Defect #787
closed
Subversion: Handle failed certificate verification
0%
Description
When the server certificate of the webserver, serving a subversion repository over HTTPS cannot be verified, redmine just fails silently. The expected behaviour is to be prompted whether to accept the certificate anyway or to get the error message displayed at least.
This is the complete error message from the logfile:
Processing RepositoriesController#show (for 85.180.74.128 at 2008-03-04 15:04:14) [GET]
Session ID: fb94e477592f7e94e903cde5618a5a48
Parameters: {"action"=>"show", "id"=>"1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for ["lists", "list"]>
/usr/lib/ruby/1.8/rexml/parsers/treeparser.rb:26:in `parse'
/usr/lib/ruby/1.8/rexml/document.rb:190:in `build'
/usr/lib/ruby/1.8/rexml/document.rb:45:in `initialize'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `new'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `call'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `popen'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:70:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/models/repository.rb:42:in `entries'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `send'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `method_missing'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/controllers/repositories_controller.rb:54:in `show'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `perform_action_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:697:in `call_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:101:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:149:in `with_signal_handler'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:99:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:77:in `process_each_request'
/usr/lib/ruby/1.8/fcgi.rb:612:in `each_cgi'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each_cgi'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:76:in `process_each_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:50:in `process!'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:24:in `process!'
/home/dave/web/private.dfoerster.de/htdocs/redmine/dispatch.fcgi:24
...
No close tag for ["lists", "list"]
Line:
Position:
Last 80 unconsumed characters:
Output was:
Error validating server certificate for 'https://i72projekte.tm.uka.de:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: i72projekte.tm.uni-karlsruhe.de
- Valid: from Wed, 18 Apr 2007 07:56:45 GMT until Thu, 17 Apr 2008 07:56:45 GMT
- Issuer: Institut fuer Telematik, Universitaet Karlsruhe, Karlsruhe, DE
- Fingerprint: 1c:d8:74:f4:eb:f3:25:94:06:e2:9d:0e:93:02:2e:66:65:3c:14:ca
(R)eject, accept (t)emporarily or accept (p)ermanently? svn: PROPFIND request failed on '/svn-repositories/Projekte/KAI/trunk'
svn: PROPFIND of '/svn-repositories/Projekte/KAI/trunk': Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted (https://i72projekte.tm.uka.de)
<?xml version="1.0"?>
<lists>
<list
path="https://i72projekte.tm.uka.de/svn-repositories/Projekte/KAI/trunk">
Rendering template within layouts/base
Completed in 0.52444 (1 reqs/sec) | Rendering: 0.02560 (4%) | DB: 0.00000 (0%) | 200 OK [https://private.dfoerster.de/redmine/repositories/show/1]
Related issues
Updated by Pim Snel almost 17 years ago
cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.
Updated by Jean-Philippe Lang over 16 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
Updated by _ emesz _ about 15 years ago
Pim Snel wrote:
cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.
This solution works when Redmine was started using command
"ruby script/server webrick -e production"but if Redmine was installed as a windows service this solution doesn't work. I can list repository using cmd and typing
svn list --xml "https://my_svn_location"@HEADbut at my local redmine site I don't see the repository content.
This is the error message from the log file:
Processing RepositoriesController#show (for 127.0.0.1 at 2009-10-06 09:37:15) [GET]
Session ID: cc9b1b6dda5ca4c9ade6b232fc88620b
Parameters: {"action"=>"show", "id"=>"Proj1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list>
C:/Ruby/lib/ruby/1.8/rexml/parsers/treeparser.rb:28:in `parse'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:205:in `build'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:42:in `initialize'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `new'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `entries'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `call'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `popen'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:165:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:83:in `entries'
c:/Redmine/app/models/repository.rb:63:in `entries'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `send'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `method_missing'
c:/Redmine/app/controllers/repositories_controller.rb:71:in `show'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `perform_action_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:579:in `call_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:572:in `perform_action_without_benchmark'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/Ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/rescue.rb:201:in `perform_action_without_caching'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:13:in `perform_action'
c:/Redmine/vendor/rails/activerecord/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
c:/Redmine/vendor/rails/activerecord/lib/active_record/query_cache.rb:8:in `cache'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:12:in `perform_action'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `process_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:568:in `process_without_session_management_support'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/session_management.rb:130:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:389:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:149:in `handle_request'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:107:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `synchronize'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:120:in `dispatch_cgi'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:35:in `dispatch'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:76:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `synchronize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:159:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:282:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:128:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/command.rb:212:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:281
C:/Ruby/bin/mongrel_rails:19:in `load'
C:/Ruby/bin/mongrel_rails:19
...
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
<?xml version="1.0"?>
<lists>
<list
path="https://testpc:8443/svn/Proj1">
Rendering template within layouts/base
Rendering repositories/show
Completed in 1.70200 (0 reqs/sec) | Rendering: 0.03000 (1%) | DB: 0.00000 (0%) | 200 OK [http://localhost/repositories/show/Proj1]
Does somebody know what is wrong and how to fix this?
Updated by _ emesz _ about 15 years ago
Ok, I fixed this :)
I changed line 228 in subversion_adapter.rb
Original line was:
str << " --no-auth-cache --non-interactive"
Changed line looks like this:
str << " --no-auth-cache --trust-server-cert --non-interactive"
Updated by Vlad Gurovich about 15 years ago
_ emesz _ wrote:
Ok, I fixed this :)
I changed line 228 in subversion_adapter.rbOriginal line was:
[...]
