Defect #24864

closed

svn.redmine.org: "The certificate is not issued by a trusted authority"

Added by Gwyll Gwyllin almost 8 years ago. Updated 5 months ago.

Status: Closed
Priority: Low
Assignee: -
Category: Website (redmine.org)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Your certificate is expired.

```
Error validating server certificate for 'https://svn.redmine.org:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: svn.redmine.org
- Valid: from Jan 8 00:00:00 2017 GMT until Jan 8 23:59:59 2020 GMT
- Issuer: Gandi, Paris, Paris, FR
- Fingerprint: AB:F1:C8:B7:69:A6:99:BD:20:C1:59:A4:5F:60:9E:27:2D:81:82:B7
```


Files

firefox.png (66.8 KB), Toshi MARUYAMA, 2017-01-18 17:04
svn-redmine-org.png (49.4 KB), Gwyll Gwyllin, 2017-01-18 17:55
gnutls-cli.txt (7.41 KB), Toshi MARUYAMA, 2017-01-18 20:14

Related issues

Related to Redmine - Defect #24509: SSL Certificate expired for svn.redmine.org (Closed, Jean-Philippe Lang)
Related to Redmine - Defect #22281: http://redmine.org results in a 403 Forbidden (Closed, Jean-Philippe Lang)

Actions #1

Updated by Gwyll Gwyllin almost 8 years ago

Sorry, not expired ... untrusted.

Actions #2

Updated by Toshi MARUYAMA almost 8 years ago

  • Status changed from New to Needs feedback

Really?
#24509

Actions #3

Updated by Gwyll Gwyllin almost 8 years ago

As I mentioned, not expired, untrusted.

So ... yes, really.

Actions #4

Updated by Toshi MARUYAMA almost 8 years ago

What is the problem?

Actions #5

Updated by Gwyll Gwyllin almost 8 years ago

I included the error message in the description but if you prefer screenshots, see attached.

Actions #6

Updated by Toshi MARUYAMA almost 8 years ago

Do you mean "Gandi, Paris, Paris, FR" is untrusted?

Actions #7

Updated by Toshi MARUYAMA almost 8 years ago

  • File gnutls-cli.txt added
  • Subject changed from Upgrade svn.redmine.org's SSL Certificate to svn.redmine.org: "The certificate is not issued by a trusted authority"
  • Category changed from Security to Website (redmine.org)
  • Status changed from Needs feedback to New
  • Priority changed from High to Low

Actions #8

Updated by Toshi MARUYAMA almost 8 years ago

  • Related to Defect #24509: SSL Certificate expired for svn.redmine.org added

Actions #9

Updated by Toshi MARUYAMA almost 8 years ago

  • Related to Defect #22281: http://redmine.org results in a 403 Forbidden added

Actions #10

Updated by Holger Just over 7 years ago

The certificate itself is fine and valid. However, it appears that the server for https://svn.redmine.org does not send along the required intermediate certificates to allow clients to verify the full certificate chain as shown in Toshi's gnutls trace.

Some clients (like most current browsers) cache intermediate certificates they have already seen somewhere else (e.g. from a visit to https://www.redmine.org). This allows them to still verify the certificate chain even if the actual server does not send the required certificates along.

SVN clients usually don't do this (and don't even "visit" other sites). Thus, they have no way to learn about the intermediate certificate chain which is required to verify the server certificate. The clients only have their internal list of trusted root certificates. The solution would be to configure the webserver at https://svn.redmine.org to also send the intermediate certificates along, similar to how it's done for the main website at https://www.redmine.org. I think that right now only Jean-Philippe is able to perform this change.

Actions #11

Updated by Andrey Galkin about 7 years ago

I've just run into the same problem.

Please use SSLCertificateChainFile or SSLCertificateFile depending on Apache version.

You can see the problem here: https://www.ssllabs.com/ssltest/analyze.html?d=svn.redmine.org
"Chain issues Incomplete"

Please also check: https://mozilla.github.io/server-side-tls/ssl-config-generator/
to get an acceptable TLS configuration instead of the current insecure one.

Actions #12

Updated by Seiei Miyagi over 5 years ago

Is there any progress?

I had the same issue.
https://github.com/agileware-jp/redmine-plugin-orb/pull/8#discussion_r291828335

I use the following one-liner for now.

```
svn co --non-interactive --config-option servers:global:ssl-authority-files=<(curl -sL https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem) https://svn.redmine.org/redmine/trunk /tmp/redmine
```

Gandi's intermediary certificates are listed here.
https://docs.gandi.net/en/ssl/documents/technical_documents.html

Actions #13

Updated by Holger Just 5 months ago

  • Status changed from New to Closed
  • Resolution set to Fixed

It seems that this was fixed.

svn.redmine.org currently sends an intermediate certificate which allows clients to build a certificate chain towards the "USERTrust RSA Certification Authority" which is usually included in trusted root certificate stores.
