Defect #787
closed
Subversion: Handle failed certificate verification
Added by David Förster almost 17 years ago.
Updated about 8 years ago.
Description
When the server certificate of the webserver, serving a subversion repository over HTTPS cannot be verified, redmine just fails silently. The expected behaviour is to be prompted whether to accept the certificate anyway or to get the error message displayed at least.
This is the complete error message from the logfile:
Processing RepositoriesController#show (for 85.180.74.128 at 2008-03-04 15:04:14) [GET]
Session ID: fb94e477592f7e94e903cde5618a5a48
Parameters: {"action"=>"show", "id"=>"1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for ["lists", "list"]>
/usr/lib/ruby/1.8/rexml/parsers/treeparser.rb:26:in `parse'
/usr/lib/ruby/1.8/rexml/document.rb:190:in `build'
/usr/lib/ruby/1.8/rexml/document.rb:45:in `initialize'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `new'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:73:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `call'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:118:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `popen'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/abstract_adapter.rb:116:in `shellout'
/home/dave/web/private.dfoerster.de/redmine-0.6/lib/redmine/scm/adapters/subversion_adapter.rb:70:in `entries'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/models/repository.rb:42:in `entries'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `send'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/associations/association_proxy.rb:125:in `method_missing'
/home/dave/web/private.dfoerster.de/redmine-0.6/app/controllers/repositories_controller.rb:54:in `show'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:1158:in `perform_action_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:697:in `call_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:689:in `perform_action_without_benchmark'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/rescue.rb:199:in `perform_action_without_caching'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:678:in `perform_action'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
/var/lib/gems/1.8/gems/activerecord-2.0.2/lib/active_record/query_cache.rb:8:in `cache'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/caching.rb:677:in `perform_action'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `send'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:524:in `process_without_filters'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/filters.rb:685:in `process_without_session_management_support'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:123:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/base.rb:388:in `process'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:171:in `handle_request'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:115:in `dispatch'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:126:in `dispatch_cgi'
/var/lib/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/dispatcher.rb:9:in `dispatch'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:101:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:149:in `with_signal_handler'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:99:in `process_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:77:in `process_each_request'
/usr/lib/ruby/1.8/fcgi.rb:612:in `each_cgi'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each'
/usr/lib/ruby/1.8/fcgi.rb:609:in `each_cgi'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:76:in `process_each_request'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:50:in `process!'
/var/lib/gems/1.8/gems/rails-2.0.2/lib/fcgi_handler.rb:24:in `process!'
/home/dave/web/private.dfoerster.de/htdocs/redmine/dispatch.fcgi:24
...
No close tag for ["lists", "list"]
Line:
Position:
Last 80 unconsumed characters:
Output was:
Error validating server certificate for 'https://i72projekte.tm.uka.de:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: i72projekte.tm.uni-karlsruhe.de
- Valid: from Wed, 18 Apr 2007 07:56:45 GMT until Thu, 17 Apr 2008 07:56:45 GMT
- Issuer: Institut fuer Telematik, Universitaet Karlsruhe, Karlsruhe, DE
- Fingerprint: 1c:d8:74:f4:eb:f3:25:94:06:e2:9d:0e:93:02:2e:66:65:3c:14:ca
(R)eject, accept (t)emporarily or accept (p)ermanently? svn: PROPFIND request failed on '/svn-repositories/Projekte/KAI/trunk'
svn: PROPFIND of '/svn-repositories/Projekte/KAI/trunk': Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted (https://i72projekte.tm.uka.de)
<?xml version="1.0"?>
<lists>
<list
path="https://i72projekte.tm.uka.de/svn-repositories/Projekte/KAI/trunk">
Rendering template within layouts/base
Completed in 0.52444 (1 reqs/sec) | Rendering: 0.02560 (4%) | DB: 0.00000 (0%) | 200 OK [https://private.dfoerster.de/redmine/repositories/show/1]
cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.
- Status changed from New to Closed
- Resolution set to Wont fix
Pim Snel wrote:
cal the url using svn from the command line as the user running redmine will fix this. You are asked the accept the certificate and then redmine also works.
