RE: svn: PROPFIND of Server certificate verification failed: issuer is not trusted
I found a solution/workaround:
- Searched the whole filesystem for the svn certificate. Found lots of them
and deleted them all.
- Did the following trick again:
svn list https://giews.svn.sourceforge.net/svnroot/giews/gw_giews/trunk
SVN is asking again to store permananly the certificate.
- continuum works fine.
The problem started when SVN at Sourceforge renewed their certificates.
Somehow continuum is keeping track of the old one, I did not investigate
exactly. Therefore I will have to repeat this workaround when SourceForge
will renew the certificate.
Anyhow I wanted to let you know this solution/workaround.
Kind Regards,
Erik
-Original Message-
From: Emmanuel Venisse [mailto:[EMAIL PROTECTED]
Sent: 19 October 2007 15:01
To: continuum-users@maven.apache.org
Subject: Re: svn: PROPFIND of Server certificate verification failed: issuer
is not trusted
Look in your ${user.home}/.subversion/auth/svn.ssl.server/ directory if your
certificate is correctly stored.
Emmanuel
VanIngen, Erik (ESTG) a écrit :
> All,
>
> We are using apache-continuum-1.1-beta-3 on W2000 and are still facing
> this
> error:
>
> svn: PROPFIND request failed on
> '/svnroot/giews/gw_giews/trunk/fenix-4domain'
> svn: PROPFIND of '/svnroot/giews/gw_giews/trunk/fenix-4domain':
> Server certificate verification failed: issuer is not trusted
>
> I already did this trick:
> svn list
> https://giews.svn.sourceforge.net/svnroot/giews/gw_giews/trunk
> and accepted the certificate permanently which is the same as the
> continuum user.
>
> What could I do more?
>
> Kind Regards,
> Erik
>
>
Re: server certificate verification failed
See comments inline... "Graham Leggett" <[EMAIL PROTECTED]> wrote on 15/10/2007 13:40:36: > On Mon, October 15, 2007 1:51 pm, Ashley Williams wrote: > > > I would expect that if I have taken the decision to connect to a > > repository for development then it would go without saying that I also > > trust that site. > > You are missing the point behind SSL. Quite possibly! Although I would have thought the issue of whether or not I trust a particular site is different from whether my continuum installation is connecting me to the site I think it should be. So can you give guidance as to what my action should be? Each developer has just been hitting the 'accept permanently' button in subclipse in their own workspaces. So should we be thoroughly investigating the proposed certificate before doing this, since a glance at the certificate hostname field looks fine to me ( *.ibitdev.com). Continuum is in a dmz and has not been reconfigured since the last build, so I am fairly certain it is connecting to the correct url. > > Obviously you trust the site, you put it there, but how does your > continuum know that the site it is connecting to is the site you trust? > Diverting continuum to connect to something else is not very difficult to > do at all by a third party device on the same LAN (even a switched LAN), > it is not difficult to fool your subversion client to try and log into a > fake repository using the correct credentials. Having done this, the > attacker has a known working username and password for your repo, and > depending on how you set it up, they could either steal code or alter code > to their advantage. > > (Luckily as you run svn over https, you are not open to the risk of a > disgruntled employee deleting the files behind your CVS repo, as happened > at a friend's company a few weeks ago causing much angst and grief). > > Regards, > Graham > -- > > --- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.
Re: server certificate verification failed
On Mon, October 15, 2007 1:51 pm, Ashley Williams wrote: > I would expect that if I have taken the decision to connect to a > repository for development then it would go without saying that I also > trust that site. You are missing the point behind SSL. Obviously you trust the site, you put it there, but how does your continuum know that the site it is connecting to is the site you trust? Diverting continuum to connect to something else is not very difficult to do at all by a third party device on the same LAN (even a switched LAN), it is not difficult to fool your subversion client to try and log into a fake repository using the correct credentials. Having done this, the attacker has a known working username and password for your repo, and depending on how you set it up, they could either steal code or alter code to their advantage. (Luckily as you run svn over https, you are not open to the risk of a disgruntled employee deleting the files behind your CVS repo, as happened at a friend's company a few weeks ago causing much angst and grief). Regards, Graham --
Re: server certificate verification failed
I would expect that if I have taken the decision to connect to a repository for development then it would go without saying that I also trust that site. I'm not suggesting also that continuum auto-trusts out of the box, but rather as a configurable property and maybe against certain certificates. However I take your point that this is a subversion config issue - looks like I'll be browsing the redbook for the next half an hour ;) Thanks - Ashley "Graham Leggett" <[EMAIL PROTECTED]> wrote on 15/10/2007 10:37:38: > On Mon, October 15, 2007 10:57 am, Ashley Williams wrote: > > > Ok I can do this. I was hoping that since continuum is responsible for > > calling out to subversion, it could automatically accept on my behalf. > > After all I've already told continuum of my user name and password for the > > repository url so it should have everything it needs to do this. > > The trouble with this is that by doing this, you are removing most of the > protection the SSL certificate is offering you. > > Subversion can be configured to trust a root CA certificate(s), which will > mean in theory that subversion will always trust any new certs it finds, > on condition those certs are signed by a trusted root CA. This should make > your problem go away. > > Regards, > Graham > -- > > --- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.
