Subversion Ruby Binding: Server certificate verification failed: issuer is not trusted

Christian Plewnia

Apr 11, 2013, 2:51:26 PM
to us...@subversion.apache.org
Hi,

I have been trying for some hours to use the ruby subversion binding to
do a repository checkout. Unfortunately, the server certificate is not
accepted:

$ /.../script.rb
/usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3': (Svn::Error::RaDavRequestFailed)
Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
from /.../script.rb:22:in `<main>'

Using the SVN client from command line I never faced any certificate
issues (as far as I know the certificate is perfectly valid). However, I
started looking for a way to make the ruby script accept the
certificate. To my knowledge there is no documentation for the ruby
binding, so I looked into the ruby files of the ruby binding and into
the documentation of the C binding but I could not find a solution.

The script (see below) is taken from the best piece of documentation I
could find in the web:

http://www.markdeepwell.com/2010/06/ruby-subversion-bindings/

Does anyone know how to deal with this problem?

Kind regards
Christian

PS: Please put me into CC as I am not subscribed to the list. Thanks!

My ruby script:
------------------------------------------------------------------------
#!/usr/bin/env ruby

# Required packages
require "svn/core"
require "svn/ext/core"
require "svn/client"
require "svn/wc"
require "svn/repos"

config_username = '...'
config_password = '...'
config_repository_url = '...'
config_output_path = '...'
config_revision = 1

ctx = Svn::Client::Context.new()
ctx.add_simple_provider
ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password

begin
  ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
  raise "no such revision " + config_revision.to_s + " at " + config_repository_url
end
------------------------------------------------------------------------

Daniel Shahaf

Apr 11, 2013, 4:00:08 PM
to Christian Plewnia, us...@subversion.apache.org
Christian Plewnia wrote on Thu, Apr 11, 2013 at 20:51:26 +0200:
> Hi,
>
> I have been trying for some hours to use the ruby subversion binding to
> do a repository checkout. Unfortunately, the server certificate is not
> accepted:
>
> $ /.../script.rb
> /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `svn_client_checkout3': (Svn::Error::RaDavRequestFailed)
> Svn::Error::RaDavRequestFailed: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)
> from /usr/lib/ruby/site_ruby/1.9.1/svn/util.rb:99:in `checkout3'
> from /usr/lib/ruby/site_ruby/1.9.1/svn/client.rb:143:in `checkout'
> from /.../script.rb:22:in `<main>'
>
> Using the SVN client from command line I never faced any certificate
> issues (as far as I know the certificate is perfectly valid). However, I
> started looking for a way to make the ruby script accept the
> certificate. To my knowledge there is no documentation for the ruby
> binding, so I looked into the ruby files of the ruby binding and into
> the documentation of the C binding but I could not find a solution.
>

Look at svn_cmdline_create_auth_baton(). You need to pass
trust_server_cert=TRUE (in C terms) or implement a prompt provider that
answers affirmatively.

(or reconfigure your SSL library to trust that certificate by default,
in a level below Subversion)

Daniel Shahaf

Apr 11, 2013, 4:58:37 PM
to Christian Plewnia, us...@subversion.apache.org
...
> > ctx = Svn::Client::Context.new()
> > ctx.add_simple_provider
> > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_USERNAME] = config_username
> > ctx.auth_baton[Svn::Core::AUTH_PARAM_DEFAULT_PASSWORD] = config_password
> >

I haven't seen this script in your previous example. The issue here is
that the "simple provider" only answers username/password prompts; you
need a separate provider that answers SSL server certificate prompts.

Christian Plewnia

Apr 12, 2013, 5:41:34 AM
to Daniel Shahaf, us...@subversion.apache.org
Hi,

thank you for your reply.
I looked into the other providers. The Authenticatable module in the
Ruby binding provides the following methods:

add_simple_provider
add_username_provider
add_ssl_client_cert_file_provider
add_ssl_client_cert_pw_file_provider
add_ssl_server_trust_file_provider
add_simple_prompt_provider
add_username_prompt_provider
add_ssl_server_trust_prompt_provider
add_ssl_client_cert_prompt_provider
add_ssl_client_cert_pw_prompt_provider
add_platform_specific_client_providers

I thought the add_ssl_server_trust_prompt_provider() might be right for
solving my issue. However, this just lets me manipulate an
AuthCredSSLServerTrust object which I think maps to the C struct
svn_auth_cred_ssl_server_trust_t, which does not let me set something
like trust_server_cert in svn_cmdline_create_auth_baton().

So my problem is that I cannot find out how
svn_cmdline_create_auth_baton() is mapped in the Ruby binding.

> > > begin
> > > ctx.checkout(config_repository_url, config_output_path, config_revision.to_i, nil)
> > > rescue Svn::Error::CLIENT_UNRELATED_RESOURCES => e # revision doesn't exist
> > > raise "no such revision " + revision.to_s + " at " + repos_uri
> > > end
> > > ------------------------------------------------------------------------
>

Kind regards
Christian

Daniel Shahaf

Apr 12, 2013, 8:10:58 AM
to Christian Plewnia, us...@subversion.apache.org
Agreed.

> AuthCredSSLServerTrust object which I think maps to the C struct
> svn_auth_cred_ssl_server_trust_t, which does not let me set something
> like trust_server_cert in svn_cmdline_create_auth_baton().
>
> So my problem is that I cannot find out how
> svn_cmdline_create_auth_baton() is mapped in the Ruby binding.
>

I don't know. If it isn't mapped, you could send a patch that adds the
mapping (http://subversion.apache.org/patches) or construct an
auth_baton yourself and use that in your client context object.

C. Michael Pilato

Apr 12, 2013, 8:31:54 AM
to Christian Plewnia, Daniel Shahaf, us...@subversion.apache.org
On 04/12/2013 05:41 AM, Christian Plewnia wrote:
> So my problem is that I cannot find out how
> svn_cmdline_create_auth_baton() is mapped in the Ruby binding.

It's not mapped. I wish it was, and may spend some time on that soon,
because I need that function for the Python bindings.

--
C. Michael Pilato <cmpi...@collab.net>
CollabNet <> www.collab.net <> Enterprise Cloud Development


Christian Plewnia

Apr 12, 2013, 9:22:52 AM
to C. Michael Pilato, Daniel Shahaf, us...@subversion.apache.org
Hi,

> On 04/12/2013 05:41 AM, Christian Plewnia wrote:
> > So my problem is that I cannot find out how
> > svn_cmdline_create_auth_baton() is mapped in the Ruby binding.
>
> It's not mapped. I wish it was, and may spend some time on that soon,
> because I need that function for the Python bindings.

Thanks for the information.

> --
> C. Michael Pilato <cmpi...@collab.net>
> CollabNet <> www.collab.net <> Enterprise Cloud Development

For a start I will let Ruby execute the SVN commands on the shell, which
is not nice but so far works for me. However, if I find some time I
would like to look into extending the mapping. Am I right, that SWIG is
used to generate the bindings and everything related to the binding can
be found in
http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/?

If I find the time and get some results I will of course let you know.

Kind regards
Christian
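
An added example, not part of the thread or of Subversion's code: one way to do the shell-out workaround from the message above without switching certificate checks off. It supplies the issuing CA through the ssl-authority-files server option and fails closed on the error quoted at the top of the thread; CA_FILE, the helper names and the sample host are assumptions.

```ruby
require "open3"

# Assumption: PEM file holding the CA that issued the server certificate.
CA_FILE = "/etc/ssl/certs/internal-ca.pem"

# Build the argv for a non-interactive checkout that trusts one extra CA.
# No --trust-server-cert: an unknown issuer must stay an error.
def svn_checkout_argv(url, dest, revision, username, ca_file: CA_FILE)
  raise ArgumentError, "https URL required" unless url.start_with?("https://")
  rev = Integer(revision)              # raises on anything that is not a number
  raise ArgumentError, "negative revision" if rev < 0
  [dest, username, ca_file].each do |v|
    raise ArgumentError, "option-like value: #{v}" if v.to_s.start_with?("-")
  end
  # The password is not put on the command line; this sketch assumes svn
  # finds it in its own credential store.
  ["svn", "checkout", "--non-interactive",
   "--config-option", "servers:global:ssl-authority-files=#{ca_file}",
   "--username", username, "-r", rev.to_s, url, dest.to_s]
end

# Matches the message text shown in the original post.
CERT_FAILURE = /Server certificate verification failed: (.+?)(?: \(|$)/

# Returns the failure reason ("issuer is not trusted", ...) or nil.
def cert_failure_reason(stderr_text)
  m = CERT_FAILURE.match(stderr_text)
  m && m[1]
end

# Run the checkout as an argv array (no shell involved) and fail closed.
def checkout!(url, dest, revision, username, ca_file: CA_FILE)
  argv = svn_checkout_argv(url, dest, revision, username, ca_file: ca_file)
  out, err, status = Open3.capture3(*argv)
  return out if status.success?
  reason = cert_failure_reason(err)
  raise "refusing untrusted server certificate (#{reason})" if reason
  raise "svn checkout failed: #{err.strip}"
end
```
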

C. Michael Pilato

Apr 12, 2013, 9:25:08 AM
to Christian Plewnia, Daniel Shahaf, us...@subversion.apache.org
On 04/12/2013 09:22 AM, Christian Plewnia wrote:
> Am I right, that SWIG is
> used to generate the bindings and everything related to the binding can
> be found in
> http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/?

You are correct.

Daniel Shahaf

Apr 12, 2013, 9:27:00 AM
to Christian Plewnia, C. Michael Pilato, us...@subversion.apache.org
Christian Plewnia wrote on Fri, Apr 12, 2013 at 15:22:52 +0200:
> For a start I will let Ruby execute the SVN commands on the shell, which
> is not nice but so far works for me. However, if I find some time I
> would like to look into extending the mapping. Am I right, that SWIG is
> used to generate the bindings and everything related to the binding can
> be found in
> http://svn.apache.org/repos/asf/subversion/trunk/subversion/bindings/swig/?
>
> If I find the time and get some results I will of course let you know.

If you have any questions about implementing the change, feel free to
ask on #svn-dev (on Freenode) or on the dev@ list. The list is probably
better in this case since we don't have many swig/rb experts.

Daniel

C. Michael Pilato

Apr 12, 2013, 11:01:11 AM
to Christian Plewnia, Daniel Shahaf, us...@subversion.apache.org
On 04/12/2013 08:31 AM, C. Michael Pilato wrote:
> On 04/12/2013 05:41 AM, Christian Plewnia wrote:
>> So my problem is that I cannot find out how
>> svn_cmdline_create_auth_baton() is mapped in the Ruby binding.
>
> It's not mapped. I wish it was, and may spend some time on that soon,
> because I need that function for the Python bindings.

Huh. Turned out not to be that difficult. (Translation: "I'm an idiot and
should have done this yeeeeeeeears ago.")

http://svn.apache.org/r1467302

I tested this with Python only, but I have no reason to believe that it
won't work with Ruby and Perl, too. (Please do test it, though, if you can!)

Joe Swatosh

Apr 13, 2013, 12:02:57 PM
to Daniel Shahaf, Christian Plewnia, C. Michael Pilato, us...@subversion.apache.org
I don't have nearly the time I'd like (or used to have) to work on the
bindings, so if you have improvements please submit patches (bug
fixes, docs, improved test coverage, updating existing methods to use
non-deprecated APIs, all welcome) to the dev list.

--
Joe