This solution works when Redmine was started using command
"ruby script/server webrick -e production"
but if Redmine was installed as a windows service this solution doesn't work. I can list repository using cmd and typing
svn list --xml "https://my_svn_location"@HEAD
but at my local redmine site I don't see the repository content.
This is the error message from the log file:
Processing RepositoriesController#show (for 127.0.0.1 at 2009-10-06 09:37:15) [GET]
Session ID: cc9b1b6dda5ca4c9ade6b232fc88620b
Parameters: {"action"=>"show", "id"=>"Proj1", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list>
C:/Ruby/lib/ruby/1.8/rexml/parsers/treeparser.rb:28:in `parse'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:205:in `build'
C:/Ruby/lib/ruby/1.8/rexml/document.rb:42:in `initialize'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `new'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:86:in `entries'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `call'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:177:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `popen'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:175:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/abstract_adapter.rb:165:in `shellout'
c:/Redmine/lib/redmine/scm/adapters/subversion_adapter.rb:83:in `entries'
c:/Redmine/app/models/repository.rb:63:in `entries'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `send'
c:/Redmine/vendor/rails/activerecord/lib/active_record/associations/association_proxy.rb:173:in `method_missing'
c:/Redmine/app/controllers/repositories_controller.rb:71:in `show'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:1166:in `perform_action_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:579:in `call_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:572:in `perform_action_without_benchmark'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
C:/Ruby/lib/ruby/1.8/benchmark.rb:293:in `measure'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/rescue.rb:201:in `perform_action_without_caching'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:13:in `perform_action'
c:/Redmine/vendor/rails/activerecord/lib/active_record/connection_adapters/abstract/query_cache.rb:33:in `cache'
c:/Redmine/vendor/rails/activerecord/lib/active_record/query_cache.rb:8:in `cache'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/caching/sql_cache.rb:12:in `perform_action'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `send'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:529:in `process_without_filters'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/filters.rb:568:in `process_without_session_management_support'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/session_management.rb:130:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/base.rb:389:in `process'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:149:in `handle_request'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:107:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `synchronize'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:104:in `dispatch'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:120:in `dispatch_cgi'
c:/Redmine/vendor/rails/actionpack/lib/action_controller/dispatcher.rb:35:in `dispatch'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:76:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `synchronize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/rails.rb:74:in `process'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:159:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:158:in `process_client'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:285:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `initialize'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `new'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel.rb:268:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:282:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `each'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/configurator.rb:281:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:128:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/../lib/mongrel/command.rb:212:in `run'
C:/Ruby/lib/ruby/gems/1.8/gems/mongrel-1.1.5-x86-mswin32-60/bin/mongrel_rails:281
C:/Ruby/bin/mongrel_rails:19:in `load'
C:/Ruby/bin/mongrel_rails:19
...
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
<?xml version="1.0"?>
<lists>
<list
path="https://testpc:8443/svn/Proj1">
Rendering template within layouts/base
Rendering repositories/show
Completed in 1.70200 (0 reqs/sec) | Rendering: 0.03000 (1%) | DB: 0.00000 (0%) | 200 OK [http://localhost/repositories/show/Proj1]
Does somebody know what is wrong and how to fix this?
Ok, I fixed this :)
I changed line 228 in subversion_adapter.rb
Original line was:
str << " --no-auth-cache --non-interactive"
Changed line looks like this:
str << " --no-auth-cache --trust-server-cert --non-interactive"
_ emesz _ wrote:
Ok, I fixed this :)
I changed line 228 in subversion_adapter.rb
Original line was:
[...]
Changed line looks like this:
[...]
unfortunately --trust-server-cert is only available in Subversion 1.6
- Status changed from Closed to Reopened
so,
ho fix it? %)
--trust-server-cert doesn't work.
saved cert with svn command - and it doesn't work too.
I have a same problem
...
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
<?xml version="1.0"?>
<lists>
<list
path="https://subversion.losa.cz">
Rendering template within layouts/base
had same problem here as above with svn 1.5.
solved like this:
edited the redmine/lib/redmine/scm/adapters/subversion_adapter.rb from:
#SVN executable name
SVN_BIN = "svn "
to
SVN_BIN = "svn --config-dir /tmp/subversion_config "
don't forget to let access to to this dir to redmine user (i'm runing redmine as redmine user)
run this command to cache certificate data (replace xxx with your data):
su redmine -c 'svn list --config-dir /tmp/subversion_config --xml https://xxx/svn/xxx/trunk'
restarted redmine.
hmm, no change, still error:
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
<?xml version="1.0"?>
<lists>
<list
path="https://subversion.losa.cz/delphi/WifiLINK">
Rendering template within layouts/base
I am also having this problem:
redmine-0.9.3
subversion-1.6.9
Maybe this is a red herring but...
