[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Re: Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Fri, 12 Apr 2013 15:10:58 +0300

Christian Plewnia wrote on Fri, Apr 12, 2013 at 11:41:34 +0200:
> Hi,
>
> thank you for your reply.
>
> > Daniel Shahaf wrote on Thu, Apr 11, 2013 at 23:00:08 +0300:
> > > Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> > > > Hi,
> > > >
> > > > I have been trying for some hours to use the ruby subversion binding to
> > > > do a repository checkout. Unfortunately, the server certificate is not
> > > > accepted:
> > > >
> > > > $ /.../script.rb
> > > > /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3': (Svn::Error::RaDavRequestFailed)
> > > > Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
> > > > from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
> > > > from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
> > > > from /.../script.rb:22:in `<main>'
> > > >
> > > > Using the SVN client from command line I never faced any certificate
> > > > issues (as far as I know the certificate is perfectly valid). However, I
> > > > started looking for a way to make the ruby script accept the
> > > > certificate. As to my knowledge there is no documentation for the ruby
> > > > binding, so I looked into the ruby files of the ruby binding and into
> > > > the documentation of the C binding but I could not find a solution.
> > > >
> > >
> > > Look at svn_cmdline_create_auth_baton(). You need to pass
> > > trust_server_cert=TRUE (in C terms) or implement a prompt provider that
> > > answers affirmatively.
> > >
> > > (or reconfigure your SSL library to trust that certificate by default,
> > > in a level below Subversion)
> > >
> > > > The script (see below) is taken from the best piece of documentation I
> > > > could find in the web:
> > > >
> > > > http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/
> > ...
> > > > ctx = Svn::Client::Context.new()
> > > > ctx.add_simple_provider
> > > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> > > > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> > > >
> >
> > I haven't seen this script in your previous example. The issue here is
> > that the "simple provider" only answers username/password prompts; you
> > need to a separate provider that answers SSL server certificate prompts.
>
> I looked into the other providers. The Authenticatable module in the
> Ruby binding provides the following methods:
>
> add_simple_provider
> add_username_provider
> add_ssl_client_cert_file_provider
> add_ssl_client_cert_pw_file_provider
> add_ssl_server_trust_file_provider
> add_simple_prompt_provider
> add_username_prompt_provider
> add_ssl_server_trust_prompt_provider
> add_ssl_client_cert_prompt_provider
> add_ssl_client_cert_pw_prompt_provider
> add_platform_specific_client_providers
>
> I thought the add_ssl_server_trust_prompt_provider() might be right for
> solving my issue. However, this just lets me manipulate an

Agreed.

> AuthCredSSLServerTrust object which I think maps to the C struct
> svn_auth_cred_ssl_server_trust_t, which does not let me set something
> like trust_server_cert in svn_cmdline_create_auth_baton().
>
> So my problem is that I cannot find out how
> svn_cmdline_create_auth_baton() is mapped in the Ruby binding.
>

I don't know. If it isn't mapped, you could send a patch that adds the
mapping (http://subversion.apache.org/patches) or construct an
auth_baton yourself and use that in your client context object.

> > > > begin
> > > > ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> > > > rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> > > > raise "no such revision " + revision.to_s + " at " + repos_uri
> > > > end
> > > > ------------------------------------------------------------------------
> >
>
> Kinds regards
> Christian
Received on 2013-04-12 14:11:37 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.