我正在管理一个基于 subversion 的构建系统,我们对服务器使用自签名 ssl。因此,我们有时会遇到构建失败的情况,因为添加了一台新机器,并且由于这是该机器第一次联系 svn 服务器而无法签出。
错误消息如下:
icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: scm.myserver.com
- Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
- Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
- Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently?
我通常需要的是类似 --insecure 参数的curl。现在,我们的解决方法是只执行一些简单的 svn 命令,以便我们可以“永久”回答并且问题将得到解决......至少直到 ssl 证书再次更改/更新或在另一个新证书上完成构建机器。
有人解决这个问题了吗?
提前致谢 :)
I'm managing a subversion-based build system and we use a self-signed ssl for the server. So from time to time, we get build failures because a new machine has been added and it can't checkout since it's the first time for that machine to contact the svn server.
The error message is like:
icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: scm.myserver.com
- Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
- Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
- Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently?
What I typically need is something like --insecure parameter to curl. Right now, our workaround is to just do some simple svn command so that we could answer "permanently" to and the issue would be solved...at least until the ssl certificate gets changed/renewed again or the build is done on another new machine.
Has someone solved this issue?
Thanks in advance :)
发布评论
评论(4)
我想你有两个选择;抛开所有的谨慎,从命令行设置 trust-server-cert 和非交互:
另一个选项是使用 openssl s_client 和 -showcerts 之类的东西来检查和验证证书在 svn 调用之前是否已更改 - 然后要么非常干净地中止并让人类做出判断,要么做一些肮脏的事情 - 比如使用 -showcert 更新 ~/.subversion 中的已知证书。
无论哪种情况 - 有点不直观的魔力都在 ~/.subversion/auth/svn.ssl.server/> 中的文件上。 - 提取您需要的证书信息:
或类似的东西
,然后可以使用 openssl s_client 和 -CApath 或使用该证书进行验证以查看它是否已更改和/或使用 -showcert 进行交叉检查。 (注意:如果需要,请用 perl -e 'use MIME::Base64;print Decode_base64(join("",));' 替换 Base64decode)。
I guess you have two options; throwing all caution overboard and setting trust-server-cert and non interactive from the command line:
and the other option is to use something like openssl s_client with -showcerts to check and validate if the cert has changed prior to the svn call -and then either abort very cleanly and let a human make the judgment call, or something dirty - like using the -showcert to update the known cert in ~/.subversion.
In either case - the bit of nonintuitive magic is on the files in ~/.subversion/auth/svn.ssl.server/
<serverrecord> - to extract the cert info you need:or something like
and can then use openssl s_client with -CApath or verify with that cert to see if it has changed and/or use -showcert to cross check. (Note: substitute perl -e 'use MIME::Base64;print decode_base64(join("",));' for base64decode if needed).
另一种选择是使用expect。使用expect您可以模拟接受证书的用户。当其他选项不起作用时它会起作用。我创建这个是为了可以从 Dockerfile 中的 svn 下载代码。
Another option is to use expect. Using expect you can simulate a user accepting the certificate. It will work when other options won't. I created this so that I could download code from svn in a Dockerfile.
在这种情况下,你有另一个 svn 版本,它没有问题,
所以复制: cp -r .subversion/auth ...到受影响系统的 .subversion ...
under circtumstance you have another svn version, wich has no problems
so copy: cp -r .subversion/auth ...to the .subversion of affected system...
有两种可能的情况:证书不受信任,但有效(例如有效的自签名证书),或者证书无效(例如当您通过 IP 或通过 FQDN 从 LAN 外部访问计算机时)该机器具有为其符号名称颁发的证书)。即使使用 --trust-server-certificate 选项,svn 客户端也不会信任第二种类型的证书。在第二种情况下,我能想到的唯一选择是使用主机文件条目将该计算机的 IP 别名为其内部名称。
我曾经遇到过场景 2 的插图,当 VisualSVN 使用所有默认选项安装并为其发现的计算机符号名称生成一个证书时:
LAN 计算机名称 MACHINE1 运行 SVN 服务器,并且安装了颁发给 MACHINE1 的证书。您尝试通过 IP 地址访问 SVN,并收到无效证书错误。
如果可以通过 FQDN(例如
svn.domain.com)从 LAN 外部访问 MACHINE1,并且您正在连接到 FQDN,您也会收到该错误。在这两种情况下 svn 都会抛出无效证书错误。
您可以向
hosts文件添加一个条目,以将计算机的 IP 地址(LAN 或外部,具体取决于您从何处访问它)映射到证书颁发给的名称:并通过 https://machine1/svn/ 来规避这种情况。
There are two possible scenarios: certificate is untrusted, but valid (i.e. a valid self-signed cert for example), or certificate is invalid (such as when you are accessing a machine on your LAN by IP or from outside your LAN by FQDN and that machine has a certificate issued to its symbolic name). svn client will not trust the 2nd type of cert even if using --trust-server-certificate option. In the 2nd scenario your only option I can think of is to use a hosts file entry to alias that machine's IP to its internal name.
Illustration of the scenario 2 that I once faced when VisualSVN was installed with all default option and generated a cert to the machine's symbolic name that it discovered:
LAN machine name MACHINE1 runs SVN server and it has a certificate installed that was issued to MACHINE1. You are trying to access SVN via its IP address and getting invalid certificate error.
You would also get that error if that MACHINE1 is accessible from outside your LAN by FQDN for example
svn.domain.comand you are connecting to FQDN.In both cases svn would throw the invalid certificate error.
You can add an entry to the
hostsfile to map the machine's IP address (LAN or external depending on where you are accessing it from) to the name certificate was issued to:and access SVN via https://machine1/svn/ to circumvent this situation.