Bug 502451 - X509v1 CA certificate is not trusted
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: neon
Version: 10
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Duplicates: 494350
Reported: 2009-05-25 07:04 EDT by Bjorge Solli
Modified: 2009-09-01 08:57 EDT
Fixed In Version: 0.28.6-1.fc10
Doc Type: Bug Fix
Last Closed: 2009-08-20 16:59:32 EDT

Description Bjorge Solli 2009-05-25 07:04:47 EDT
Description of problem:
The subversion is missing a large ssl certificate authority; Educational CA, Cybertrust, BE. This works fine on other distros and even in RedHatEnterpriseServer 5.3. It also works fine in firefox on the same machines.

Version-Release number of selected component (if applicable):
subversion-1.5.4-3.x86_64
subversion-1.5.4-3.i386

Steps to Reproduce:
$ svn co https://subversion.uib.no/repos/test
Error validating server certificate for 'https://subversion.uib.no:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: subversion.uib.no
 - Valid: from Wed, 20 May 2009 12:37:17 GMT until Sun, 20 May 2012 12:37:17 GMT
 - Issuer: Educational CA, Cybertrust, BE
 - Fingerprint: b5:50:ee:5f:0b:85:5e:9d:20:5e:5d:45:92:19:67:31:ec:43:21:36
(R)eject, accept (t)emporarily or accept (p)ermanently?
Comment 1 Joe Orton 2009-05-25 15:30:52 EDT
There's a Cybertrust root in the F-11 ca-certificates.
Comment 2 Bjorge Solli 2009-05-25 17:13:41 EDT
Is it possible for you to update the F10 package too? I have 500 systems, many used by student programmers that use subversion. I don't see that I can manage to upgrade them all anytime soon. Is it possible to drop a file in /etc/pki/tls/certs to fix it or even install the F11 rpm?

Regards
Bjørge Solli
sysadm University of Bergen, Norway.
Comment 3 Fedora Update System 2009-05-27 06:03:37 EDT
ca-certificates-2009-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ca-certificates-2009-1.fc10
Comment 4 Joe Orton 2009-05-27 06:05:22 EDT
Please try this build:

http://koji.fedoraproject.org/koji/buildinfo?buildID=103784

and report feedback either here or via the update tracker link in comment 3.
Comment 5 Fedora Update System 2009-05-28 04:17:57 EDT
ca-certificates-2009-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update ca-certificates'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5649
Comment 6 Bjorge Solli 2009-05-29 02:22:47 EDT
I still get this error:

$ rpm -q ca-certificates
ca-certificates-2009-1.fc10.noarch
$ svn co https://subversion.uib.no/repos/test
Error validating server certificate for 'https://subversion.uib.no:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: subversion.uib.no
 - Valid: from Wed, 20 May 2009 12:37:17 GMT until Sun, 20 May 2012 12:37:17 GMT
 - Issuer: Educational CA, Cybertrust, BE
 - Fingerprint: b5:50:ee:5f:0b:85:5e:9d:20:5e:5d:45:92:19:67:31:ec:43:21:36
(R)eject, accept (t)emporarily or accept (p)ermanently? r
svn: OPTIONS of 'https://subversion.uib.no/repos/test': Server certificate verification failed: issuer is not trusted (https://subversion.uib.no)
$ uname -a
Linux it010240.klientdrift.uib.no 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Comment 7 Joe Orton 2009-05-29 06:42:26 EDT
Thanks for testing this out.

The problem is in fact that the root CA you're using is an X509v1 cert, and such certs are not trusted by default in GnuTLS.

I've built an updated version of neon which fixes this issue and this works fine with your https://subversion.uib.no/ server (I hope that testing against that is OK).

http://koji.fedoraproject.org/koji/buildinfo?buildID=104029
Comment 8 Fedora Update System 2009-05-29 06:51:35 EDT
neon-0.28.4-1.1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/neon-0.28.4-1.1.fc10
Comment 9 Joe Orton 2009-05-29 07:00:22 EDT
Please leave feedback via the update system link above if this works for you.
Comment 10 Bjorge Solli 2009-05-29 07:07:48 EDT
Please test against our server, no problem.

Updating neon did the trick. Subversion now works fine against our svn repo.

Is it a bad thing that we use a v1 certificate? We are in the educational section in Norway and all educational institutions in Norway get their ssl certificates from the same place.
Comment 11 Joe Orton 2009-05-29 09:27:10 EDT
To be clear - it is the root CA using an X.509 v1 cert here, not the server cert you are using.  I don't think it's actively harmful to be using a v1 root cert.  

That particular root expires in only 2018 anyway, so, you'll migrate to some other root at some point ;)

Thanks for testing out the packages.
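
Comments 7 and 11 turn on the X.509 version of the root certificate: a v1 certificate has no extensions, so nothing in it marks it as a CA, which is why a TLS library can decline to trust it as one by default. As an added example (not part of this bug thread and not neon or GnuTLS code), the Python below reads the version directly from the DER encoding and lists the v1 entries in a PEM bundle; the function names and the two sample byte strings are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed skeletons: only the leading TBSCertificate fields, not real certs.
SAMPLE_V3 = bytes.fromhex("300a3008a003020102020101")  # [0]{INTEGER 2}, serial
SAMPLE_V1 = bytes.fromhex("30053003020101")            # serial only, no [0]

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = length byte count
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, start, _ = read_tlv(der, start)      # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("no TBSCertificate")
    tag, start, end = read_tlv(der, start)    # first TBSCertificate field
    if tag != 0xA0:                           # [0] version absent: DEFAULT v1
        return 1
    tag, start, end = read_tlv(der, start)    # INTEGER wrapped by [0]
    if tag != 0x02 or end - start != 1:
        raise ValueError("bad version field")
    return der[start] + 1                     # encoded 0, 1, 2 mean v1, v2, v3

def v1_anchors(pem_bundle):
    """Return the positions of X.509 v1 certificates in a PEM bundle."""
    ders = [base64.b64decode(m) for m in PEM_RE.findall(pem_bundle)]
    return [i for i, der in enumerate(ders) if x509_version(der) == 1]

def to_pem(der):
    """Wrap DER bytes in PEM armour (helper for the constructed samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```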
Comment 12 Fedora Update System 2009-05-29 22:31:24 EDT
neon-0.28.4-1.1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update neon'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5675
Comment 13 Fedora Update System 2009-08-19 04:36:32 EDT
neon-0.28.6-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/neon-0.28.6-1.fc10
Comment 14 Fedora Update System 2009-08-20 16:59:27 EDT
neon-0.28.6-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Joe Orton 2009-09-01 08:57:23 EDT
*** Bug 494350 has been marked as a duplicate of this bug. ***