Re: server certificate verification failed
On Mon, October 15, 2007 10:57 am, Ashley Williams wrote: > Ok I can do this. I was hoping that since continuum is responsible for > calling out to subversion, it could automatically accept on my behalf. > After all I've already told continuum of my user name and password for the > repository url so it should have everything it needs to do this. The trouble with this is that by doing this, you are removing most of the protection the SSL certificate is offering you. Subversion can be configured to trust a root CA certificate(s), which will mean in theory that subversion will always trust any new certs it finds, on condition those certs are signed by a trusted root CA. This should make your problem go away. Regards, Graham --
Re: server certificate verification failed
Ok I can do this. I was hoping that since continuum is responsible for calling out to subversion, it could automatically accept on my behalf. After all I've already told continuum of my user name and password for the repository url so it should have everything it needs to do this. Many thanks - Ashley Emmanuel Venisse <[EMAIL PROTECTED]> wrote on 15/10/2007 09:39:06: > Continuum can't accept it automatically because it's svn that must accept it. > On your continuum server, run svn with the user that run continuum > to accept permanently the certificate. > > Emmanuel > > Ashley Williams a écrit : > > Hi, > > > > After a couple of weeks of successful builds, we are suddenly getting the > > following error in continuum 1.0.3: > > > > svn: PROPFIND of '/svn/ges-abfo/trunk': Server certificate verification > > failed: issuer is not trusted (https://ges-abfo.ibitdev.com) > > > > Has anyone seen anything like this before? One guess is that the ssl > > certificate has somehow changed and if so, is there some way to get > > continuum to auto-accept this? > > > > Thanks > > - Ashley > > > > --- > > > > This e-mail may contain confidential and/or privileged > information. If you are not the intended recipient (or have received > this e-mail in error) please notify the sender immediately and > delete this e-mail. Any unauthorized copying, disclosure or > distribution of the material in this e-mail is strictly forbidden. > > > > Please refer to http://www.db.com/en/content/eu_disclosures.htm > for additional EU corporate and regulatory disclosures. > --- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.
Re: server certificate verification failed
Continuum can't accept it automatically because it's svn that must accept it. On your continuum server, run svn with the user that run continuum to accept permanently the certificate. Emmanuel Ashley Williams a écrit : Hi, After a couple of weeks of successful builds, we are suddenly getting the following error in continuum 1.0.3: svn: PROPFIND of '/svn/ges-abfo/trunk': Server certificate verification failed: issuer is not trusted (https://ges-abfo.ibitdev.com) Has anyone seen anything like this before? One guess is that the ssl certificate has somehow changed and if so, is there some way to get continuum to auto-accept this? Thanks - Ashley --- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.
server certificate verification failed
Hi, After a couple of weeks of successful builds, we are suddenly getting the following error in continuum 1.0.3: svn: PROPFIND of '/svn/ges-abfo/trunk': Server certificate verification failed: issuer is not trusted (https://ges-abfo.ibitdev.com) Has anyone seen anything like this before? One guess is that the ssl certificate has somehow changed and if so, is there some way to get continuum to auto-accept this? Thanks - Ashley --- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.
