Defect #787

Subversion: Handle failed certificate verification

Added by David Förster over 13 years ago. Updated about 5 years ago.

Status:ClosedStart date:2008-03-04
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:SCM
Target version:-
Resolution:Wont fix Affected version:

Description

When the server certificate of the webserver, serving a subversion repository over HTTPS cannot be verified, redmine just fails silently. The expected behaviour is to be prompted whether to accept the certificate anyway or to get the error message displayed at least.

This is the complete error message from the logfile:

Processing RepositoriesController#show (for 85.180.74.128 at 2008-03-04 15:04:14) [GET]
  Session ID: fb94e477592f7e94e903cde5618a5a48
  Parameters: {"action"=>"show", "id"=>"1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for ["lists", "list"]>
/usr/lib/ruby/1.8/rexml/parsers/treeparser.rb:26:in `parse'
/usr/lib/ruby/1.8/rexml/document.rb:190:in `build'
/usr/lib/ruby/1.8/rexml/document.rb:45:in `initialize'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `new'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `call'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `popen'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:70:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/models/repository.rb:42:in `entries'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `send'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `method_missing'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/controllers/repositories_controller.rb:54:in `show'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `perform_action_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:697:in `call_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:101:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:149:in `with_signal_handler'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:99:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:77:in `process_each_request'
/usr/lib/ruby/1.8/fcgi.rb:612:in `each_cgi'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each_cgi'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:76:in `process_each_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:50:in `process!'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:24:in `process!'
/home/dave/web/private.dfoerster.de/htdocs/redmine/dispatch.fcgi:24
...
No close tag for ["lists", "list"]
Line:
Position:
Last 80 unconsumed characters:
Output was:
 Error validating server certificate for 'https://i72projekte.tm.uka.de:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: i72projekte.tm.uni-karlsruhe.de
 - Valid: from Wed, 18 Apr 2007 07:56:45 GMT until Thu, 17 Apr 2008 07:56:45 GMT
 - Issuer: Institut fuer Telematik, Universitaet Karlsruhe, Karlsruhe, DE
 - Fingerprint: 1c:d8:74:f4:eb:f3:25:94:06:e2:9d:0e:93:02:2e:66:65:3c:14:ca
(R)eject, accept (t)emporarily or accept (p)ermanently? svn: PROPFIND request failed on '/svn-repositories/Projekte/KAI/trunk'
svn: PROPFIND of '/svn-repositories/Projekte/KAI/trunk': Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted (https://i72projekte.tm.uka.de)
<?xml version="1.0"?>
<lists>
<list
   path="https://i72projekte.tm.uka.de/svn-repositories/Projekte/KAI/trunk">
Rendering template within layouts/base
Completed in 0.52444 (1 reqs/sec) | Rendering: 0.02560 (4%) | DB: 0.00000 (0%) | 200 OK [https://private.dfoerster.de/redmine/repositories/show/1]

Related issues

Duplicated by Redmine - Defect #1181: Connection to HTTPS subversion repository fails Closed 2008-05-06
Duplicated by Redmine - Defect #12467: subversion no longer works after upgrade Closed

History

#1 Updated by Pim Snel over 13 years ago

cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.

#2 Updated by Jean-Philippe Lang over 13 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

See #1235 and the FAQ.

#3 Updated by _ emesz _ about 12 years ago

Pim Snel wrote:

cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.

This solution works when Redmine was started using command

"ruby script/server webrick -e production" 
but if Redmine was installed as a windows service this solution doesn't work. I can list repository using cmd and typing
svn list --xml "https://my_svn_location"@HEAD
but at my local redmine site I don't see the repository content.

