Avoiding "Server certificate verification failed"

I just learned something I thought I'd share (and read into the archives).

When you use Subversion (including SCPlugin) to talk to a repository server that uses https://... URLs, you usually see this error message:

> PROPFIND of '/blah/blah': Server certificate verification failed:
> issuer is not trusted (https://blah/blah)

This may happen even though your browser can visit that site without complaining.

The problem here is that OpenSSL (which is used by Subversion, which is used by SCPlugin) needs a list of "Certifying Authorities" that you trust, so it knows whether your server's certificate really is valid: you don't want to connect to just any host *claiming* to be your server! Mac OS X comes with such a list, and your browser uses it, and that's why the browser has no trouble, here. But Mac OS X doesn't keep it in the place that OpenSSL looks for it. (OS X is using its Keychain feature, which is in many ways really cool, but it would certainly be nice if they'd also wire OpenSSL up to it!).

Our standard advice is to use a command-line tool to "accept the server certificate permanently." That advice works fine, and if you only have one such server, maybe that advice is all you need. But if you have a lot of such servers, it might be easier to follow these instructions, which I found at http://www.madboa.com/geek/pine-macosx/

OS X ships with a full OpenSSL installation and it ships with public certificates from recognized CAs. The problem is that Unix applications compiled against the OpenSSL libraries (like Alpine) cannot make use of those certificates. You’ll need to export them from the system keychain in order to make them available to Alpine.

• Open the Keychain Access application and choose the System Roots keychain. Select the Certificates category and you should see 100 or more certificates listed in the main panel of the window.
• Click your mouse on any of those certificate entries and then select them all with Edit → Select All (Cmd+A).
• Once the certificates are all highlighted, export them to a file: File → Export Items…. Use “cert” as the filename and make sure “Privacy Enhanced Mail (.pem)” has been chosen as the file format.
• Copy the newly created cert.pem into the /System/Library/OpenSSL directory.

I'm pondering how to add that to the SCPlugin installer, but it turns out to be ever so slightly trickier than it looks (don't they all?).

-==-
Jack Repenning
jackrepenning@...
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

RE: Avoiding "Server certificate verification failed"

These instructions seem quite helpful, but I wonder if they are still correct for newer versions of OSX and OpenSSL. In the OpenSSL folder in Library, there is now a certs folder. Should the exported certs be put in that folder, or at the same level as that folder?

FWIW - neither seems to solve the problem on my machine.

------------------------------------------------------
http://scplugin.tigris.org/ds/viewMessage.do?dsForumId=1525&dsMessageId=2369875

RE: Avoiding "Server certificate verification failed"

There was "always" a certs/ folder in any version I ever tried this on, but the directions as given worked for me.

Are you sure you're getting exactly the message quoted in the original? There are several very similar-sounding error messages in SSL, with very different fixes!

------------------------------------------------------
http://scplugin.tigris.org/ds/viewMessage.do?dsForumId=1525&dsMessageId=2369939

jr
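
Added example, not part of the original thread or of SCPlugin: a check for the export procedure in the first message and the cert.pem versus certs/ question in the second. OpenSSL's default CA file is a single bundle named cert.pem in its directory, while its certs/ directory is searched only by hash-style file names (xxxxxxxx.0), so a bundle copied into certs/ is not found; the temporary layout and certificate bodies used by `demo()` are constructed.

```python
import base64, binascii, os, re, ssl, tempfile

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # names the directory lookup uses

def count_pem_certs(path):
    """Number of well-formed base64 CERTIFICATE blocks in a file, None if absent."""
    if not os.path.isfile(path):
        return None
    count = 0
    with open(path, "rb") as fh:
        for body in PEM_BLOCK.findall(fh.read()):
            try:
                base64.b64decode(b"".join(body.split()), validate=True)
                count += 1
            except binascii.Error:
                pass  # truncated or corrupted export, not counted
    return count

def check_openssl_dir(openssldir):
    """Report how OpenSSL would see a trust store laid out under openssldir."""
    certs_dir = os.path.join(openssldir, "certs")
    names = os.listdir(certs_dir) if os.path.isdir(certs_dir) else []
    return {
        "bundle_certs": count_pem_certs(os.path.join(openssldir, "cert.pem")),
        "hashed_entries": sum(1 for n in names if HASHED_NAME.match(n)),
        "unhashed_in_certs": sorted(n for n in names if not HASHED_NAME.match(n)),
    }

def demo():
    """Constructed layout: a 3-cert bundle at top level, a stray copy in certs/."""
    fake = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "certs"))
        for rel, data in (("cert.pem", fake * 3), ("certs/cert.pem", fake)):
            with open(os.path.join(d, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return check_openssl_dir(d)

if __name__ == "__main__":
    # Defaults compiled into the OpenSSL that this Python links against;
    # another program's OpenSSL build may use a different directory.
    paths = ssl.get_default_verify_paths()
    print("compiled-in CA file:", paths.openssl_cafile)
    print("compiled-in CA dir: ", paths.openssl_capath)
    print(check_openssl_dir(os.path.dirname(paths.openssl_cafile)))
    print(demo())
```

A `bundle_certs` of `None` means no cert.pem sits at the top level of the directory, and any name listed under `unhashed_in_certs` is a file the directory lookup will not find.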