Re: The svn command failed ... Server certificate verification failed: issuer is not trusted
On 10/14/07, Bill Brown <[EMAIL PROTECTED]> wrote: > This issue still exists for me. I run continuum with the user I created > "continuum" . I am able to check out code with the continuum user from the > command line. I have already manually accepted the certificate verification > permenantly from the command line as the continuum user. After all of > this, the build fails with the same error message as the original post. > Does anyone else have another suggestion? Am I the only user experiencing > this issue? It's a legitimate issue, but accepting the certificate should have fixed it. Most likely, Continuum is not running in exactly the same environment that you get when you log in. How are you starting Continuum? -- Wendy
Re: The svn command failed ... Server certificate verification failed: issuer is not trusted
Greetings: This issue still exists for me. I run continuum with the user I created "continuum" . I am able to check out code with the continuum user from the command line. I have already manually accepted the certificate verification permenantly from the command line as the continuum user. After all of this, the build fails with the same error message as the original post. Does anyone else have another suggestion? Am I the only user experiencing this issue? Thanks. Bill. Bill Brown wrote: > > Greetings: > > I am trying to use continuum-1.1-beta-3 with jdk java-6-sun-1.6.0.03 on > Ubuntu Linux. > > After adding a maven2 pom, I get the following error when trying to build: > > Provider message: The svn command failed. > Command output: > --- > svn: PROPFIND request failed on '/repo/project/trunk' > svn: PROPFIND of '/repo/project/trunk': Server certificate verification > failed: issuer is not trusted (https://localhost) > > I run the continuum server with a user named continuum. > > I can manually run (as the continuum user) from the command line: 'svn > list https://localhost/repo/project/trunk' and get a listing of the > contents of the project/trunk. The first time I ran this I was prompted > to permenantly accept the certificate which I did. > > I have a copy of the cert in the continuum users home directory .keystore > file. > > Am I missing some other command to run to get continuum to recognize the > https://localhost certificate? > > Thanks for your help. > Bill. > > -- View this message in context: http://www.nabble.com/The-svn-command-failed-...-Server-certificate-verification-failed%3A-issuer-is-not-trusted-tf4611163.html#a13205415 Sent from the Continuum - Users mailing list archive at Nabble.com.
Re: The svn command failed ... Server certificate verification failed: issuer is not trusted
On 10/13/07, Bill Brown <[EMAIL PROTECTED]> wrote: > > Greetings: > > here is a clip from the logs: > > 85479675 [defaultScheduler_Worker-13] INFO > org.apache.maven.continuum.build.set > tings.SchedulesActivator:default - >>>>>>>>>>>>>>>>>>>>> Executing build > job (D > EFAULT_SCHEDULE)... > 85479720 [defaultScheduler_Worker-13] INFO > org.apache.maven.continuum.Continuum > :default - Enqueuing 'emap' (Build definition id=7). > 85479726 [pool-1-thread-1] INFO > org.apache.maven.continuum.buildcontroller.Buil > dController:default - Initializing build > 85479742 [pool-1-thread-1] INFO > org.apache.maven.continuum.buildcontroller.Buil > dController:default - Starting build of emap > 85479807 [pool-1-thread-1] INFO > org.apache.maven.continuum.buildcontroller.Buil > dController:default - Updating working dir > 85479808 [pool-1-thread-1] INFO > org.apache.maven.continuum.buildcontroller.Buil > dController:default - Performing action check-working-directory > 85479814 [pool-1-thread-1] INFO > org.apache.maven.continuum.buildcontroller.Buil > dController:default - Performing action checkout-project > 85479820 [pool-1-thread-1] INFO > org.apache.maven.continuum.scm.ContinuumScm:def > ault - Checking out project: 'emap', id: '7' to > '/opt/continuum-1.1-beta-3/apps > /continuum/webapp/WEB-INF/working-directory/7'. > 85479896 [pool-1-thread-1] INFO > org.apache.maven.scm.manager.ScmManager:default > - Executing: /bin/sh -c "cd > /opt/continuum-1.1-beta-3/apps/continuum/webapp/WE > B-INF/working-directory && svn --username continuum --non-interactive > checkout h > ttps://localhost/repo/emap/trunk 7" > 85479898 [pool-1-thread-1] INFO > org.apache.maven.scm.manager.ScmManager:default > - Working directory: > /opt/continuum-1.1-beta-3/apps/continuum/webapp/WEB-INF/w > orking-directory > 85480114 [pool-1-thread-1] WARN > org.apache.maven.continuum.scm.ContinuumScm:def > ault - Error while checking out the code for project: 'emap', id: '7' to > '/opt/ > continuum-1.1-beta-3/apps/continuum/webapp/WEB-INF/working-directory/7'. > 85480114 [pool-1-thread-1] WARN > org.apache.maven.continuum.scm.ContinuumScm:def > ault - Command output: svn: PROPFIND request failed on '/repo/emap/trunk' > svn: PROPFIND of '/repo/emap/trunk': Server certificate verification failed: > iss > uer is not trusted (https://localhost) Try to run svn checkout https://localhost/repo/emap/trunk using command line and manually accept certificate (svn will ask you for confirmation). Then svn running under continuum will know that given certificate is trusted for you. You need to do this using the same account that you're using to run continuum. HTH, Tomek
