Error validating server certificate


Ryan Schmidt

May 2, 2011, 4:03:31 PM
to Subversion Users
$ svn info https://svn.macosforge.org/repository/macports
Error validating server certificate for 'https://svn.macosforge.org:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: *.macosforge.org
- Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
- Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
- Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
(R)eject, accept (t)emporarily or accept (p)ermanently?


I am running Subversion 1.6.17 as installed by MacPorts 1.9.2 on Mac OS X 10.6.7. What do I have to do to get Subversion to recognize that the certificate we are using for Mac OS Forge *is* issued by a trusted authority? I want a solution that does not involve every MacPorts contributor having to see this message and press "p"; I want a solution that does not involve anyone seeing this message at all.

Do I have to somehow provide Subversion with a bundle of well-known trusted certificates? MacPorts includes the port curl-ca-bundle which installs a bundle of certs from Mozilla, and is used by the curl port to be able to access https sites. Can Subversion make use of that same bundle?
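
An added example, not part of the original post and not Subversion's own code: the prompt above tells the user to validate the fingerprint manually, so this Python code parses the prompt text quoted in the post and compares its fingerprint with one obtained out of band. The function names are hypothetical, and the code assumes the 20-byte fingerprint is the SHA-1 digest of the certificate's DER encoding.

```python
import hashlib
import hmac
import re
import ssl

# Prompt text copied from the post above (svn client output).
SVN_PROMPT = """\
Error validating server certificate for 'https://svn.macosforge.org:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: *.macosforge.org
- Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
- Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
- Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
(R)eject, accept (t)emporarily or accept (p)ermanently?
"""

def parse_prompt(text):
    """Extract the server URL and the certificate fields svn printed."""
    info = {"server": re.search(r"certificate for '([^']+)'", text).group(1)}
    fields = r"^\s*- (Hostname|Valid|Issuer|Fingerprint): (.+)$"
    for key, value in re.findall(fields, text, re.M):
        info[key.lower()] = value.strip()
    return info

def normalize(fp):
    """Reduce 'BF:77:..' or 'bf77..' to 40 lowercase hex digits."""
    digits = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return digits

def pem_fingerprint(pem):
    """Fingerprint of a PEM certificate received out of band (assumed:
    SHA-1 over the DER bytes), formatted the way the prompt shows it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexd = hashlib.sha1(der).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 40, 2))

def fingerprint_matches(prompt_text, trusted_fp):
    """True only if the prompted fingerprint equals the trusted one."""
    shown = normalize(parse_prompt(prompt_text)["fingerprint"])
    return hmac.compare_digest(shown, normalize(trusted_fp))
```

The trusted value has to come from a channel other than the connection being checked, for example from the server administrator; accepting the prompt without that comparison only pins whatever certificate was presented.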

Mark Phippard

May 2, 2011, 4:17:26 PM
to Ryan Schmidt, Subversion Users

I use the binaries that Jeremy Whitlock provides and which you can
download at CollabNet. This is what I get:

Path: macports
URL: https://svn.macosforge.org/repository/macports
Repository Root: https://svn.macosforge.org/repository/macports
Repository UUID: d073be05-634f-4543-b044-5fe20cf6d1d6
Revision: 78307
Node Kind: directory
Last Changed Author: gwr...@macports.org
Last Changed Rev: 78307
Last Changed Date: 2011-05-02 15:33:44 -0400 (Mon, 02 May 2011)

His binaries use the OpenSSL that comes from Apple and that might be
the difference?

For MacPorts, I would think it would depend upon what is in:

/opt/local/etc/openssl

--
Thanks

Mark Phippard
http://markphip.blogspot.com/

Daniel Shahaf

May 2, 2011, 4:34:54 PM
to Ryan Schmidt, Subversion Users
Ryan Schmidt wrote on Mon, May 02, 2011 at 15:03:31 -0500:
> $ svn info https://svn.macosforge.org/repository/macports
> Error validating server certificate for 'https://svn.macosforge.org:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: *.macosforge.org
> - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
> - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
> - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
> (R)eject, accept (t)emporarily or accept (p)ermanently?
>
>
> I am running Subversion 1.6.17

No, you don't. It hasn't been released yet.

You *might* be running a "Subversion 1.6.17 (dev build)" --- i.e.,
1.6.16 plus patches. It might say "1.6.17 (under development)" later if
a certain backport proposal (in STATUS) is approved.

Mark Phippard

May 2, 2011, 4:38:30 PM
to Daniel Shahaf, Ryan Schmidt, Subversion Users
On Mon, May 2, 2011 at 4:34 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> Ryan Schmidt wrote on Mon, May 02, 2011 at 15:03:31 -0500:
>> $ svn info https://svn.macosforge.org/repository/macports
>> Error validating server certificate for 'https://svn.macosforge.org:443':
>>  - The certificate is not issued by a trusted authority. Use the
>>    fingerprint to validate the certificate manually!
>> Certificate information:
>>  - Hostname: *.macosforge.org
>>  - Valid: from Thu, 28 Apr 2011 22:45:15 GMT until Sat, 31 May 2014 10:51:08 GMT
>>  - Issuer: (c) 2009 Entrust, Inc., www.entrust.net/rpa is incorporated by reference, Entrust, Inc., US
>>  - Fingerprint: bf:77:a4:84:d4:3e:0c:55:28:3d:2a:37:bc:8a:47:39:76:73:b7:02
>> (R)eject, accept (t)emporarily or accept (p)ermanently?
>>
>>
>> I am running Subversion 1.6.17
>
> No, you don't.  It hasn't been released yet.

I just assumed it is a typo.

Ryan Schmidt

May 3, 2011, 7:02:12 PM
to Subversion Users
On Mon, 2 May 2011 at 23:34:54 Daniel Shahaf wrote:
> > I am running Subversion 1.6.17
>
> No, you don't. It hasn't been released yet.

Oops, I meant 1.6.16.


On Mon, 2 May 2011 at 16:17:26 Mark Phippard wrote:

> I use the binaries that Jeremy Whitlock provides and which you can
> download at CollabNet. This is what I get:
>
> Path: macports
> URL: https://svn.macosforge.org/repository/macports
> Repository Root: https://svn.macosforge.org/repository/macports
> Repository UUID: d073be05-634f-4543-b044-5fe20cf6d1d6
> Revision: 78307
> Node Kind: directory
> Last Changed Author: gwright_at_macports.org
> Last Changed Rev: 78307
> Last Changed Date: 2011-05-02 15:33:44 -0400 (Mon, 02 May 2011)
>
> His binaries use the OpenSSL that comes from Apple and that might be
> the difference?
>
> For MacPorts, I would think it would depend upon what is in:
>
> /opt/local/etc/openssl

All that's in there is what the openssl port put there:

$ port contents openssl | grep /etc
/opt/local/etc/openssl/misc/CA.pl
/opt/local/etc/openssl/misc/CA.sh
/opt/local/etc/openssl/misc/c_hash
/opt/local/etc/openssl/misc/c_info
/opt/local/etc/openssl/misc/c_issuer
/opt/local/etc/openssl/misc/c_name
/opt/local/etc/openssl/misc/tsget
/opt/local/etc/openssl/openssl.cnf

Perhaps related is this ticket which explains that the openssl port doesn't install any certificates:

https://trac.macports.org/ticket/19247

Which is apparently as the openssl developers intend it:

http://www.openssl.org/support/faq.html#USER16

Which is apparently why we have the curl-ca-bundle port to provide those root certificates for curl's use. But that doesn't help when not using curl (e.g. when using svn). What would we have to do to provide an openssl-global collection of root certificates?

