Pet*_*rCJ 5 https certificate ssl svn
当 Bettercodes.org 在 9 月消失时,我将我的私人仓库移到了https://subversion.assembla.com/。它工作得很好,除了每次与服务器交互时我都必须暂时接受证书。
> svn --version
svn, version 1.8.4 (r1534716)
> svn update .
Updating '.':
Error validating server certificate for 'https://subversion.assembla.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate has an unknown error.
Certificate information:
- Hostname: *.assembla.com
- Valid: from Apr 16 13:31:17 2014 GMT until Mar 24 19:30:40 2016 GMT
- Issuer: http://certs.godaddy.com/repository/, GoDaddy.com, Inc., Scottsdale, Arizona, US
- Fingerprint: EC:9F:9D:B2:39:E1:34:81:7B:27:F6:51:30:8B:AC:41:5B:62:09:19
(R)eject or accept (t)emporarily? t
它没有让我选择永久接受(p),就像我的前几次搜索表明的那样。我猜这是因为“未知错误”。
根据https://serverfault.com/questions/27006/svn-wont-accept-my-invalid-certificate,我尝试更新 [global]:ssl-authority-files 以包含来自汇编的证书,并设置 ssl-trust -default-ca 为真。它仍然给出那个错误。
当这不起作用时,我深入研究了 ~/.subversion/auth/svn.ssl.server/___ 文件的格式,想出了如何从 SSL 证书中获取相同名称和编码到该文件中,好像我说过“(p)永久”......但它仍然每次都给出同样的错误和提示。
随着时间的推移,我浏览了其他 stackexchange 答案,这些答案让我看到了诸如从 curl.haxx.se 下载 cacert.pem 并将其添加到 ssl-authority-files 之类的内容:当我尝试这样做时,我得到:
svn: E125009: Unable to connect to a repository at URL 'https://subversion.assembla.com/svn/[...my repo path...]'
svn: E125009: Invalid config: unable to load certificate file '/users/jonespet/.subversion/auth/ssl.certs/cacerts.pem'
我把 cacerts.pem 拿回来了,因为它让事情变得更糟,而不是更好。:-(
所以我使用firefox查看了汇编证书,与上面错误中提到的godaddy证书列表进行了比较,并找出了我认为我需要的那些:我下载了godaddy的gdroot-g2.crt和gdig2.crt,但没有没有帮助。
使用Subversion 对其 CA 列表使用什么?, 我试过
> openssl s_client -connect subversion.assembla.com:443 -showcerts
...
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.assembla.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.assembla.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 4910 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
...
Verify return code: 19 (self signed certificate in certificate chain)
---
我认为返回码 19 是因为 Go Daddy 的 Class 2 证书颁发机构是自签名的。但我会认为这没问题,因为我特别告诉 svn 信任该证书。
那么,我还能做些什么来让 Subversion 停止要求我暂时接受该证书?还是我每次更新、提交等都被 t 卡住了?
2015 年 11 月 23 日编辑
根据评论,我去寻找“某种错误(代码 19 除外)”,但无法复制它。我认为它一定是我的记忆将来自 svn 的“未知错误”与来自 openssl 的更详细的代码 19 结合起来。所以在这方面没有新的信息。
我尝试访问我可以在其他网络上访问的其他一些 linux 机器。
一方面,它没有安装 svn,但是
# openssl version
OpenSSL 0.9.7m 23 Feb 2007
给出与上面相同的代码 19。
第二,我得到:
[~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[~]# svn --version
svn, version 1.7.4 (r1295709)
compiled Apr 5 2012, 16:46:24
[~]# openssl s_client -connect subversion.assembla.com:443 -showcerts
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.assembla.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.assembla.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.assembla.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5439 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D5163A837AE5DEAFA2ED82B437F560A87DC7146FE819D9410B97174FAD7E2A67
Session-ID-ctx:
Master-Key: E4CCC925DC619A507ADAEEA688BD018A4419A0499C246764D9419542C1BF20F5A4C42B41FC6A776AD33915C20A83149B
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - aa ad c7 b3 f2 f1 1e 77-9b 4f f6 23 73 3b 75 70 .......w.O.#s;up
0010 - dd bb 03 6c 96 31 b4 07-b0 55 b7 56 2f 32 c8 e5 ...l.1...U.V/2..
