com|127.0.1.1|:443... failed: Connection  
> refused.

What about

https://127.0.1.1

does that work?  or

https://127.0.0.1

I think you should either leave www.pfarrell.com out of /etc/hosts or  
put it on the entry for your network card address, not the loopback  
interface.


>
>
>
> I did that because the self signed cert was causing assorted whining
> when I did a "sudo" command.
>
> $ su
> sudo: unable to resolve host www
>
>
> This all used to work fine with Debian Etch
>
> Thanks
> pat
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1345205
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org 
> ].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1347261

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: svn over HTTPS works everywhere but on the server host itself

Posted by Ul...@elektrobit.com.
Pat Farrell wrote:
> Konstantin Kolinko wrote:
>> Are you able to access https://localhost/ with a web browser?
> 
> Not with a real browser, its headless.
> 
>> wget --no-check-certificate https://www.pfarrell.com/
> 
> Interesting. That works if I comment out the /etc/hosts
> assignment of www.pfarrell.com to localhost.
> 
> It fails if I leave it commented in.
> Same external command, different resolution of name:
> wget --no-check-certificate https://www.pfarrell.com/
> --2009-03-18 00:29:37--  https://www.pfarrell.com/ Resolving
> www.pfarrell.com... 127.0.1.1 Connecting to
> www.pfarrell.com|127.0.1.1|:443... failed: Connection refused.

Can you check your Apache config on which addresses it listens on port 443?

You should have a line in your /etc/hosts that points to the "real" IP of your server, not the 127.0.1.1 - comment out the 127.0.1.1, then add the "www www.pfarrell.com" to the end of the line with the real IP. 

Now try again. :-)

> I did that because the self signed cert was causing assorted
> whining when I did a "sudo" command.
> 
> $ su
> sudo: unable to resolve host www

No idea why it does that. 

> This all used to work fine with Debian Etch

I guess now it's time to post your Apache config... :-)

Best regards

Ullrich Jans

-- 
Ullrich Jans, Application Support, IM
Phone: +49 9131 7701-6627, mailto:ullrich.jans@elektrobit.com 
Fax: +49 9131 7701-6333, www.elektrobit.com

Elektrobit Automotive GmbH, Am Wolfsmantel 46, 91058 Erlangen, Germany
Managing Directors: Otto Fößel, Jarkko Sairanen
Register Court Fürth HRB 4886 


----------------------------------------------------------------
Please note: This e-mail may contain confidential information
intended solely for the addressee. If you have received this
e-mail in error, please do not disclose it to anyone, notify
the sender promptly, and delete the message from your system.
Thank you.

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Pat Farrell <pf...@pfarrell.com>.
Konstantin Kolinko wrote:
> Are you able to access https://localhost/ with a web browser?

Not with a real browser, its headless.

> wget --no-check-certificate https://www.pfarrell.com/

Interesting. That works if I comment out the /etc/hosts
assignment of www.pfarrell.com to localhost.

It fails if I leave it commented in.
Same external command, different resolution of name:
wget --no-check-certificate https://www.pfarrell.com/
--2009-03-18 00:29:37--  https://www.pfarrell.com/
Resolving www.pfarrell.com... 127.0.1.1
Connecting to www.pfarrell.com|127.0.1.1|:443... failed: Connection refused.


I did that because the self signed cert was causing assorted whining
when I did a "sudo" command.