Re: The svn command failed ... Server certificate verification failed: issuer is not trusted
Greetings: here is a clip from the logs: 85479675 [defaultScheduler_Worker-13] INFO org.apache.maven.continuum.build.set tings.SchedulesActivator:default - >>>>>>>>>>>>>>>>>>>>> Executing build job (D EFAULT_SCHEDULE)... 85479720 [defaultScheduler_Worker-13] INFO org.apache.maven.continuum.Continuum :default - Enqueuing 'emap' (Build definition id=7). 85479726 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Initializing build 85479742 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Starting build of emap 85479807 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Updating working dir 85479808 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Performing action check-working-directory 85479814 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Performing action checkout-project 85479820 [pool-1-thread-1] INFO org.apache.maven.continuum.scm.ContinuumScm:def ault - Checking out project: 'emap', id: '7' to '/opt/continuum-1.1-beta-3/apps /continuum/webapp/WEB-INF/working-directory/7'. 85479896 [pool-1-thread-1] INFO org.apache.maven.scm.manager.ScmManager:default - Executing: /bin/sh -c "cd /opt/continuum-1.1-beta-3/apps/continuum/webapp/WE B-INF/working-directory && svn --username continuum --non-interactive checkout h ttps://localhost/repo/emap/trunk 7" 85479898 [pool-1-thread-1] INFO org.apache.maven.scm.manager.ScmManager:default - Working directory: /opt/continuum-1.1-beta-3/apps/continuum/webapp/WEB-INF/w orking-directory 85480114 [pool-1-thread-1] WARN org.apache.maven.continuum.scm.ContinuumScm:def ault - Error while checking out the code for project: 'emap', id: '7' to '/opt/ continuum-1.1-beta-3/apps/continuum/webapp/WEB-INF/working-directory/7'. 85480114 [pool-1-thread-1] WARN org.apache.maven.continuum.scm.ContinuumScm:def ault - Command output: svn: PROPFIND request failed on '/repo/emap/trunk' svn: PROPFIND of '/repo/emap/trunk': Server certificate verification failed: iss uer is not trusted (https://localhost) 85480114 [pool-1-thread-1] WARN org.apache.maven.continuum.scm.ContinuumScm:def ault - Provider message: The svn command failed. 85480184 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Merging SCM results 85480232 [pool-1-thread-1] INFO org.apache.maven.continuum.buildcontroller.Buil dController:default - Error updating from SCM, not building I can tell I am running as the continuum user by invoking: [EMAIL PROTECTED]:~$ ps -u continuum PID TTY TIME CMD 12119 ?00:00:35 wrapper 12121 ?00:08:57 java Let me know if I can send along anything else. Thanks for your help. Bill. Emmanuel Venisse wrote: > > can you paste your continuum logs too? > > Are you sure you run continuum with the continuum user because this svn > output is generally printed when the certificate isn't registered in the > svn registry. > > Emmanuel > > Bill Brown a écrit : >> Greetings: >> >> I am trying to use continuum-1.1-beta-3 with jdk java-6-sun-1.6.0.03 on >> Ubuntu Linux. >> >> After adding a maven2 pom, I get the following error when trying to >> build: >> >> Provider message: The svn command failed. >> Command output: >> --- >> svn: PROPFIND request failed on '/repo/project/trunk' >> svn: PROPFIND of '/repo/project/trunk': Server certificate verification >> failed: issuer is not trusted (https://localhost) >> >> I run the continuum server with a user named continuum. >> >> I can manually run (as the continuum user) from the command line: 'svn >> list >> https://localhost/repo/project/trunk' and get a listing of the contents >> of >> the project/trunk. The first time I ran this I was prompted to >> permenantly >> accept the certificate which I did. >> >> I have a copy of the cert in the continuum users home directory .keystore >> file. >> >> Am I missing some other command to run to get continuum to recognize the >> https://localhost certificate? >> >> Thanks for your help. >> Bill. >> > > > -- View this message in context: http://www.nabble.com/The-svn-command-failed-...-Server-certificate-verification-failed%3A-issuer-is-not-trusted-tf4611163.html#a13185702 Sent from the Continuum - Users mailing list archive at Nabble.com.
Re: The svn command failed ... Server certificate verification failed: issuer is not trusted
can you paste your continuum logs too? Are you sure you run continuum with the continuum user because this svn output is generally printed when the certificate isn't registered in the svn registry. Emmanuel Bill Brown a écrit : Greetings: I am trying to use continuum-1.1-beta-3 with jdk java-6-sun-1.6.0.03 on Ubuntu Linux. After adding a maven2 pom, I get the following error when trying to build: Provider message: The svn command failed. Command output: --- svn: PROPFIND request failed on '/repo/project/trunk' svn: PROPFIND of '/repo/project/trunk': Server certificate verification failed: issuer is not trusted (https://localhost) I run the continuum server with a user named continuum. I can manually run (as the continuum user) from the command line: 'svn list https://localhost/repo/project/trunk' and get a listing of the contents of the project/trunk. The first time I ran this I was prompted to permenantly accept the certificate which I did. I have a copy of the cert in the continuum users home directory .keystore file. Am I missing some other command to run to get continuum to recognize the https://localhost certificate? Thanks for your help. Bill.