This is the error message from the log file:

Processing RepositoriesController#show (for 127.0.0.1 at 2009-10-06 09:37:15) [GET]
  Session ID: cc9b1b6dda5ca4c9ade6b232fc88620b
  Parameters: {"action"=>"show", "id"=>"Proj1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list>
C:/Ruby/lib/ruby/1.8/rexml/parsers/treeparser.rb:28:in `parse'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:205:in `build'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:42:in `initialize'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `new'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `entries'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `call'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `popen'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:165:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:83:in `entries'
c:/Redmine/app/models/repository.rb:63:in `entries'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `send'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `method_missing'
c:/Redmine/app/controllers/repositories_controller.rb:71:in `show'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `perform_action_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:579:in `call_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:572:in `perform_action_without_benchmark'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/Ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/rescue.rb:201:in `perform_action_without_caching'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:13:in `perform_action'
c:/Redmine/vendor/rails/activerecord/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
c:/Redmine/vendor/rails/activerecord/lib/active_record/query_cache.rb:8:in `cache'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:12:in `perform_action'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `process_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:568:in `process_without_session_management_support'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/session_management.rb:130:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:389:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:149:in `handle_request'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:107:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `synchronize'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:120:in `dispatch_cgi'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:35:in `dispatch'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:76:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `synchronize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:159:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:282:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:128:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/command.rb:212:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:281
C:/Ruby/bin/mongrel_rails:19:in `load'
C:/Ruby/bin/mongrel_rails:19
...
No close tag for /lists/list
Line: 
Position: 
Last 80 unconsumed characters:
Output was:
 <?xml version="1.0"?>
<lists>
<list
   path="https://testpc:8443/svn/Proj1">
Rendering template within layouts/base
Rendering repositories/show
Completed in 1.70200 (0 reqs/sec) | Rendering: 0.03000 (1%) | DB: 0.00000 (0%) | 200 OK [http://localhost/repositories/show/Proj1]

Does somebody know what is wrong and how to fix this?

#4 Updated by _ emesz _ about 12 years ago

Ok, I fixed this :)
I changed line 228 in subversion_adapter.rb

Original line was:

str << " --no-auth-cache --non-interactive" 

Changed line looks like this:
str << " --no-auth-cache --trust-server-cert --non-interactive" 

#5 Updated by Vlad Gurovich about 12 years ago

_ emesz _ wrote:

Ok, I fixed this :)
I changed line 228 in subversion_adapter.rb

Original line was:
[...]
Changed line looks like this:
[...]

unfortunately --trust-server-cert is only available in Subversion 1.6

#6 Updated by Yar n over 11 years ago

  • Status changed from Closed to Reopened

so,
ho fix it? %)

--trust-server-cert doesn't work.
saved cert with svn command - and it doesn't work too.

#7 Updated by Petr Losa over 11 years ago

I have a same problem

...
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
 <?xml version="1.0"?>
<lists>
<list
   path="https://subversion.losa.cz">
Rendering template within layouts/base

#8 Updated by Rimas Kabašinskas over 11 years ago

had same problem here as above with svn 1.5.
solved like this:

edited the redmine/lib/redmine/scm/adapters/subversion_adapter.rb from:

#SVN executable name
SVN_BIN = "svn "

to

SVN_BIN = "svn --config-dir /tmp/subversion_config "
don't forget to let access to to this dir to redmine user (i'm runing redmine as redmine user)

run this command to cache certificate data (replace xxx with your data):

su redmine -c 'svn list --config-dir /tmp/subversion_config --xml https://xxx/svn/xxx/trunk'

restarted redmine.

#9 Updated by Petr Losa over 11 years ago

hmm, no change, still error:

No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
 <?xml version="1.0"?>
<lists>
<list
   path="https://subversion.losa.cz/delphi/WifiLINK">
Rendering template within layouts/base

#10 Updated by Everard Brown over 11 years ago

I am also having this problem:
redmine-0.9.3
subversion-1.6.9

Maybe this is a red herring but...

When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?

#11 Updated by Everard Brown over 11 years ago

Everard Brown wrote:

I am also having this problem:
redmine-0.9.3
subversion-1.6.9

Maybe this is a red herring but...

When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?

