Opened 11 years ago

Closed 11 years ago

#43344 closed defect (fixed)

Server certificate not trusted on buildslaves

Reported by: ryandesign (Ryan Carsten Schmidt) Owned by: skarulkar@…
Priority: Normal Milestone:
Component: server/hosting Version:
Keywords: Cc: mojca (Mojca Miklavec)
Port:

Description

The Lion, Mountain Lion and Mavericks buildslaves are not building anything since the certificates changed to fix the heartbleed bug:

svn: E175002: Unable to connect to a repository at URL 'https://svn.macports.org/repository/macports/contrib/mpab'
svn: E175002: OPTIONS of 'https://svn.macports.org/repository/macports/contrib/mpab': Server certificate verification failed: issuer is not trusted (https://svn.macports.org)

The new certificates need to be manually accepted once on each of those three buildslaves. We just went through this recently when we switched ssl providers so hopefully we still remember the process:

comment:ticket:42727:10

Change History (4)

comment:1 Changed 11 years ago by mojca (Mojca Miklavec)

Cc: mojca@… added

Cc Me!

comment:2 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Also, from the Subversion and Heartbleed announcement today, you should manually remove the old certificate from the list of accepted certificates:

On Apr 12, 2014, at 21:08, Ben Reser <breser at apache dot org> wrote:

If you have already trusted certificates that are now revoked you will also need to remove them from your authentication store for Subversion. This will be stored under ~/.subversion/auth/svn.ssl.server or %APPDATA%\Subversion\auth\svn.ssl.server. You can delete the entire directory to remove all accepted certificates or just delete specific files within the directory to remove just those certs. The files are simply text files containing some data, you should be able to read them to locate the specific keys you which to remove.

In fact, probably every user running Lion or newer should be doing that as well... We may need to announce that.

comment:3 in reply to:  2 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to ryandesign@…:

In fact, probably every user running Lion or newer should be doing that as well... We may need to announce that.

Well, every user accessing the MacPorts subversion repository. So primarily developers, although some users may be using subversion working copies to get around rsync restrictions on their network.

comment:4 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: newclosed

In the mean time, the certificates have been accepted and the buildslaves are working fine.

Note: See TracTickets for help on using tickets.