
Re: svn on OSX 10.7.3 can't find CA certificates

From: Zachary Burnham <zburnham_at_efi.org>
Date: Mon, 12 Mar 2012 09:11:54 -0400

I don't believe I was getting this before I upgraded to Lion (10.7). OS X does something kind of funky with SSL certificates: it keeps them in the "keychain", which applications can then access. I did find instructions for how to export the certificate and put it somewhere where svn can find it, but unfortunately they didn't work for me.

I don't have access to the server where this repository lives, unfortunately. I'm also not sure how to check to see what version of the OpenSSL library this was built against.

Z

On Mar 12, 2012, at 9:06 AM, Johan Corveleyn wrote:

On Mon, Mar 12, 2012 at 2:00 PM, Zachary Burnham <zburnham_at_efi.org> wrote:
I'd have thought that providing relevant information would have been helpful.

Nevertheless, I'm still having trouble with this. I've exported the
relevant CA certificate and edited ~/.subversion/servers to look for it. I
know that it's finding it, because when I deliberately misspell the file
name, it gives me a different error (svn: Invalid config: unable to load
certificate file '/<home>/.subversion/geotruste.pem') than I have been
seeing previously (SSL certificate checks failed: Server certificate
verification failed: issuer is not trusted). Is there something else I can
try?

Random suggestion: does the server provide the entire certificate
chain to the client?
In Apache: see the SSLCertificateChainFile directive [1].

Other than that, try to narrow it down:
- Does this only happen with OSX 10.7.3? Can you try with other
platforms? Did it occur with a previous version of OSX?
- The failing svn client: is it built against another openssl version
than svn clients which do succeed?

[1] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile

--
Johan
_____________________
Zachary Burnham
Web Developer
EFI Consumer Division
1 Willow Street, Suite 2
Southborough, Massachusetts  01772-1026
508.870.2277 x4467 (o)
508.983.7880 (f)
zburnham_at_efi.org
Received on 2012-03-12 14:13:34 CET
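
Added example (not part of the original mail and not Subversion's own code): the "entire certificate chain" question raised in the reply above, reproduced offline with the openssl command line. It builds a constructed root, intermediate and server certificate, with root.pem standing in for the exported CA file that ~/.subversion/servers points at, and shows that a client trusting only the root rejects the server certificate unless the intermediate is also presented. The certificate names, file names and the helper functions make_pki and chain_verifies are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed three-tier PKI: root -> intermediate -> server certificate.
# All names are made up; nothing here contacts a real server.

make_pki() {                      # $1 = working directory
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root: the role played by the exported CA file on the client.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" \
        2>/dev/null || return 1
    # Server certificate, signed by the intermediate (not by the root).
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# chain_verifies CAFILE SERVER_CERT [INTERMEDIATES]
# Exit status 0 if SERVER_CERT chains to a CA in CAFILE. INTERMEDIATES models
# what the server sends along with its own certificate during the handshake.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

d=$(mktemp -d) && make_pki "$d" || exit 1
chain_verifies "$d/root.pem" "$d/leaf.pem" "$d/int.pem" &&
    echo "server sends intermediate: verification succeeds"
chain_verifies "$d/root.pem" "$d/leaf.pem" ||
    echo "server sends only its own certificate: verification fails"
rm -rf "$d"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` prints the certificates the server actually sends, which can be compared with the chain the client needs.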

This is an archived mail posted to the Subversion Users mailing list.