It was indeed a red-herring. I switched from mongrel back to WEBrick and it is working again now - if I find out what's up with my mongrel setup I'll report back.

#12 Updated by Holger Just over 11 years ago

  • Status changed from Reopened to Closed

Please open a thread in the forums to get help. The issue tracker is not suited for that.

#13 Updated by zeerd emneg about 11 years ago

Any news for this?
Or it's moved to the forum already -- if so , what's the new url?

Meet the same issues , too .

#14 Updated by Jose Mari M over 10 years ago

Caution, because if the ssl certified is expired the error is the same:

# su - redmice -c "svn list --config-dir /tmp/subversion_config --xml https://test.com/svn/project/trunk"
...
Certificate information:
- Hostname: test.com
- Valid: from Jun 8 10:15:12 2010 GMT until Jun 8 10:15:12 2011 GMT
...
svn: OPTIONS of 'https://test.com/svn/project/trunk': Server certificate verification failed: certificate has expired, issuer is not trusted (https://test.com

#15 Updated by Kos Huang about 10 years ago

Hi all,

I am confused in this issue for a long time and found a solution finally.

The following web page is the reference.
http://huawuya.blog.hexun.com/62094448_d.html

I did two steps to solve this problem.

1.execute following instruction to let your computer trust SVN Server.

svn ls --config-option config:auth:store-auth-creds=yes https://111.222.111.222:8443/svn/myproject

2. Modify [redmine]\lib\redmine\scm\adapters\subversion_adapter.rb line 265:

from

str << " --no-auth-cache --non-interactive"

to

str << " --no-auth-cache --non-interactive --config-dir \"C:/Documents and Settings/myaccount/Application Data/Subversion\""

for win7 :

to

"--no-auth-cache --non-interactive --config-dir C:/Users/CD-SVN/AppData/Roaming/Subversion"

then restart redmine and it worked!!

Hope it will work for your environment.

#16 Updated by Mario Di Vece about 9 years ago

Just wanted to update everyone trying to get this to work: The solution provided by Kos Huang works. (I'm using version 2.0.3)
I tried everything until I bumped into this.
Thanks so much Kos!

#17 Updated by Luc GIROUX over 8 years ago

Solution From Kos Huang worked for me too but with an exception:

I changed subversion_adapter.rb

from

str << " --no-auth-cache --non-interactive" 

to

str << " --no-auth-cache --trust-server-cert --non-interactive" 

#18 Updated by Aleksandar Pavic about 5 years ago

I can confirm this issue in:

Environment:
  Redmine version                2.5.2.stable
  Ruby version                   1.9.3-p551 (2014-11-13) [x86_64-linux]
  Rails version                  3.2.19
  Environment                    production
  Database adapter               Mysql2
SCM:
  Subversion                     1.8.8

With same dump in log file:

Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list

The expected behavior would be to accept different server certificate.

In my case, certificate had expired, and I replaced it with Lets Encrypt certificate.

The ONLY solution that worked for me:

1. logged in as redmine user to server console (su - myredmineuser)
2. performed svn list https://myRedmineRepo
3. accepted certificate permanently
4. logged in back to my Redmine and clicked on repository - now working

#19 Updated by Aleksandar Pavic about 5 years ago

Update, supposigly SVN 1.9 does have a new flag for this:

--trust-server-cert         : deprecated; same as --trust-server-cert-failures=unknown-ca
--trust-server-cert-failures ARG : with --non-interactive, accept SSL server
                             certificates with failures; ARG is comma-separated
                             list of 'unknown-ca' (Unknown Authority),
                             'cn-mismatch' (Hostname mismatch), 'expired'
                             (Expired certificate), 'not-yet-valid' (Not yet
                             valid certificate) and 'other' (all other not
                             separately classified certificate errors).

So in my case, change in svn_adapter.rb should be:


str << " --no-auth-cache --trust-server-cert-failures=cn-mismatch --non-interactive" 

Also available in: Atom PDF