Date: Wed, 5 Aug 2015 15:07:04 -0700 From: Kevin Oberman <rkoberman@gmail.com> To: Dimitry Andric <dim@freebsd.org> Cc: Peter Wemm <peter@wemm.org>, FreeBSD Ports ML <freebsd-ports@freebsd.org> Subject: Re: Unable to relocate to new svn URL Message-ID: <CAN6yY1tv6i3idwBg3WTOr7aBXAAeSMnT-7SmRBPSYTCXP9O=LQ@mail.gmail.com> In-Reply-To: <C5D69B70-A95D-4371-A8F8-5C8ED5E1CCA3@FreeBSD.org> References: <CAN6yY1tez0Zhwt1mo4XdrinZ2OkyFH1U-Ew2VAv%2BWH=4YVv9=g@mail.gmail.com> <C5D69B70-A95D-4371-A8F8-5C8ED5E1CCA3@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 5, 2015 at 1:21 PM, Dimitry Andric <dim@freebsd.org> wrote: > On 05 Aug 2015, at 22:05, Kevin Oberman <rkoberman@gmail.com> wrote: > > > > Today I decided to relocate my ports source from the old specific mirror > to > > the new svn.freebsd.org. Seemed like just one easy command, but not > quite. > > > > First, if subversion is built with the default options, it will refuse to > > do https:// with the confusing message that the URL format was not > > recognized. I checked and my svn was notbuilt with SASL. SASL is not on > by > > default. So I rebuilt subversion and now it likes the command, but won't > > accept the certificate: > > Error validating server certificate for 'https://svn.freebsd.org:443': > > - The certificate is not issued by a trusted authority. Use the > > fingerprint to validate the certificate manually! > > Certificate information: > > - Hostname: svn.freebsd.org > > - Valid: from Jun 22 00:00:00 2015 GMT until Jun 22 23:59:59 2016 GMT > > - Issuer: Gandi, Paris, Paris, FR > > - Fingerprint: > E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9 > > (R)eject, accept (t)emporarily or accept (p)ermanently? > > > > Indeed, it does not appear that Gandi is on the certificate.txt. file > > installed by ca_root_nss. > > Not directly, the Gandi Standard SSL CA 2 certificate is issued by the > following root CA: > > Serial Number: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d > Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, > CN=USERTrust RSA Certification Authority > > > > Is this a problem with the ca_root_nss port, the certificate, of is > > something hacked? Clearly, I am not about to trust the certificate as it > > now stands. > > Which version of ca_root_nss do you have? Mine is 3.19.1_1, and it > definitely has the above root CA in /etc/ssl/cert.pem. > > -Dimitry > Thanks for the quick response! I'm still confused, though. I have 3.19.2, so it is just a bit newer. But I don't have /etc/ssl/cert.pem. The root certs are installed in /usr/local/share/certs/ca-root-nss.crt. Is something required to get them into /etc/ssl? I confirm that the fingerprints match. Also, the handbook needs a bit of work. It shows the use of svn.freebsd.org, but the text just prior to the example still talks about " the western US repository". Later text discuses the GeoDNS and svn.frebsd.org. (Yes, this is nit-picking.) Any idea why my use of SVN is complaining? Now that I have verified the fingerprint, I can go on and accept the cert, but why is this happening and will it bite others? -- Kevin Oberman, Network Engineer, Retired E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1tv6i3idwBg3WTOr7aBXAAeSMnT-7SmRBPSYTCXP9O=LQ>