Bug #5342

ant update hangs if the svn certificate changes (and possibly always hangs the first time)

Added by Christopher Brooks over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: build system
Target version:
Start date: 03/08/2011
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id: 5342

Description

I was doing "ant update" and the process hung while
updating build-area. I suspect that this issue will affect any
new developer who is trying to access the tree via subversion.

I hit ^C and then got info because code.kepler-project.org's certificate
was updated on 2/6/11:

[update-modules] Updating build-area...
[update-modules] svn -r head update --accept postpone /Users/cxh/src/kepler/build-area
^C ^C[update-modules] Error validating server certificate for 'https://code.kepler-project.org:443':
[update-modules] - The certificate is not issued by a trusted authority. Use the
[update-modules] fingerprint to validate the certificate manually!
[update-modules] Certificate information:
[update-modules] - Hostname: *.kepler-project.org
[update-modules] - Valid: from Sun, 06 Feb 2011 17:59:18 GMT until Sat, 06 Feb 2016 17:59:18 GMT
[update-modules] - Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
[update-modules] - Fingerprint: 07:91:ac:d8:58:c9:27:c3:4a:96:0d:23:87:cb:38:6a:6c:14:3f:7e
[update-modules] (R)eject, accept (t)emporarily or accept (p)ermanently? svn: OPTIONS of 'https://code.kepler-project.org/code/kepler/trunk/modules/build-area': Server certificate verification failed: issuer is not trusted (https://code.kepler-project.org)
[update-modules]

For details about svn and certificates, see
http://chess.eecs.berkeley.edu/ptexternal/wiki/Main/Subversion#svnCertficateIsNotIssuedByATrustedAuthority

brooksBuild.txt (25.9 KB) Christopher Brooks, 08/03/2011 11:01 AM

History

#1 Updated by Christopher Brooks almost 8 years ago

ant update continues to fail on a new machine until the user
runs an svn command by hand.

Here's what happened.

I'm moving over to a new machine, so I copied my previous tree over.
When I did "ant update", the update hung:

[update-modules] Using the head of ptolemy. Use 'ant update-ptolemy -Drev=stable' to work from the stable version.
[update-modules] svn -r head update --accept postpone /Users/cxh/src/kepler/ptolemy/src
[update-modules] At revision 61700.
[update-modules]
[update-modules] Updating build-area...
[update-modules] svn -r head update --accept postpone /Users/cxh/src/kepler/build-area

When I typed a control-C, I got:

[update-modules] Error validating server certificate for 'https://code.kepler-project.org:443'

The workaround is to run the command by hand and accept the certificate.

bash-3.2$ svn -r head update --accept postpone /Users/cxh/src/kepler/build-area
Error validating server certificate for 'https://code.kepler-project.org:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: *.kepler-project.org
- Valid: from Sun, 06 Feb 2011 17:59:18 GMT until Sat, 06 Feb 2016 17:59:18 GMT
- Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
- Fingerprint: 07:91:ac:d8:58:c9:27:c3:4a:96:0d:23:87:cb:38:6a:6c:14:3f:7e
(R)eject, accept (t)emporarily or accept (p)ermanently? p
At revision 28180.
bash-3.2$

The nightly build should be changed so that this cached certificate is
removed and then the build system fixed so that the certificate is accepted.

This bug likely affects every new user of the Kepler devel tree.

#2 Updated by Daniel Crawl almost 8 years ago

Does this occur when you do a new checkout from a new machine or only when you copy an existing tree to a new machine?

#3 Updated by Christopher Brooks almost 8 years ago

Good point.
When the user first checks out build-area, they will be asked if they
want to accept the certificate. This will add the certificate as a file to
~/.subversion/auth/svn.ssl.server

The bug is that if the kepler tree is accessed from an account that does not
have the certificate saved, then "ant update" hangs. The mysterious
thing is that it hangs towards the end of the "ant update" process; apparently
the certificate is not needed earlier.

To replicate this, go to ~/.subversion/auth/svn.ssl.server/ and find
the file that contains "https://code.kepler-project.org:443" and remove
the file.

Then,
cd build-area
svn update

The build process will hang towards the end.

The fix is to run the svn command by hand.

#4 Updated by Daniel Crawl almost 8 years ago

I cleaned out ~/.subversion/auth/*, but svn does not re-save the certificate. I also set store-auth-creds = yes in both ~/.subversion/{config,servers}. I remember being prompted in the past to save the certificate, but cannot get svn to do that now.

I am using svn 1.6.16 on my mac. I also have the same behavior on svn 1.6.17 on linux.

Which version of svn do you have?

I noticed svn has:

--trust-server-cert : accept unknown SSL server certificates without prompting (but only with '--non-interactive')

If your svn has this option, does it accept the new certificate without prompting?

svn --trust-server-cert --non-interactive update build-area

If this works, we could add these options to the build system. A disadvantage then is that the build system will blindly accept any certificate.

#5 Updated by Christopher Brooks almost 8 years ago

The attachment contains a run that illustrates the bug.

I'm running Mac OS 10.7 and SVN 1.6.16. The SVN came from XCode 3.2.6.
(Sadly, Apple is charging $5 for XCode 4)

What's interesting is that the problem seems to only occur when updating
the build-area.

I agree that blindly accepting certificates might not be the best call.
A better fix would be to print stderr as it comes over the wire from
the svn run so that the user knows something is amiss. Hitting Control-C
sometimes prints an error message, sometimes does not.
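
The trade-off raised in comments #4 and #5, as an added example that is not part of the thread or of the r28185 change: a POSIX shell wrapper that runs an svn command with stdin redirected from /dev/null so the certificate prompt cannot block, relays stderr, and flags the certificate failure without passing --trust-server-cert. The function names and the stand-in failure command are hypothetical; the fingerprint helper assumes the `SHA1 Fingerprint=...` line printed by `openssl x509 -noout -fingerprint -sha1`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Kepler build code.

# Constructed stand-in for a failing svn call: writes the error line quoted
# in this report to stderr so the wrapper can be exercised offline.
sample_svn_cert_failure() {
    echo "svn: OPTIONS of 'https://code.kepler-project.org/code/kepler/trunk/modules/build-area': Server certificate verification failed: issuer is not trusted (https://code.kepler-project.org)" >&2
    return 1
}

# normalize_fp TEXT: reduce "SHA1 Fingerprint=07:91:AC:..." (openssl) or
# "07:91:ac:..." (svn prompt) to lowercase colon-separated hex.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr 'A-F' 'a-f' | tr -d ' '
}

# fingerprint_matches PINNED OBSERVED: succeeds only on an exact match, so
# a changed certificate is noticed instead of being accepted blindly.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# run_unattended CMD [ARGS...]: run CMD with stdin from /dev/null so a
# prompt reads EOF instead of waiting. Returns 0 on success, 3 when svn
# rejected the server certificate, otherwise CMD's own exit status.
run_unattended() {
    err=$(mktemp) || return 2
    "$@" </dev/null 2>"$err"
    st=$?
    sed 's/^/[svn stderr] /' "$err" >&2    # always show what svn said
    if [ "$st" -ne 0 ] &&
       grep -q 'Server certificate verification failed' "$err"; then
        echo "SVN server certificate could not be validated." >&2
        echo "Check the fingerprint, then run by hand: $*" >&2
        st=3
    fi
    rm -f "$err"
    return "$st"
}

# Typical call (needs svn and network access, so it is not run here):
#   run_unattended svn --non-interactive -r head update --accept postpone <path>
```

A build script can treat exit status 3 as "stop and ask the developer" and compare the fingerprint from the svn prompt against one obtained over a trusted channel with `fingerprint_matches`.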

#6 Updated by Daniel Crawl almost 8 years ago

Fixed in r28185.

Subversion appears to only save certificates locally if the signing authority is not trusted by the local machine. After I removed the authorities that signed the certificate for code.kepler-project.org from the list of trusted authorities, svn prompted me to save the certificate.

You can see the signing authorities:

openssl s_client -connect code.kepler-project.org:443 -prexit

This only occurs for build-area since that is the only resource checked out using https. Perhaps the other modules and Ptolemy should use https as well.

#7 Updated by Christopher Brooks almost 8 years ago

Thanks, that worked. I now get:

[update-modules] Updating build-area...
[update-modules] svn -r head update --accept postpone /Users/cxh/src/kepler/build-area
[update-modules] Error validating server certificate for 'https://code.kepler-project.org:443':
[update-modules] SVN server certificate could not be validated.
[update-modules] The command must be run by hand:
[update-modules] svn -r head update --accept postpone /Users/cxh/src/kepler/build-area
[update-modules] Ivy...

#8 Updated by Redmine Admin over 6 years ago

Original Bugzilla ID was 5342
