Certificate for svn.cct.lsu.edu not trusted

Create issue
Issue #1783 closed
Ian Hinder created an issue

The certificate for svn.cct.lsu.edu was just replaced (8th June), but the replacement certificate is widely recognised.

Error validating server certificate for 'https://svn.cct.lsu.edu:443':
- The certificate is not issued by a trusted authority. Use the
  fingerprint to validate the certificate manually!
Certificate information:
- Hostname: svn.cct.lsu.edu
- Valid: from Jun  9 00:00:00 2015 GMT until Jun 25 23:59:59 2018 GMT
- Issuer: InCommon, Internet2, Ann Arbor, MI, US
- Fingerprint: 0E:DA:45:7D:98:10:B1:96:6C:F4:48:86:85:A9:76:31:2D:A3:09:B6
Certificate problem.
(R)eject, accept (t)emporarily or accept (p)ermanently? Server SSL certificate untrusted: Unable to connect to a repository at URL 'https://svn.cct.lsu.edu/repos/numrel/LSUThorns/CPUID': Server SSL certificate verification failed: issuer is not trusted at /usr/share/perl5/Git/SVN.pm line 148.

https://www.sslshopper.com/ssl-checker.html#hostname=svn.cct.lsu.edu

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

One of the certificates is signed with a SHA1 signature. We recommend that you reissue or replace this certificate with one that uses a SHA-2 signature. Contact your SSL provider about how to do this. Read more about the SHA-1 deprecation here.

This is blocking the build and test system, because the repositories aren't being updated due to this error.

Keyword:

Comments (12)

  1. Roland Haas
    • removed comment

    This has become a recurring issue with the certificates. Since we only use svn for ExternalLibraries and LSUThorns anymore, would it be possible to migrate LSUThorns to bitbucket and ExternalLibraries to github. The latter because github allows svn access to git repositories (See https://github.com/blog/966-improved-subversion-client-support), ie:

     svn checkout https://github.com/rhaas80/Outflow
    

    works fine on the jenkins test machine.

  2. Roland Haas
    • removed comment

    This is also happening to svn.einsteintoolkit.org. https://www.sslshopper.com/ssl-checker.html#hostname=svn.einsteintoolkit.org

    This has become a recurring issue with the certificates. Since we only use svn for ExternalLibraries and LSUThorns anymore, would it be possible to migrate LSUThorns to bitbucket and ExternalLibraries to github. The latter because github allows svn access to git repositories (See https://github.com/blog/966-improved-subversion-client-support), ie:

    svn checkout https://github.com/rhaas80/Outflow

    works fine on the jenkins test machine.

  3. Frank Löffler
    • removed comment

    There are a lot of certs being changed at LSU right now (because they would expire in about two weeks). You have to break an egg to make an omelette (apparently similar to "Wo gehobelt wird fallen Spaehne).

    Regarding external libs using git: not unless we distribute the actual library in a different way. Developers still would (need to) have a git checkout, because I very much doubt I could commit to the svn-git bridge.

  4. Roland Haas
    • removed comment

    Are there any other certificates (or servers) hosted by LSU? In that case could someone follow up on this to make sure that they all get fixed? It seems as if we are not some much getting an omelette out of of this. I get the impression that each time that the certificates are up for renewal something else fails (at least its not the same thing each time, so the system learns :-) ).

    Developers still would (need to) have a git checkout, because I very much doubt I could commit to the svn-git bridge. I turns out one can (surprisingly). I just tested this. Both modifying existing files and adding new ones works through the svn brigde. See https://github.com/rhaas80/test .

    Github also lets you (similar to bitbucket) download a given revision as a tarball, via:

    wget https://github.com/rhaas80/test/archive/c6f710ab83274fe9ea72762894cab81a27053e20.tar.gz
    

    so we could just track the actual source code in the repo (makes a git checkout for developers smaller) and have the users get either just a tarball via this method or via svn.

  5. Frank Löffler
    • removed comment

    Thanks for reporting: fixed. I am the one who follows up, and assuming I can do it myself or I can get hold of the person that does it here at CCT this is an issue of minutes. And yes - the system learns.

  6. Roland Haas
    • removed comment

    Has there been any progress on this? As far as I remember Frank used to take care of the other two certificates and given that he is away, is there a chance that this is fixed by someone else local to LSU?

  7. Frank Löffler
    • changed status to resolved
    • removed comment

    Done. Somehow I missed this subdomain, and my firefox (31) doens't complain, so I didn't notice.

  8. Log in to comment