$ su
sudo: unable to resolve host www


This all used to work fine with Debian Etch

Thanks
pat

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1345205

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Konstantin Kolinko <kn...@gmail.com>.
2009/3/18 Pat Farrell <pf...@pfarrell.com>:
> Konstantin Kolinko wrote:
>> What is the output of "svn --version"?
>
> svn, version 1.5.1 (r32289)
>   compiled Dec 31 2008, 06:38:09
>
> Copyright (C) 2000-2008 CollabNet.
> Subversion is open source software, see http://subversion.tigris.org/
> This product includes software developed by CollabNet
> (http://www.Collab.Net/).
>
> The following repository access (RA) modules are available:
>
> * ra_neon : Module for accessing a repository via WebDAV protocol using
> Neon.
>  - handles 'http' scheme
>  - handles 'https' scheme
> * ra_svn : Module for accessing a repository using the svn network protocol.
>  - with Cyrus SASL authentication
>  - handles 'svn' scheme
> * ra_local : Module for accessing a repository on local disk.
>  - handles 'file' scheme
> * ra_serf : Module for accessing a repository via WebDAV protocol using
> serf.
>  - handles 'http' scheme
>  - handles 'https' scheme
>
>> If those are not mentioned, it means that svn client was compiled
>> without https support.
>
> The svn client was installed from the Debian Lenny repositories.
> No local compiling.
>
>
>>
>>
>> Does https://localhost/ work for you?
>
> No, same result
>

Are you able to access https://localhost/ with a web browser?
E.g.
wget --no-check-certificate https://www.pfarrell.com/

It should not be firewall/iptables, because usually localhost
connections are allowed.

Also, note that subversion should ask you, whether you trust the
server certificate (and store a record of your acceptance as a file
in ~/.subversion/svn.ssl.server/ ). I do not know, but may be
something prevents it?

Can it be unability to encrypt it? E.g., the same as storing
clear-text passwords on some systems. I have never faced
such one, though.

Surely, you are not using --non-interactive.

Does that ~/.subversion/svn.ssl.server/directory exist already? Deleting it
should cause re-asking for the certificate.
Are access rights on  ~/.subversion/ reasonable?

Is this svn client able to connect to external svn repositories, over
http or https ?


I am sorry, but I probably won't be able to help further. It is
going into specifics I am not familiar with.

Best regards,
Konstantin Kolinko

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1344984

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Pat Farrell <pf...@pfarrell.com>.
Konstantin Kolinko wrote:
> What is the output of "svn --version"?

svn, version 1.5.1 (r32289)
   compiled Dec 31 2008, 06:38:09

Copyright (C) 2000-2008 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet
(http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using
Neon.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using
serf.
  - handles 'http' scheme
  - handles 'https' scheme

> If those are not mentioned, it means that svn client was compiled
> without https support.

The svn client was installed from the Debian Lenny repositories.
No local compiling.


> 
> 
> Does https://localhost/ work for you?

No, same result

-- 
Pat Farrell
http://www.pfarrell.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1344794

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Konstantin Kolinko <kn...@gmail.com>.
2009/3/18 Pat Farrell <pf...@pfarrell.com>:
> Konstantin Kolinko wrote:
>> If your server is behind a NAT router/firewall, it may be not visible from
>> internal network under its public IP address.
>
> This is on the same host, there is no firewall/nat between itself and itself
>
> pfarrell@www:~/sandbox/quad$ ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms
> 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.069 ms
>
> pfarrell@www:~/sandbox/quad$ ping www.pfarrell.com
> PING www.pfarrell.com (127.0.1.1) 56(84) bytes of data.
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=1 ttl=64 time=0.081 ms
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=2 ttl=64 time=0.078 ms
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=3 ttl=64 time=0.058 ms
>

OK.

What is the output of "svn --version"?
Is ra_neon or ra_serf mentioned there, and is
"handles 'https' scheme" phrase mentioned for either one of them?

If those are not mentioned, it means that svn client was compiled
without https support.


Does https://localhost/ work for you?

Best regards,
Konstantin Kolinko

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1344760

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Pat Farrell <pf...@pfarrell.com>.
JeremyP wrote:
> I think your problem is that the Apache server is not listening to
> 127.0.0.1 on port 443.  Since you have already stated that removing the
> /etc/hosts entry for www.pfarrell.com makes it start working, I don't
> understand why you don't leave it removed.

I put it in only to make sudo not complain about not being able to
resolve the host name. Which broke apache/ssl

I want both to work.