0020 - da 46 06 27 53 79 18 a3-6d a4 8b f2 4c b1 8b e0 .F.'Sy..m...L...
0030 - a2 04 ba 46 95 bb 3e c1-d3 72 69 59 01 18 2b 1c ...F..>..riY..+.
0040 - ba 5d dd ab 96 74 6e 01-db a2 96 54 75 de 4b f6 .]...tn....Tu.K.
0050 - db ae c3 91 e4 fb fb 88-aa e3 f5 e1 bd bd 02 c8 ................
0060 - c7 ef 54 63 2f d3 ae 4d-14 6b 47 fa 78 13 06 7f ..Tc/..M.kG.x...
0070 - a9 ba 31 23 b2 bf 6e 92-05 c3 35 ce 93 5f 2f 2e ..1#..n...5.._/.
0080 - 03 b3 f9 e7 f4 56 ed e7-c2 20 d9 65 8e b4 e2 e4 .....V... .e....
0090 - 38 b6 e5 78 c0 af f8 12-ca 32 03 15 e2 a9 2a 4e 8..x.....2....*N
00a0 - ec 62 6b 71 c1 dd 66 4a-96 1b f2 e9 e2 5d 86 96 .bkq..fJ.....]..
00b0 - c2 3c 71 13 00 b3 16 f8-fd 45 7b 0d 2c aa 8f 6c .<q......E{.,..l
Start Time: 1448304537
Timeout : 300 (sec)
Verify return code: 0 (ok)
当我尝试在 assembla 连接到我的 repo 时,它不会抱怨证书。所以那台机器没有证书链问题。显然,它实际上信任 GoDaddy。
从https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/查看一些建议的证书位置,在提供代码:0,我找到了
# ls -latr /etc/pki/tls/certs/ca-bundle.*
-rw-r--r-- 2 root root 1066943 Apr 23 2015 /etc/pki/tls/certs/ca-bundle.trust.crt
-rw-r--r-- 2 root root 877042 Apr 23 2015 /etc/pki/tls/certs/ca-bundle.crt
在今天的第一台机器上,没有 svn,它的结构不同,但我确实发现他们有 GoDaddy 的证书
# ls -latr /etc/ssl/certs/Go*
lrwxrwxrwx 1 root root 58 Dec 8 2014 /etc/ssl/certs/Go_Daddy_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
下次我在第一次看到这些问题的机器上时,我将不得不四处寻找这些不同目录中的证书存储,看看中央位置是否有过时的东西。
但我想现在我最想要的帮助是:除了已经为 svn 指出的内容之外,我应该寻找什么 svn 或 openssl 设置,以便弄清楚为什么今天的 openssl 的特定实例正在接受 GoDaddy 的根证书,但是当他们查看同一个证书时,openssl 的原始实例给了它一个代码:19。
2015-Dec-04 编辑
我找不到它的中央证书位置(没有 /etc/ssl 或 /etc/pki 目录)。在这一点上,我可能无法在该特定机器上执行其他操作来消除错误。
小智 2
我不建议将此用于任何严肃的用途,但您可以简单地在标准输入上提供“t”:
svn update . <<< t
其他选项是使用--trust-server-cert:
svn --non-interactive --trust-server-cert update .
适合你的 SVN 版本应该没问题,它是在 1.6 中添加的。
另请参阅此线程,提供了一个很好的期望解决方案: https://serverfault.com/questions/37929/how-do-you-accept-an-ssl-certificate-through-the-svn-command-line
| 归档时间: |
|
| 查看次数: |
8421 次 |
| 最近记录: |