Geek Answers Handbook

Subversion Server Certificate Certificate Validation Failure: and Other Causes (Causes)

I had an SVN system and worked fine, and after a recent update it suddenly stopped working. My setup:

  • I have a repository hosted on a Windows 2008 server using VisualSVN Server 2.7.4. The server offers me the opportunity to generate self-signed certificates as I wish, by entering my own hostname or other data as desired.

  • I use Eclipse (Kepler) for java coding both on the hosting and on my MacBookPro running Mac OS X 10.9.1 (Mavericks). I have a subtitle add-in for Eclipse that requires subversive work with java HL.

  • I installed macports and the latest subversion / javahl packages requested by subclipse. The Eclipse / subversion interface seems to be working fine, but there are bugs in the disruptive command line that Eclipse doesn't move well. Solving command line problems is a major issue.

  • I used to have the following versions installed via macports, and it seemed like everything was working fine:

    subversion @ 1.8.5_1 + universal
    subversion-javahlbindings @ 1.8.5_0 + no_bdb + universal

  • As part of the installation / troubleshooting, I updated all of my macports in which the following new versions were installed:

    subversion @ 1.8.8_0 + universal
    subversion-javahlbindings @ 1.8.8_0 + no_bdb + universal

  • After updating svn via eclipse on my mac fails. I can make it use the command line to temporarily accept the certificate. It still works fine on a Windows 2008 server machine.

The first time after changing the certificate, I get the opportunity to accept it on an ongoing basis, but after that it fails and returns to the second "temporary" dialog.

$ svn update Updating '.': Error validating server certificate for 'https://192.168.100.59:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! - The certificate hostname does not match. Certificate information: - Hostname: 571458-tools1 - Valid: from Feb 28 23:57:35 2014 GMT until Feb 26 23:57:35 2024 GMT - Issuer: - Fingerprint: 55:3E:55:FD:4D:40:A4:1E:8A:1E:27:71:DD:D4:ED:8B:A3:9A:1D:EC (R)eject, accept (t)emporarily or accept (p)ermanently? p Error validating server certificate for 'https://192.168.100.59:443': - The certificate has an unknown error. Certificate information: - Hostname: 571458-tools1 - Valid: from Feb 28 23:57:35 2014 GMT until Feb 26 23:57:35 2024 GMT - Issuer: - Fingerprint: 55:3E:55:FD:4D:40:A4:1E:8A:1E:27:71:DD:D4:ED:8B:A3:9A:1D:EC (R)eject or accept (t)emporarily? t (credentials dialogue) At revision 46.
  • After that, future attempts still lead to an error and a requirement to temporarily accept:
 $ svn update Updating '.': Error validating server certificate for 'https://192.168.100.59:443': - The certificate hostname does not match. - The certificate has an unknown error. Certificate information: - Hostname: 571458-tools1 - Valid: from Feb 28 23:57:35 2014 GMT until Feb 26 23:57:35 2024 GMT - Issuer: - Fingerprint: 55:3E:55:FD:4D:40:A4:1E:8A:1E:27:71:DD:D4:ED:8B:A3:9A:1D:EC (R)eject or accept (t)emporarily? t At revision 46.

Several web searches, including this site and others, pointed to the authentication files in ~ / .subversion as potential problems, but all the proposed solutions (deleting, changing ownership and permissions, etc.) could not solve the problem.

Specific questions: 1. I can’t figure out how to return to the previous subversion (1.8.5) in macports to find out if there is an error in version 1.8.8 that I updated. 2. Assuming there is no error in 1.8.8, is there anything else I can do to potentially fix this problem and get my certificates permanently?

EDIT: - I was able to get rid of the "hostname" error by changing the self-written certificate host name to a numeric IP. However, all other symptoms remain, including the mysterious: "The certificate has an unknown error." - I am convinced (although the comments indicate otherwise) that the 1.8.8 update broke something in Mac OS X, and I am very interested in version rollbacks for troubleshooting. But I suppose a new question ...

+7
svn ssl-certificate
source share
3 answers

Oddly enough, there was literally a similar problem a day ago. Anyway, I could be wrong, but the obvious security level for SVN in 1.8.8 is tougher than previous versions. Which certificates that you forced svn to accept can no longer be "acceptable" by the new standards. I was wrong, but it does not matter.

If you look at the error you provided, you will see:

The host name of the certificate does not match.

This is an SSL error that svn will not ignore, it means that you are connecting to a different host name than what you indicated. The fact is that https://192.168.100.59:443 can refer to the same URL as your repository server, for example: https://foobar.com:443 SSL handshaking will not be performed if host names do not match.

This issue persists for any case where your hostname of the repository URL does not match the SVN server certificate response.

I assume that you are using a self-signed certificate through the VisualSVN certificate creation tool. To resolve, renew the new certificate and verify that the host name matches the name of your real host . This should solve your problems.

Please note: you will still receive this first dialog box warning you that you are using a certificate that is not verified / valid, but you should not get this second dialog box. In addition, make sure that the client and server versions of SVN are the same and that different versions of SVN are causing great chaos.

Edit:

Sorry, I read the error back, your certificate host name is apparently 571458-tools1 when it should be 192.168.100.59 if you want to access it. Follow the same certificate regeneration procedures, but use the host name 192.168.100.59 instead of 571458-tools1 .

Please note that this will enable SSL / TLS only when directly using the internal IP address.

+7
source share

I was able to figure out how to return to subversion 1.8.5 from this link:

trac.macports.org/wiki/howto/InstallingOlderPort

Returning to 1.8.5 resolved the problem. I will continue to further troubleshoot 1.8.8 related issues directly with subversive developers.

+1
source share

The certificate has an unknown error can be a certificate chain problem. I came across this after upgrading from Windows SVN 1.8.3 to 1.8.7. You can find this by running the following command: echo | openssl s_client -connect host:443 echo | openssl s_client -connect host:443

eg.

 Certificate chain 0 s:/[redacted]/ i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The error here is that 1 entity does not correspond to 0 issuer. Correct the certificate chain on the server.

+1
source share

More articles:


All Articles