Bug 502451
| Field | Value |
|---|---|
| Summary | X509v1 CA certificate is not trusted |
| Product | [Fedora] Fedora |
| Component | neon |
| Version | 10 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Bjorge Solli <bjorge> |
| Assignee | Joe Orton <jorton> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abo, fitzsim, jorton, tmraz, vanmeeuwen+fedora |
| Fixed In Version | 0.28.6-1.fc10 |
| Doc Type | Bug Fix |
| Last Closed | 2009-08-20 20:59:32 UTC |

Description

Bjorge Solli
2009-05-25 11:04:47 UTC

There's a Cybertrust root in the F-11 ca-certificates. Is it possible for you to update the F10 package too? I have 500 systems, many used by student programmers that use subversion. I don't see that I can manage to upgrade them all anytime soon. Is it possible to drop a file in /etc/pki/tls/certs to fix it or even install the F11 rpm?

Regards
Bjørge Solli
sysadm
University of Bergen, Norway.

ca-certificates-2009-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ca-certificates-2009-1.fc10

Please try this build: http://koji.fedoraproject.org/koji/buildinfo?buildID=103784 and report feedback either here or via the update tracker link in comment 3.

ca-certificates-2009-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ca-certificates'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5649

I still get this error:

```
$ rpm -q ca-certificates
ca-certificates-2009-1.fc10.noarch
$ svn co https://subversion.uib.no/repos/test
Error validating server certificate for 'https://subversion.uib.no:443':
 - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: subversion.uib.no
 - Valid: from Wed, 20 May 2009 12:37:17 GMT until Sun, 20 May 2012 12:37:17 GMT
 - Issuer: Educational CA, Cybertrust, BE
 - Fingerprint: b5:50:ee:5f:0b:85:5e:9d:20:5e:5d:45:92:19:67:31:ec:43:21:36
(R)eject, accept (t)emporarily or accept (p)ermanently? r
svn: OPTIONS of 'https://subversion.uib.no/repos/test': Server certificate verification failed: issuer is not trusted (https://subversion.uib.no)
$ uname -a
Linux it010240.klientdrift.uib.no 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
```

Thanks for testing this out. The problem is in fact that the root CA you're using is an X509v1 cert, and such certs are not trusted by default in GnuTLS. I've built an updated version of neon which fixes this issue and this works fine with your https://subversion.uib.no/ server (I hope that testing against that is OK).
http://koji.fedoraproject.org/koji/buildinfo?buildID=104029

neon-0.28.4-1.1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/neon-0.28.4-1.1.fc10

Please leave feedback via the update system link above if this works for you.

Please test against our server, no problem. Updating neon did the trick. Subversion now works fine against our svn repo. Is it a bad thing that we use a v1 certificate? We are in the educational section in Norway and all educational institutions in Norway get their SSL certificates from the same place.

To be clear - it is the root CA using an X.509 v1 cert here, not the server cert you are using. I don't think it's actively harmful to be using a v1 root cert. That particular root expires in only 2018 anyway, so, you'll migrate to some other root at some point ;) Thanks for testing out the packages.

neon-0.28.4-1.1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update neon'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5675

neon-0.28.6-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/neon-0.28.6-1.fc10

neon-0.28.6-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 494350 has been marked as a duplicate of this bug. ***
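
An added example, not part of the bug report and not neon or GnuTLS code: the v1 roots in a CA bundle can be identified from their DER encoding, because the `version` field of TBSCertificate is `[0] EXPLICIT` with `DEFAULT v1` and is therefore omitted in a v1 certificate. The function names are hypothetical and the two DER stubs are constructed for illustration (they are not real certificates).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first                         # short-form length
    if first >= 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded X.509 certificate."""
    tag, cert_start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = read_tlv(der, cert_start)    # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    tag, ver_start, _ = read_tlv(der, tbs_start)     # first TBSCertificate field
    if tag != 0xA0:
        return 1                  # no [0] version field, so DEFAULT v1 applies
    tag, int_start, int_end = read_tlv(der, ver_start)  # INTEGER inside [0] EXPLICIT
    if tag != 0x02 or int_end - int_start != 1 or der[int_start] > 2:
        raise ValueError("malformed version field")
    return der[int_start] + 1     # encoded 0, 1, 2 mean v1, v2, v3

def v1_certs_in_bundle(pem_text):
    """Return 0-based positions of the v1 certificates in a PEM bundle."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]
    return [i for i, der in enumerate(ders) if x509_version(der) == 1]

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed DER stubs (not real certificates): outer SEQUENCE, TBSCertificate, first fields only.
V1_STUB = bytes.fromhex("30053003020101")            # serialNumber comes first
V3_STUB = bytes.fromhex("300a3008a003020102020101")  # [0] version = 2 (v3) comes first
SAMPLE_BUNDLE = to_pem(V3_STUB) + to_pem(V1_STUB)
```

Passing the text of a CA bundle file to `v1_certs_in_bundle()` lists the roots that a GnuTLS-based client will reject unless v1 CA certificates are explicitly allowed.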