Posted to users@subversion.apache.org by Chris Rose <of...@gmail.com> on 2004/12/29 01:21:12 UTC

Configuring mod_ssl for subversion. (AAARGH!!!)

Well, this has been an odyssey.

I'm running a Debian-based distro for my svn server, with Apache 2
with mod_ssl installed (and working, at least somewhat).

mod_dav_svn works as well, as does mod_authz_svn, as far as I am able to tell.

I am able to browse my repository just fine at
http://host.domain/repo/personal/ and also at
https://host.domain/repo/personal, using a web browser.  However, when
I try to connect using the command line client:

svn co http://host.domain/repo/personal/project1 .

I get three consecutive requests for a client key:

Authentication realm: https://host.domain:443
Client certificate filename: ...

This happens twice (six requests) in a checkout, or once in an update
(three requests) and then the update/checkout/other operation proceeds
apparently as normal.

I have, I thought, created valid and working CA certificates from the
instructions at
http://svn.red-bean.com/viewcvs/main/3bits/servercert_3bits.txt?rev=127

These are loaded in the virtual server definition for Apache using the lines
	SSLCACertificatePath	/etc/apache2/svn/private
	SSLCACertificateFile	/etc/apache2/svn/private/ca.crt
	SSLCertificateFile		/etc/apache2/svn/private/server.crt
	SSLCertificateKeyFile	/etc/apache2/svn/private/server.key

I then created a server.pem file for my client with the instructions here:
http://www.pseudonym.org/ssl/ssl_apache.html

And converted it to a pem certificate with the instructions on the
red-bean site.

However, this does not seem to work.

Can someone help me out here?  I don't *need* ssl working, but I'm
leery of doing all my development from school without it, and I can
only guarantee that port 80 will work for me, not anything else, so
svn+ssh isn't an option.  As a consequence, I'd like to get mod_ssl to
do what I want it to.

Is there a step-by-step "Create a CA, a server cert, and any number of
client certs" instruction set for making this work?  I'm more than
willing to provide domain name specifics and apache2 configuration
info (A lot of oddly organized include files) to anyone who is willing
to help me out.
-- 
Chris R.
======
Not to be taken literally, internally, or seriously.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Configuring mod_ssl for subversion. (AAARGH!!!)

Posted by John Szakmeister <jo...@szakmeister.net>.
On Tuesday 28 December 2004 20:21, Chris Rose wrote:
> Well, this has been an odyssey.
[snip]
> Can someone help me out here?  I don't *need* ssl working, but I'm
> leery of doing all my development from school without it, and I can
> only guarantee that port 80 will work for me, not anything else, so
> svn+ssh isn't an option.  As a consequence, I'd like to get mod_ssl to
> do what I want it to.
>
> Is there a step-by-step "Create a CA, a server cert, and any number of
> client certs" instruction set for making this work?  I'm more than
> willing to provide domain name specifics and apache2 configuration
> info (A lot of oddly organized include files) to anyone who is willing
> to help me out.

This may not be an answer you want to hear, but there is a good book 
called the "Linux Security Cookbook".  It has all the appropriate steps 
in there.  I believe it's offered as part of the O'Reilly Safari 
bookshelf, so you can examine the contents of the book online free for 14 
days (you have to sign up though).  Or, it may already be present at your 
local library or work place.

You might want to check the OpenSSL RPM that came with your distribution.  
There is usually a CA.pl or CA.sh that walks you through the steps of 
creating a CA.  It might even help you self-sign a certificate... it's 
been a while since I've used it.

HTH!

-John
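
As an added example (not written by any poster in this thread, and not taken from CA.pl or CA.sh), the "create a CA, a server cert, and any number of client certs" steps asked about above can be done with the plain openssl command line. `host.domain` is the placeholder host from the thread; the CA name, file names, key size, lifetimes and the `P12_PASS` variable are assumptions.

```sh
#!/bin/sh
# Added example: private CA, one server cert, one client cert (openssl CLI).
# CA name, file names, key size and lifetimes are assumptions.
set -eu

# make_pki DIR HOST USER ; the PKCS#12 export password is read from $P12_PASS
make_pki() (
    umask 077                      # private keys are never world-readable
    mkdir -p "$1"
    cd "$1"
    host=$2 user=$3

    # 1. Self-signed CA: ca.crt is the file SSLCACertificateFile points at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example SVN CA" -keyout ca.key -out ca.crt

    # 2. Server key and CSR, signed by the CA, with the host name as a SAN
    #    (server.crt / server.key -> SSLCertificateFile / SSLCertificateKeyFile).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout server.key -out server.csr
    printf 'subjectAltName=DNS:%s\n' "$host" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -extfile server.ext -out server.crt

    # 3. Client key and CSR, signed by the same CA; repeat per user.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$user.key" -out "$user.csr"
    openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out "$user.crt"

    # 4. Bundle client cert + key as PKCS#12, the format the svn client loads.
    openssl pkcs12 -export -in "$user.crt" -inkey "$user.key" \
        -certfile ca.crt -passout env:P12_PASS -out "$user.p12"
)

# check_chain CA_CERT CERT ; succeeds only if CERT was issued by CA_CERT
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "$#" -ge 3 ]; then
    make_pki "$1" "$2" "$3"
    check_chain "$1/ca.crt" "$1/server.crt" && echo "server cert chains to CA"
fi
```

The `.p12` file is what the svn client's "Client certificate filename:" prompt expects; `ca.key` stays off the web server, since only `ca.crt`, `server.crt` and `server.key` are needed there.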


Re: Configuring mod_ssl for subversion. (AAARGH!!!)

Posted by David Kramer <da...@thekramers.net>.
On Tue, 28 Dec 2004, Chris Rose wrote:
> 
> Can someone help me out here?  I don't *need* ssl working, but I'm
> leery of doing all my development from school without it, and I can
> only guarantee that port 80 will work for me, not anything else, so
> svn+ssh isn't an option.  As a consequence, I'd like to get mod_ssl to
> do what I want it to.
> 
> Is there a step-by-step "Create a CA, a server cert, and any number of
> client certs" instruction set for making this work?  I'm more than
> willing to provide domain name specifics and apache2 configuration
> info (A lot of oddly organized include files) to anyone who is willing
> to help me out.

Not sure how relevant it is, but this might give you some clues.

http://www.openssl.org/docs/HOWTO/certificates.txt

HTH


----------------------------------------------------------------------------
DDDD   David Kramer         david@thekramers.net       http://thekramers.net
DK KD  
DKK D  "The difference between playing the stock market and
DK KD  the horses is that one of the horses must win." 
DDDD   -Joey Adams (1911) US comedian, author "Reader's Digest," 1 Aug. 1985.


Re: Configuring mod_ssl for subversion. (AAARGH!!!)

Posted by Chris Rose <of...@gmail.com>.
The problem with that -- and I DID consider it -- is that there's at
least one person who needs read access to parts of the repository who
does not have a working svn client (for reasons I am neither qualified
to diagnose nor wish to get into) and as such has to access it via the
web.  For security purposes, I would like to have this working with
ssl.

<snip my own grumpiness>

Basically, I don't have a domain, nor do I have a static IP and I am
not a server admin by trade. Is there any way for me, lacking as I do
those skills, to set up the repository to do what I need it to? 
Obviously it can be done, since (I assume) there are people reading
this list right now that can do svn co https:// ... to check out a
project.  *How* they do it, well, that's what I'd like to know.


On Wed, 29 Dec 2004 00:25:46 -0700, Kevin Williams <ke...@bantamtech.com> wrote:
> I faced the same problem once. I chose to have sshd listen on port 443
> as well as 22, so that I could use a firewall-acceptable port to connect
> to ssh. I then tunneled the server's port 3690 (svnserve) to my
> workstation and used svn://localhost.
> 
> Yeah, it's a hack. By the time I get to the AAARGH!!! stage, I start
> hacking things together. ;)

-- 
Chris R.
======
Not to be taken literally, internally, or seriously.


Re: Configuring mod_ssl for subversion. (AAARGH!!!)

Posted by Kevin Williams <ke...@bantamtech.com>.
I faced the same problem once. I chose to have sshd listen on port 443 
as well as 22, so that I could use a firewall-acceptable port to connect 
to ssh. I then tunneled the server's port 3690 (svnserve) to my 
workstation and used svn://localhost.

Yeah, it's a hack. By the time I get to the AAARGH!!! stage, I start 
hacking things together. ;)


Chris Rose wrote:
> Well, this has been an odyssey.
> 
> I'm running a debian-based distro for my svn server, with apache 2
> with mod_ssl installed (And working, at least somewhat)
> 
> mod_dav_svn works as well, as does mod_authz_svn, as far as I am able to tell.
> 
> I am able to browse my repository just fine at
> http://host.domain/repo/personal/ and also at
> https://host.domain/repo/personal, using a web browser.  However, when
> I try to connect using the command line client:
> 
> svn co http://host.domain/repo/personal/project1 .
> 
> I get three consecutive requests for a client key:
> 
> Authentication realm: https://host.domain:443
> Client certificate filename: ...
> 
> This happens twice (six requests) in a checkout, or once in an update
> (three requests) and then the update/checkout/other operation proceeds
> apparently as normal.
> 
> I have, I thought, created valid and working CA certificates from the
> instructions at
> http://svn.red-bean.com/viewcvs/main/3bits/servercert_3bits.txt?rev=127
> 
> These are loaded in the virtual server definition for Apache using the lines
> 	SSLCACertificatePath	/etc/apache2/svn/private
> 	SSLCACertificateFile	/etc/apache2/svn/private/ca.crt
> 	SSLCertificateFile		/etc/apache2/svn/private/server.crt
> 	SSLCertificateKeyFile	/etc/apache2/svn/private/server.key
> 
> I then created a server.pem file for my client with the instructions here:
> http://www.pseudonym.org/ssl/ssl_apache.html
> 
> And converted it to a pem certificate with the instructions on the
> red-bean site.
> 
> However, this does not seem to work.
> 
> Can someone help me out here?  I don't *need* ssl working, but I'm
> leery of doing all my development from school without it, and I can
> only guarantee that port 80 will work for me, not anything else, so
> svn+ssh isn't an option.  As a consequence, I'd like to get mod_ssl to
> do what I want it to.
> 
> Is there a step-by-step "Create a CA, a server cert, and any number of
> client certs" instruction set for making this work?  I'm more than
> willing to provide domain name specifics and apache2 configuration
> info (A lot of oddly organized include files) to anyone who is willing
> to help me out.


Re: Configuring mod_ssl for subversion. (AAARGH!!!)

Posted by VK Sameer <sa...@collab.net>.
On Wed, 2004-12-29 at 06:51, Chris Rose wrote:

> Is there a step-by-step "Create a CA, a server cert, and any number of
> client certs" instruction set for making this work?  I'm more than
> willing to provide domain name specifics and apache2 configuration
> info (A lot of oddly organized include files) to anyone who is willing
> to help me out.

I've no idea how useful this document might be, since it is for a
Windows environment, but have you seen the TortoiseSVN server setup doc?
http://tortoisesvn.tigris.org/docs/TortoiseSVN_en/ch03.html


