Accepting a certificate with errors permanently


dasony

Jun 25, 2010, 5:00:20 AM
to us...@subversion.apache.org
Hello,

I have a https subversion server that has an expired and untrusted
certificate, and for the time being, I have no way to fix it. I'd like
my subversion client to ignore the errors and accept it. Usually in
a case like this, there was an option for accepting a certificate
permanently, but it's not there this time.

Error validating server certificate for 'https://sc.snu.ac.kr:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate has expired.
- The certificate has an unknown error.
Certificate information:
- Hostname: [deleted]
- Valid: from Thu, 11 Sep 2008 01:32:15 GMT until Fri, 11 Sep 2009
01:32:15 GMT
- Issuer: [deleted]
- Fingerprint: [deleted]
(R)eject or accept (t)emporarily? t

Is there any way to make it offer that option, or for me to manually
add it to the trusted list? I think I should add something to
~/.subversion/auth/svn.ssl.server/, but I am yet to find any document
about this.

I am using svn, version 1.6.6 (r40053) on Ubuntu Lucid.

Thanks in advance.

Daniel Shahaf

Jun 26, 2010, 3:36:46 AM
to dasony, us...@subversion.apache.org
dasony wrote on Fri, 25 Jun 2010 at 12:00 -0000:
> Hello,
>
> I have a https subversion server that has an expired and untrusted
> certificate, and for the time being, I have no way to fix it. I'd like
> my subversion client to ignore the errors and accept it. Usually in
> a case like this, there was an option for accepting a certificate
> permanently, but it's not there this time.
>
> Error validating server certificate for 'https://sc.snu.ac.kr:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> - The certificate has expired.
> - The certificate has an unknown error.
> Certificate information:
> - Hostname: [deleted]
> - Valid: from Thu, 11 Sep 2008 01:32:15 GMT until Fri, 11 Sep 2009
> 01:32:15 GMT
> - Issuer: [deleted]
> - Fingerprint: [deleted]

It's pretty pointless to say [deleted] here since you didn't delete the
URL in the first line of the error message.

> (R)eject or accept (t)emporarily? t
>
> Is there any way to make it offer that option,

It will not offer "(p)ermanently" when an "unknown error" is reported.

> or for me to manually add it to the trusted list? I think I should add
> something to ~/.subversion/auth/svn.ssl.server/, but I am yet to find
> any document about this.
>

I am not sure this will work. And I strongly recommend that you don't
do it unless you know *exactly* which certificate you are permitting
(that warning message is there for a reason).

>

Still here? Okay. Let's see an example:

[[[
% cat ~/.subversion/auth/svn.ssl.simple/f54456629587b37334a88e776b1ceb0c
K 10
ascii_cert
V 1664
MII<<<...1658 more characters...>>>80=
K 8
failures
V 1
4
K 15
svn:realmstring
V 33
https://svn-master.apache.org:443
END
]]]

That's a serialized hash. The numbers after K and V are the number of
characters in the following line. The big base64'd value for
"ascii_cert" is the certificate itself.

The paranoid approach is to get the certificate from the server
administrators directly. The non-paranoid approach is to grab the
certificate presented by the server and save it. The third approach
is to make Subversion offer the '(p)ermanently' option anyway (this
requires a source-code patch).

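A reader for the serialized-hash format described in the reply above, as an added example that is not part of the original thread or of Subversion's own code. It checks the K/V length headers, then reports which realm a cached entry trusts, which validation failures were accepted, and a SHA-1 of the stored certificate for comparison with a fingerprint obtained from the server administrators. The file contents are constructed, `svn.example.org` is a placeholder, and the failure-bit names follow `svn_auth.h`.

```python
import base64
import hashlib

# Failure bits from Subversion's svn_auth.h (SVN_AUTH_SSL_*).
FAILURES = {0x1: "not yet valid", 0x2: "expired", 0x4: "hostname mismatch",
            0x8: "unknown CA", 0x40000000: "other error"}

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>', key, 'V <len>', value, ... 'END' into a dict."""
    out, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)          # ValueError if truncated
        header = data[pos:eol]
        if not header.startswith(tag + b" "):
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        length, start = int(header[2:]), eol + 1
        item = data[start:start + length]
        # The declared length must land exactly on the line's newline.
        if len(item) != length or data[start + length:start + length + 1] != b"\n":
            raise ValueError(f"length mismatch at byte {pos}")
        pos = start + length + 1
        return item

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key.decode()] = read_item(b"V")
    return out

def describe(entry: dict) -> dict:
    """Summarise what a cached entry trusts, for manual review."""
    der = base64.b64decode(entry["ascii_cert"])
    bits = int(entry["failures"])
    return {"realm": entry["svn:realmstring"].decode(),
            "sha1": hashlib.sha1(der).hexdigest(),  # compare out of band
            "accepted_failures": [n for b, n in FAILURES.items() if bits & b]}

def make_sample() -> bytes:
    """Constructed cache file; the 'certificate' is placeholder bytes."""
    cert = base64.b64encode(b"constructed stand-in, not a real certificate")
    fields = [(b"ascii_cert", cert), (b"failures", b"4"),
              (b"svn:realmstring", b"https://svn.example.org:443")]
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields) + b"END\n"

if __name__ == "__main__":
    print(describe(parse_svn_hash(make_sample())))
```
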