Changed line looks like this:
[...]
unfortunately --trust-server-cert is only available in Subversion 1.6
Updated by Yar n almost 15 years ago
- Status changed from Closed to Reopened
so,
ho fix it? %)
--trust-server-cert doesn't work.
saved cert with svn command - and it doesn't work too.
Updated by Petr Losa almost 15 years ago
I have a same problem
... No close tag for /lists/list Line: Position: Last 80 unconsumed characters: Output was: <?xml version="1.0"?> <lists> <list path="https://subversion.losa.cz"> Rendering template within layouts/base
Updated by Rimas Kabašinskas over 14 years ago
had same problem here as above with svn 1.5.
solved like this:
edited the redmine/lib/redmine/scm/adapters/subversion_adapter.rb from:
#SVN executable name
SVN_BIN = "svn "to
SVN_BIN = "svn --config-dir /tmp/subversion_config "
don't forget to let access to to this dir to redmine user (i'm runing redmine as redmine user)
run this command to cache certificate data (replace xxx with your data):
su redmine -c 'svn list --config-dir /tmp/subversion_config --xml https://xxx/svn/xxx/trunk'
restarted redmine.
Updated by Petr Losa over 14 years ago
hmm, no change, still error:
No close tag for /lists/list Line: Position: Last 80 unconsumed characters: Output was: <?xml version="1.0"?> <lists> <list path="https://subversion.losa.cz/delphi/WifiLINK"> Rendering template within layouts/base
Updated by Everard Brown over 14 years ago
I am also having this problem:
redmine-0.9.3
subversion-1.6.9
Maybe this is a red herring but...
When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?
Updated by Everard Brown over 14 years ago
Everard Brown wrote:
I am also having this problem:
redmine-0.9.3
subversion-1.6.9Maybe this is a red herring but...
When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?
It was indeed a red-herring. I switched from mongrel back to WEBrick and it is working again now - if I find out what's up with my mongrel setup I'll report back.
Updated by Holger Just over 14 years ago
- Status changed from Reopened to Closed
Please open a thread in the forums to get help. The issue tracker is not suited for that.
Updated by zeerd emneg about 14 years ago
Any news for this?
Or it's moved to the forum already -- if so , what's the new url?
Meet the same issues , too .
Updated by Jose Mari M over 13 years ago
Caution, because if the ssl certified is expired the error is the same:
# su - redmice -c "svn list --config-dir /tmp/subversion_config --xml https://test.com/svn/project/trunk"...
Certificate information:
- Hostname: test.com
- Valid: from Jun 8 10:15:12 2010 GMT until Jun 8 10:15:12 2011 GMT
...
svn: OPTIONS of 'https://test.com/svn/project/trunk': Server certificate verification failed: certificate has expired, issuer is not trusted (https://test.com
Updated by Kos Huang over 13 years ago
Hi all,
I am confused in this issue for a long time and found a solution finally.
The following web page is the reference.
http://huawuya.blog.hexun.com/62094448_d.html
I did two steps to solve this problem.
1.execute following instruction to let your computer trust SVN Server.
svn ls --config-option config:auth:store-auth-creds=yes https://111.222.111.222:8443/svn/myproject
2. Modify [redmine]\lib\redmine\scm\adapters\subversion_adapter.rb line 265:
from
str << " --no-auth-cache --non-interactive"
to
str << " --no-auth-cache --non-interactive --config-dir \"C:/Documents and Settings/myaccount/Application Data/Subversion\""
for win7 :
to
"--no-auth-cache --non-interactive --config-dir C:/Users/CD-SVN/AppData/Roaming/Subversion"
then restart redmine and it worked!!
Hope it will work for your environment.
Updated by Mario Di Vece over 12 years ago
Just wanted to update everyone trying to get this to work: The solution provided by Kos Huang works. (I'm using version 2.0.3)
I tried everything until I bumped into this.
Thanks so much Kos!
Updated by Luc GIROUX over 11 years ago
Solution From Kos Huang worked for me too but with an exception:
I changed subversion_adapter.rb
from
str << " --no-auth-cache --non-interactive"
to
str << " --no-auth-cache --trust-server-cert --non-interactive"
Updated by Aleksandar Pavic about 8 years ago
I can confirm this issue in:
Environment: Redmine version 2.5.2.stable Ruby version 1.9.3-p551 (2014-11-13) [x86_64-linux] Rails version 3.2.19 Environment production Database adapter Mysql2 SCM: Subversion 1.8.8
With same dump in log file:
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list
The expected behavior would be to accept different server certificate.
In my case, certificate had expired, and I replaced it with Lets Encrypt certificate.
The ONLY solution that worked for me:
1. logged in as redmine user to server console (su - myredmineuser)
2. performed svn list https://myRedmineRepo
3. accepted certificate permanently
4. logged in back to my Redmine and clicked on repository - now working
Updated by Aleksandar Pavic about 8 years ago
Update, supposigly SVN 1.9 does have a new flag for this:
--trust-server-cert : deprecated; same as --trust-server-cert-failures=unknown-ca
--trust-server-cert-failures ARG : with --non-interactive, accept SSL server
certificates with failures; ARG is comma-separated
list of 'unknown-ca' (Unknown Authority),
'cn-mismatch' (Hostname mismatch), 'expired'
(Expired certificate), 'not-yet-valid' (Not yet
valid certificate) and 'other' (all other not
separately classified certificate errors).
So in my case, change in svn_adapter.rb should be:
str << " --no-auth-cache --trust-server-cert-failures=cn-mismatch --non-interactive"