-- 
Pat Farrell
http://www.pfarrell.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349174

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by JeremyP <je...@jeremyp.net>.
On 18 Mar 2009, at 15:29, Pat Farrell wrote:

> Greg Troxel wrote:
>> 127.0.1.1 is a bogus address.  I get 70.184.242.241 from DNS.  I  
>> would
>> fix your local dns and/or /etc/hosts so that ping works with the  
>> correct
>> address.
>
> Good typo catch.
> Fixed that, and still have the problems.
>
> Thanks

I think your problem is that the Apache server is not listening to  
127.0.0.1 on port 443.  Since you have already stated that removing  
the /etc/hosts entry for www.pfarrell.com makes it start working, I  
don't understand why you don't leave it removed.




>
>
>
> -- 
> Pat Farrell
> http://www.pfarrell.com/
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349031
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org 
> ].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349128

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Pat Farrell <pf...@pfarrell.com>.
Greg Troxel wrote:
> 127.0.1.1 is a bogus address.  I get 70.184.242.241 from DNS.  I would
> fix your local dns and/or /etc/hosts so that ping works with the correct
> address.

Good typo catch.
Fixed that, and still have the problems.

Thanks


-- 
Pat Farrell
http://www.pfarrell.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349031

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Greg Troxel <gd...@ir.bbn.com>.
Pat Farrell <pf...@pfarrell.com> writes:

> Konstantin Kolinko wrote:
>> If your server is behind a NAT router/firewall, it may be not visible from
>> internal network under its public IP address.
>
> This is on the same host, there is no firewall/nat between itself and itself
>
> pfarrell@www:~/sandbox/quad$ ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms
> 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.069 ms
>
> pfarrell@www:~/sandbox/quad$ ping www.pfarrell.com
> PING www.pfarrell.com (127.0.1.1) 56(84) bytes of data.
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=1 ttl=64 time=0.081 ms
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=2 ttl=64 time=0.078 ms
> 64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=3 ttl=64 time=0.058 ms

127.0.1.1 is a bogus address.  I get 70.184.242.241 from DNS.  I would
fix your local dns and/or /etc/hosts so that ping works with the correct
address.

It could be that apache/whatever is only listening on the real address
and 127.0.0.1, but not the (quite bizarre) 127.0.1.1.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1348232

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Pat Farrell <pf...@pfarrell.com>.
Konstantin Kolinko wrote:
> If your server is behind a NAT router/firewall, it may be not visible from
> internal network under its public IP address.

This is on the same host, there is no firewall/nat between itself and itself

pfarrell@www:~/sandbox/quad$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.069 ms

pfarrell@www:~/sandbox/quad$ ping www.pfarrell.com
PING www.pfarrell.com (127.0.1.1) 56(84) bytes of data.
64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=2 ttl=64 time=0.078 ms
64 bytes from quad.pfarrell.com (127.0.1.1): icmp_seq=3 ttl=64 time=0.058 ms



-- 
Pat Farrell
http://www.pfarrell.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1344691

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over HTTPS works everywhere but on the server host itself

Posted by Konstantin Kolinko <kn...@gmail.com>.
2009/3/18 Pat Farrell <pf...@pfarrell.com>:
> I recently upgraded from Debian Etch to Lenny, and something changed in
> my subversion setup locally. I'm using apache2/ssl/svn (1.5.1)
>
> From my other computers, the client works fine. But on the
> apache/subversion server itself, if I try to use the standard Linux svn
> client, it fails:
>
> svn update
>
> svn: OPTIONS of 'https://www.pfarrell.com/repos/quad': could not connect
> to server (https://www.pfarrell.com)
>
> I don't see any attempt to connect in the apache or syslog.
>
> (...)
>

If your server is behind a NAT router/firewall, it may be not visible from
internal network under its public IP address.

That is, check whether
"ping www.pfarrell.com"
works for you. I guess that it does not.

https://localhost/  should work.

Best regards,
Konstantin Kolinko

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1344661

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].