Description of problem: The subversion is missing a large ssl certificate authority; Educational CA, Cybertrust, BE. This works fine on other distros and even in RedHatEnterpriseServer 5.3. It also works fine in firefox on the same machines. Version-Release number of selected component (if applicable): subversion-1.5.4-3.x86_64 subversion-1.5.4-3.i386 Steps to Reproduce: $ svn co https://subversion.uib.no/repos/test Error validating server certificate for 'https://subversion.uib.no:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information: - Hostname: subversion.uib.no - Valid: from Wed, 20 May 2009 12:37:17 GMT until Sun, 20 May 2012 12:37:17 GMT - Issuer: Educational CA, Cybertrust, BE - Fingerprint: b5:50:ee:5f:0b:85:5e:9d:20:5e:5d:45:92:19:67:31:ec:43:21:36 (R)eject, accept (t)emporarily or accept (p)ermanently?
There's a Cybertrust root in the F-11 ca-certificates.
Is it possible for you to update the F10 package too? I have 500 systems, many used by student programmers that use subversion. I don't see that I can manage upgrade them all anytime soon. Is it possible to drop a file in /etc/pki/tls/certs to fix it or even install the F11 rpm? Regards Bjørge Solli sysadm University of Bergen, Norway.
ca-certificates-2009-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ca-certificates-2009-1.fc10
Please try this build: http://koji.fedoraproject.org/koji/buildinfo?buildID=103784 and report feedback either here or via the update tracker link in comment 3.
ca-certificates-2009-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ca-certificates'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5649
I still get this error: $ rpm -q ca-certificates ca-certificates-2009-1.fc10.noarch $ svn co https://subversion.uib.no/repos/test Error validating server certificate for 'https://subversion.uib.no:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information: - Hostname: subversion.uib.no - Valid: from Wed, 20 May 2009 12:37:17 GMT until Sun, 20 May 2012 12:37:17 GMT - Issuer: Educational CA, Cybertrust, BE - Fingerprint: b5:50:ee:5f:0b:85:5e:9d:20:5e:5d:45:92:19:67:31:ec:43:21:36 (R)eject, accept (t)emporarily or accept (p)ermanently? r svn: OPTIONS of 'https://subversion.uib.no/repos/test': Server certificate verification failed: issuer is not trusted (https://subversion.uib.no) $ uname -a Linux it010240.klientdrift.uib.no 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Thanks for testing this out. The problem is in fact that the root CA you're using is a X509v1 cert, and such certs are not trusted by default in GnuTLS. I've built an updated version of neon which fixes this issue and this works fine with your https://subversion.uib.no/ server (I hope that testing against that is OK). http://koji.fedoraproject.org/koji/buildinfo?buildID=104029
neon-0.28.4-1.1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/neon-0.28.4-1.1.fc10
Please leave feedback via the update system link above if this works for you.
Please test against our server, no problem. Updating neon did the trick. Subversion now works fine against our svn repo. Is it a bad thing that we use a v1 certificate? We are in the educational section in norway and all educational institutions in norway gets their ssl certificates from the same place..
To be clear - it is the root CA using an X.509 v1 cert here, not the server cert you are using. I don't think it's actively harmful to be using a v1 root cert. That particular root expires in only 2018 anyway, so, you'll migrate to some other root at some point ;) Thanks for testing out the packages.
neon-0.28.4-1.1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update neon'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5675
neon-0.28.6-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/neon-0.28.6-1.fc10
neon-0.28.6-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 494350 has been marked as a duplicate of this bug. ***