When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?
Everard Brown wrote:
I am also having this problem:
redmine-0.9.3
subversion-1.6.9
Maybe this is a red herring but...
When I run 'svn list -xml' via CLI, there is a long pause in the output exactly at the place where redmine reports the error. Is it possible that the REXML parser is terminating it's input due to some kind of time out?
It was indeed a red-herring. I switched from mongrel back to WEBrick and it is working again now - if I find out what's up with my mongrel setup I'll report back.
- Status changed from Reopened to Closed
Please open a thread in the forums to get help. The issue tracker is not suited for that.
Any news for this?
Or it's moved to the forum already -- if so , what's the new url?
Meet the same issues , too .
Caution, because if the ssl certified is expired the error is the same:
# su - redmice -c "svn list --config-dir /tmp/subversion_config --xml
https://test.com/svn/project/trunk"
...
Certificate information:
- Hostname: test.com
- Valid: from Jun 8 10:15:12 2010 GMT until Jun 8 10:15:12 2011 GMT
...
svn: OPTIONS of 'https://test.com/svn/project/trunk': Server certificate verification failed: certificate has expired, issuer is not trusted (
https://test.com
Hi all,
I am confused in this issue for a long time and found a solution finally.
The following web page is the reference.
http://huawuya.blog.hexun.com/62094448_d.html
I did two steps to solve this problem.
1.execute following instruction to let your computer trust SVN Server.
svn ls --config-option config:auth:store-auth-creds=yes https://111.222.111.222:8443/svn/myproject
2. Modify [redmine]\lib\redmine\scm\adapters\subversion_adapter.rb line 265:
from
str << " --no-auth-cache --non-interactive"
to
str << " --no-auth-cache --non-interactive --config-dir \"C:/Documents and Settings/myaccount/Application Data/Subversion\""
for win7 :
to
"--no-auth-cache --non-interactive --config-dir C:/Users/CD-SVN/AppData/Roaming/Subversion"
then restart redmine and it worked!!
Hope it will work for your environment.
Just wanted to update everyone trying to get this to work: The solution provided by Kos Huang works. (I'm using version 2.0.3)
I tried everything until I bumped into this.
Thanks so much Kos!
Solution From Kos Huang worked for me too but with an exception:
I changed subversion_adapter.rb
from
str << " --no-auth-cache --non-interactive"
to
str << " --no-auth-cache --trust-server-cert --non-interactive"
I can confirm this issue in:
Environment:
Redmine version 2.5.2.stable
Ruby version 1.9.3-p551 (2014-11-13) [x86_64-linux]
Rails version 3.2.19
Environment production
Database adapter Mysql2
SCM:
Subversion 1.8.8
With same dump in log file:
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list
The expected behavior would be to accept different server certificate.
In my case, certificate had expired, and I replaced it with Lets Encrypt certificate.
The ONLY solution that worked for me:
1. logged in as redmine user to server console (su - myredmineuser)
2. performed svn list https://myRedmineRepo
3. accepted certificate permanently
4. logged in back to my Redmine and clicked on repository - now working
Update, supposigly SVN 1.9 does have a new flag for this:
--trust-server-cert : deprecated; same as --trust-server-cert-failures=unknown-ca
--trust-server-cert-failures ARG : with --non-interactive, accept SSL server
certificates with failures; ARG is comma-separated
list of 'unknown-ca' (Unknown Authority),
'cn-mismatch' (Hostname mismatch), 'expired'
(Expired certificate), 'not-yet-valid' (Not yet
valid certificate) and 'other' (all other not
separately classified certificate errors).
So in my case, change in svn_adapter.rb should be:
str << " --no-auth-cache --trust-server-cert-failures=cn-mismatch --non-interactive"
Also available in: Atom
PDF