
Ticket #17134 (closed: fixed)

Opened 2 years ago

Last modified 2 years ago

*.svn.sourceforge.net SSL certificate can't be verified.

Reported by: keaston Owned by: ceverest
Keywords: SOG PEND Cc:
Private: no

Description

The SSL certificate on *.svn.sourceforge.net has recently changed. The new certificate is issued by GeoTrust SSL, and this requires the server to be configured to provide the GeoTrust SSL certificate chain to clients. The Sourceforge server is not currently configured to do this, so the certificate cannot be verified. For example, this occurs when updating svn over HTTPS:

caf@cheesypoof:~/bitchx-trunk$ svn update
Error validating server certificate for 'https://bitchx.svn.sourceforge.net:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.svn.sourceforge.net
 - Valid: from Tue, 01 Feb 2011 03:25:10 GMT until Mon, 05 Mar 2012 04:22:59 GMT
 - Issuer: GeoTrust, Inc., US
 - Fingerprint: 94:74:b3:a9:54:ce:dc:e5:0d:d6:cf:86:b1:40:5a:48:b9:ea:15:de
(R)eject, accept (t)emporarily or accept (p)ermanently? 

OpenSSL s_client confirms that no certificate chain is being sent:

caf@cheesypoof:~$ openssl s_client -showcerts -connect bitchx.svn.sourceforge.net:443
CONNECTED(00000003)
depth=0 /serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1598 bytes and written 319 bytes
---

The correct chain certificate can be obtained at http://gtssl-aia.geotrust.com/gtssl.crt

Change History

  Changed 2 years ago by ctsai

  • keywords SOG added; subversion,ssl removed
  • owner set to ceverest
  • status changed from new to assigned

  Changed 2 years ago by dmex04

I'm sure this is already noted in the Subversion documentation.

"Subversion users may occasionally produce an error indicating that the SSL certificate issuer isn't trusted"

https://sourceforge.net/apps/trac/sourceforge/wiki/Subversion#ServerCertificateVerificationFailed

  Changed 2 years ago by montanaro

Simply viewing the certificate in a web browser doesn't make it trusted. I tried Safari, Firefox and Chrome.
None accepted it.

follow-up: ↓ 6   Changed 2 years ago by dmex04

Makes sense, however you might be confused, Sourceforge do not configure the root cert on their server, it's configured by the client, you must have the root certificate installed locally to be able to validate the chain, not the other way around ;)

The certificate I see when browsing my project's SVN does indeed show as legitimately verified by IE, FF and Chrome: https://processhacker.svn.sourceforge.net/svnroot/processhacker/ The certificate cached by my svn client also shows as valid.

The error from your validation log says: "verify error:num=20:unable to get local issuer certificate", that error is "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.".

If your machine does not have the GeoTrust root certificate installed or any other root certification authority, client software such as Safari, Firefox, Chrome, your SVN clients etc... will be unable to validate any certificate signed by Geotrust or any other Root Certification Authority.

Servers never tell clients where to find the root certificate, clients don't ever automatically download them. The only way Sourceforge's certificate is going to validate is if you install the Geotrust Root CA yourself or install your OS vendor's updates.

  Changed 2 years ago by mookmoz

SF is indeed missing the intermediate cert, as checked with the cert provider's checker. Firefox will work if you happen to visit a different site using the same intermediate cert first, since it caches the seen certs in its softoken.

in reply to: ↑ 4   Changed 2 years ago by keaston

Replying to dmex04:

Makes sense, however you might be confused, Sourceforge do not configure the root cert on their server, it's configured by the client, you must have the root certificate installed locally to be able to validate the chain, not the other way around ;)

...

If your machine does not have the GeoTrust root certificate installed or any other root certification authority, client software such as Safari, Firefox, Chrome, your SVN clients etc... will be unable to validate any certificate signed by Geotrust or any other Root Certification Authority.

Servers never tell clients where to find the root certificate, clients don't ever automatically download them. The only way Sourceforge's certificate is going to validate is if you install the Geotrust Root CA yourself or install your OS vendor's updates.

My machine has the "GeoTrust Global CA" certificate installed, which is the root CA certificate in question. However, the Sourceforge certificate is *not* directly signed by this certificate; it is signed by an intermediate certificate ("GeoTrust SSL CA"). The intermediate certificate is signed by the GeoTrust root certificate.

It is this intermediate certificate that must be provided by the server. For example, the Apache directive for this is SSLCertificateChainFile.

  Changed 2 years ago by keaston

To summarise, the steps to fix the problem, if the host is running Apache, are:

  • Convert from DER to PEM with: openssl x509 -inform der < gtssl.crt > gtssl-pem.crt
  • Add a directive to Apache's config: SSLCertificateChainFile /path/to/gtssl-pem.crt

  Changed 2 years ago by andrewziem

subscribe

follow-up: ↓ 10   Changed 2 years ago by jberanek

Appears to have a chain now (as far as I can tell with Firefox), but the Subversion client doesn't honour it?

in reply to: ↑ 9   Changed 2 years ago by keaston

Replying to jberanek:

Appears to have a chain now (as far as I can tell with Firefox), but the Subversion client doesn't honour it?

Firefox is not a good tool to use to check this, because it caches the intermediate "GeoTrust SSL CA" certificate when you access an unrelated site that *does* provide it, and then in future uses that to verify the site that doesn't. You can see the cached certificate in Firefox Options->Advanced->Encryption->View Certificates->Authorities. Note that the "GeoTrust SSL CA" certificate is present, and the Security Device is "Software Security Device", meaning that this is a certificate that Firefox has acquired, rather than a built-in one.

Use the GeoTrust checker applet posted by mookmoz above, or use openssl s_client and verify that two certificates are provided.
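The check keaston recommends, counting the certificates the server actually sends rather than trusting a browser's cached intermediate, can be automated. The script below is an added example and not code from this ticket: it reads the text that `openssl s_client -showcerts -connect host:443` prints, requires each certificate in the "Certificate chain" section to be issued by the next one, and requires the last issuer to be a root the client already holds. The two transcripts and `TRUST_STORE` are constructed from the details in this ticket (the broken state from the description, and the fixed state with the "GeoTrust SSL CA" intermediate added). Matching on the CN of each DN is enough to read an s_client transcript but is a simplification; a real verifier matches full names and key identifiers.

```python
"""Diagnose an incomplete certificate chain from `openssl s_client -showcerts` output.

Added example, not code from this ticket. Each certificate the server sends must
be issued by the next one, and the last issuer must already be in the client's
trust store; otherwise the server is missing an intermediate.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/.../CN=..."
_ISSUER = re.compile(r"^\s*i:(.*)$")           # "   i:/C=US/.../CN=..."
_CN = re.compile(r"CN=([^/,]+)")


def cn_of(dn: str) -> str:
    """Common name of an OpenSSL one-line DN (whole DN if it has no CN)."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """[(subject_cn, issuer_cn), ...] from the 'Certificate chain' section,
    in the order sent; index 0 is the server's own (leaf) certificate."""
    certs: list[tuple[str, str]] = []
    subject, in_chain = None, False
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_chain = True
        elif in_chain and stripped == "Server certificate":
            break
        elif in_chain:
            if m := _ENTRY.match(line):
                subject = cn_of(m.group(2))
            elif (m := _ISSUER.match(line)) and subject is not None:
                certs.append((subject, cn_of(m.group(1))))
                subject = None
    return certs


@dataclass
class ChainReport:
    served: int                                      # certificates the server sent
    breaks: list[int] = field(default_factory=list)  # i where cert i's issuer != cert i+1's subject
    anchor: str = ""                                 # issuer the client must hold itself
    anchor_trusted: bool = False

    @property
    def complete(self) -> bool:
        return self.served > 0 and not self.breaks and self.anchor_trusted


def analyze_chain(s_client_output: str, trusted_cns: set[str]) -> ChainReport:
    """trusted_cns: CNs of the root certificates in the client's trust store."""
    certs = parse_chain(s_client_output)
    if not certs:
        return ChainReport(served=0)
    breaks = [i for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    # Whatever issued the last certificate sent is what the client has to have
    # locally. If the server also sends a self-signed root, that issuer is the
    # root itself, and it still has to be in the trust store.
    anchor = certs[-1][1]
    return ChainReport(len(certs), breaks, anchor, anchor in trusted_cns)


# Constructed transcript of the broken state in this ticket: only the leaf is
# sent, and it is issued by the intermediate "GeoTrust SSL CA".
BROKEN = """\
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/serialNumber=mwH1iE4aIUYIReDTSM23S5jCXnr-73fa/C=US/ST=California/L=Mountain View/O=Geeknet, Inc./CN=*.svn.sourceforge.net
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
Server certificate
"""

# Constructed transcript of the fixed state: the intermediate is sent as well.
FIXED = BROKEN.replace("---\nServer certificate", """\
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate""")

# The root keaston reports having installed locally.
TRUST_STORE = {"GeoTrust Global CA"}


def describe(name: str, transcript: str) -> str:
    r = analyze_chain(transcript, TRUST_STORE)
    verdict = "complete" if r.complete else f"INCOMPLETE, client must trust '{r.anchor}'"
    return f"{name}: {r.served} cert(s) served, breaks at {r.breaks}, {verdict}"


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # a saved s_client transcript
        with open(sys.argv[1]) as fh:
            print(describe(sys.argv[1], fh.read()))
    else:
        for name, transcript in (("broken", BROKEN), ("fixed", FIXED)):
            print(describe(name, transcript))
```

Run it with no arguments to see the two constructed cases, or save real `openssl s_client -showcerts` output to a file and pass the file name. The report distinguishes the two ways a chain can be wrong: a break (the server sends certificates that do not form a path) and a missing anchor (the path ends at an intermediate the client does not have), which is exactly the case in this ticket.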

  Changed 2 years ago by jberanek

keaston: Ohhhh, nasty. Indeed Chrome is not very happy about the certificate chain either.

  Changed 2 years ago by jberanek

My temporary client-side fix is similar to your server-side fix, but adds the following lines to <subversion user dir>/servers:

[global]
ssl-authority-files = <path to PEM file>/gtssl.pem
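The two fixes in this thread are a one-line conversion (keaston's `openssl x509 -inform der`, comment 7) and a one-line config entry (jberanek's `ssl-authority-files`, above). The Python below is an added example, not code from the ticket or from Subversion: it does the DER to PEM conversion with the standard library and edits the client's `servers` file in place so that comments and any authority files already listed are preserved. `ssl-authority-files` is treated as the semicolon-delimited list Subversion documents it as. The paths and the sample `servers` contents are assumptions, and the DER bytes used for the round-trip check are constructed, not a real certificate. The server-side fix is only the Apache directive keaston names, so it needs no code.

```python
"""Client-side workaround from this thread: DER -> PEM, then add the PEM file
to ssl-authority-files under [global] in the Subversion client's servers file.

Added example, not the ticket's or Subversion's own code. Paths are assumptions.
"""
from __future__ import annotations

import re
import ssl
from pathlib import Path

_KEY = re.compile(r"^\s*ssl-authority-files\s*[=:]\s*(.*)$")  # active entry only
_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def der_to_pem(der: bytes) -> str:
    """Base64-wrap a DER blob as PEM; same output as `openssl x509 -inform der`
    for a single certificate (no parsing is done)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)


def add_ssl_authority(servers_text: str, pem_path: str) -> tuple[str, list[str]]:
    """Return (new servers text, resulting list of authority files).

    An active ssl-authority-files line in [global] is extended (no duplicates),
    commented-out lines are left untouched, a missing [global] is created."""
    lines = servers_text.splitlines()
    start = None
    for i, line in enumerate(lines):
        m = _SECTION.match(line)
        if m and m.group(1).strip() == "global":
            start = i
            break
    if start is None:
        lines += ["", "[global]", f"ssl-authority-files = {pem_path}"]
        return "\n".join(lines) + "\n", [pem_path]
    end = len(lines)
    for j in range(start + 1, len(lines)):
        if _SECTION.match(lines[j]):          # next section ends [global]
            end = j
            break
    for j in range(start + 1, end):
        m = _KEY.match(lines[j])
        if m:
            files = [f.strip() for f in m.group(1).split(";") if f.strip()]
            if pem_path not in files:
                files.append(pem_path)
            lines[j] = "ssl-authority-files = " + ";".join(files)
            return "\n".join(lines) + "\n", files
    lines.insert(start + 1, f"ssl-authority-files = {pem_path}")
    return "\n".join(lines) + "\n", [pem_path]


def install_authority(servers_path: Path, der_path: Path, pem_path: Path) -> list[str]:
    """File-level wrapper: convert der_path to pem_path and register it."""
    pem_path.write_text(der_to_pem(der_path.read_bytes()))
    text = servers_path.read_text() if servers_path.exists() else ""
    new_text, files = add_ssl_authority(text, str(pem_path))
    servers_path.write_text(new_text)
    return files


# Constructed sample of a servers file with one authority already configured.
SAMPLE_SERVERS = """\
### Constructed sample; the real file has many more commented options.
[groups]
# group1 = *.collab.net

[global]
# ssl-authority-files = /path/to/CAcert.pem
ssl-authority-files = /home/caf/certs/corp-ca.pem
# http-compression = yes
"""

if __name__ == "__main__":
    new_text, files = add_ssl_authority(SAMPLE_SERVERS, "/home/caf/certs/gtssl.pem")
    print(new_text)
    print("authority files now:", files)
```

To apply it for real, call `install_authority(Path.home() / ".subversion" / "servers", Path("gtssl.crt"), Path("gtssl.pem"))` after downloading the DER file from the URL in the description. Running `add_ssl_authority` a second time with the same path is a no-op, so the call is safe to repeat.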

follow-ups: ↓ 15 ↓ 16   Changed 2 years ago by ctsai

  • keywords PEND added

Greetings,

We've made the fix for this, and I've verified it using GeoTrust's cert checker (thanks for the link mookmoz): https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557

Please confirm that you consider this fixed as well.

Thanks!
Chris Tsai, SourceForge.net Support

  Changed 2 years ago by jberanek

Looks good here!

in reply to: ↑ 13   Changed 2 years ago by bullet_catcher

Commands such as "svn update" now work normally again, without any changes on my end. Thanks for adding the intermediate certificate on the server.

in reply to: ↑ 13   Changed 2 years ago by keaston

Confirming that it seems fixed to me too. Thanks Chris!

  Changed 2 years ago by ctsai

  • status changed from assigned to closed
  • resolution set to fixed

Excellent, great to hear confirmation from you guys. I'm just the messenger, it was ceverest who made the fix.

Anyway, since the fix is confirmed, I'm closing this ticket out.

Regards,
Chris Tsai, SourceForge.net Support
