TortoiseSVN missing CA Certificate

Matthew Trescott

Sep 30, 2021, 11:52:54 AM
to TortoiseSVN-dev
Hello TortoiseSVN developers,

I host a small SVN server for my university project team and have a Let's Encrypt TLS certificate. Today we started getting this error:

C:\Users\mtrescott\Documents\formulasae>svn up
Updating '.':
Error validating server certificate for 'https://fsae-demo.trescott.net:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: trescott.net
 - Valid: from Aug  4 05:36:20 2021 GMT until Nov  2 05:36:18 2021 GMT
 - Issuer: R3, Let's Encrypt, US
 - Fingerprint: 07:D0:B7:05:56:E1:76:29:BC:30:82:10:22:DF:29:4B:5F:5B:6A:6D
(R)eject, accept (t)emporarily or accept (p)ermanently? t

I believe the problem is caused by Tortoise not including the ISRG Root X1 CA certificate. Let's Encrypt has an article about this. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

It's not too inconvenient because we can just manually trust the certificate, but it would be helpful to have this CA certificate included, since we'd have a permanent fix then.

Best regards,
Matt

Daniel Sahlberg

Sep 30, 2021, 12:14:26 PM
to TortoiseSVN-dev
What version of TortoiseSVN are you using and what version of Windows?

I also have a Let's Encrypt certificate and I don't get the same warning.

Kind regards
Daniel Sahlberg

Matthew Trescott

Sep 30, 2021, 12:21:40 PM
to TortoiseSVN-dev
Hi Daniel,

On Thu, Sep 30, 2021 at 12:14 PM Daniel Sahlberg via TortoiseSVN-dev <tortois...@googlegroups.com> wrote:
> What version of TortoiseSVN are you using and what version of Windows?
>
> I also have a Let's Encrypt certificate and I don't get the same warning.

This is TortoiseSVN 1.14.1 on Windows 10 20H2 (x64). Firefox and even Internet Explorer work (I can browse the repository on the web with the pages that mod_dav_svn generates).

Best regards,
Matt

Thomas Åkesson

Sep 30, 2021, 1:02:35 PM
to TortoiseSVN-dev
Hi,

We are recently getting various reports from our users after upgrade to 20H2.

We have both TortoiseSVN users and another component using SVNKit. I have no conclusions yet regarding the CAPI interface but there are also issues related to Wincrypt APIs.

I am not entirely sure if TortoiseSVN is using CAPI APIs for the trust store (but it is used if you have a client cert in the Windows-MY storage). I suspect Tortoise will fall back to its internal trust store (Let's Encrypt missing) if the attempt to query the OS APIs fails on 20H2.

Regards,
/Thomas Å.


Thomas Åkesson

Sep 30, 2021, 2:54:31 PM
to TortoiseSVN-dev
To clarify, the TortoiseSVN use of Wincrypt seems ok but we have reports of failures from SVNKit / Java on 20H2.

Regards,
Thomas Å.




Daniel Sahlberg

Oct 2, 2021, 7:02:44 AM
to TortoiseSVN-dev
Hi,

The same question has been asked in the TortoiseSVN group (see https://groups.google.com/g/tortoisesvn/c/cVUXqh8VMh0).

I have answered in detail there and I suggest continuing the discussion there if related to solving the current incident. In short: The server is providing two different certificate chains and the client is looking at the wrong one (which is expired). After a restart the server is only serving the non-expired chain and the clients accept the connection.

Thomas & Matthew, any chance you can check the chains provided from your servers and possibly do a reboot and report back if this solves the problem?

Any follow-up discussion related to how/why TortoiseSVN is looking at the wrong certificate chain should of course stay in this group.

Kind regards
Daniel
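
One way to carry out the chain check requested above, as an added example that is not part of the original thread or of TortoiseSVN: parse the `Certificate chain` summary printed by `openssl s_client -connect host:443 -showcerts` and flag expired entries and subjects that the server sends under more than one issuer. The sample output, the check time and the function names are constructed, and the parser assumes the OpenSSL 3.x layout that includes `v:` validity lines.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the OpenSSL 3.x summary layout (PEM bodies omitted).
# Only the leaf's validity dates come from the error output in this thread.
SAMPLE = """\
Certificate chain
 0 s:CN = trescott.net
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Aug  4 05:36:20 2021 GMT; NotAfter: Nov  2 05:36:18 2021 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   v:NotBefore: Oct  7 19:21:40 2020 GMT; NotAfter: Sep 29 19:21:40 2021 GMT
"""
CHECK_TIME = datetime(2021, 10, 1, tzinfo=timezone.utc)  # constructed "now"

ENTRY = re.compile(
    r"^\s*(?P<idx>\d+) s:(?P<subject>.+)\n\s+i:(?P<issuer>.+)\n"
    r"(?:\s+a:.*\n)?"                      # key/signature line, if printed
    r"\s+v:NotBefore: .+?; NotAfter: (?P<na>.+)$", re.M)

def _ts(text):
    # "Nov  2 05:36:18 2021 GMT" -> timezone-aware datetime (UTC)
    parsed = datetime.strptime(" ".join(text.split()[:4]), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return one dict per certificate the server sent, in the order sent."""
    return [{"idx": int(m["idx"]), "subject": m["subject"].strip(),
             "issuer": m["issuer"].strip(), "not_after": _ts(m["na"])}
            for m in ENTRY.finditer(text)]

def review(text, now):
    """Flag expired entries and subjects sent under more than one issuer."""
    certs = parse_chain(text)
    issuers = {}
    for c in certs:
        issuers.setdefault(c["subject"], set()).add(c["issuer"])
    return {"expired": [c["idx"] for c in certs if c["not_after"] < now],
            "alternates": sorted(s for s, i in issuers.items() if len(i) > 1)}

if __name__ == "__main__":
    for c in parse_chain(SAMPLE):
        state = "EXPIRED" if c["not_after"] < CHECK_TIME else "ok"
        print(c["idx"], state, c["subject"], "<-", c["issuer"])
    print(review(SAMPLE, CHECK_TIME))
```

A non-empty `alternates` list means the server is offering more than one path for the same intermediate; any index in `expired` is a certificate the server should stop sending.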