
new cert, "Error validating server certificate"

From: Bryan M <vanillaxtrakt_at_gmail.com>
Date: Tue, 10 Nov 2009 13:48:42 -0600

We have an svn server with https access via apache, dav_svn_module, and
authz_svn_module. We just got a new cert from Verisign, and installed it.
Now, when I try to update my local repository (using svn command line client
in Ubuntu), I get this error (I've replaced our domain with example.com):

Error validating server certificate for 'https://svn.example.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.example.com
 - Valid: from Thu, 05 Nov 2009 00:00:00 GMT until Thu, 11 Nov 2010 23:59:59 GMT
 - Issuer: Terms of use at https://www.verisign.com/rpa (c)09, VeriSign Trust Network, VeriSign, Inc., US
 - Fingerprint: [removed]
(R)eject, accept (t)emporarily or accept (p)ermanently? ^Csvn: OPTIONS of 'https://svn.example.com/svn/software/trunk': Server certificate verification failed: issuer is not trusted (https://svn.example.com)

Why would it be giving me this prompt? The certificate is signed by
Verisign, and I updated the cert as well as the ca/intermediate cert on the
server. I don't recall getting this error before with our previous cert.
Using the openssl tool returns the cert as being valid:

$ openssl s_client -connect svn.example.com:443 | grep 'return code'
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 [removed]
verify return:1
    Verify return code: 0 (ok)

This is a client issue, and not a server issue, right? If so, then why
didn't it complain when we were using our previous cert? I thought maybe I
needed to install the intermediate cert somewhere on the client, but the
intermediate CA cert for the old cert isn't on the client, and since it's
connecting through Apache, which has both certs installed, I don't
understand why it wouldn't validate the cert fine. I think I'm just
confusing myself...

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2416273

Received on 2009-11-10 20:51:27 CET
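
Added example, not part of the original message: a shell script that builds a constructed three-level chain and shows that the same leaf certificate is reported as trusted or untrusted depending on which root the verifier trusts and whether the intermediate is presented to it. The file names, CNs and the helper functions make_csr, make_chain and verify_leaf are made up for this illustration; it assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed chain: root CA -> intermediate CA -> leaf. All names are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_csr() {  # $1 = file basename, $2 = CN; writes $1.key and $1.csr
  openssl req -new -config min.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() (
  cd "$WORK" || exit 1
  # Minimal config so the result does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > min.cnf
  # Two unrelated self-signed roots: "root" issues the chain, "other" does not
  for r in root other; do
    openssl req -x509 -config min.cnf -extensions ca -newkey rsa:2048 -nodes \
      -days 30 -subj "/CN=Example $r CA" -keyout "$r.key" -out "$r.pem" 2>/dev/null
  done
  # Intermediate CA certificate, signed by the root
  make_csr int "Example Intermediate CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile min.cnf -extensions ca -out int.pem 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate
  make_csr leaf "svn.example.com"
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
)

# Verify leaf.pem against trust anchor $1; optional $2 is the intermediate the
# server would send along with its certificate. Prints "trusted" or "untrusted".
verify_leaf() {
  if openssl verify -CAfile "$WORK/$1" ${2:+-untrusted "$WORK/$2"} \
       "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

make_chain
echo "issuing root trusted, intermediate sent:    $(verify_leaf root.pem int.pem)"
echo "issuing root trusted, intermediate missing: $(verify_leaf root.pem)"
echo "different root trusted, intermediate sent:  $(verify_leaf other.pem int.pem)"
```

The second and third cases both end in an untrusted-issuer result, which is why comparing the CA bundle each client actually loads is the first check when two tools disagree about the same server.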

This is an archived mail posted to the Subversion Users mailing list.
