When running svn against our svn server I’m getting this error (domain name and fingerprint edited):
Error validating server certificate for 'https://svn.example.org:443':
- The certificate has expired.
- The certificate has an unknown error.
Certificate information:
- Hostname: mail.example.org
- Valid: from Fri, 24 Sep 2010 13:05:10 GMT until Wed, 09 Feb 2011 15:24:52 GMT
- Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
- Fingerprint: 00:e5:....
(R)eject or accept (t)emporarily? t
So one error says it has expired, and a few lines later it says the expiry date is 2011. And then there is an unknown error. This is svn 1.6 – older versions had an accept permanently option.
I’ve also tried running openssl s_client to check the certificate:
openssl s_client -host svn.example.org -port 443 -verify 5 -CApath /etc/ssl/certs
And amongst other output I get:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7604...
Session-ID-ctx:
Master-Key: 22AB...
Key-Arg : None
Compression: 1 (zlib compression)
Start Time: 1288804434
Timeout : 300 (sec)
Verify return code: 0 (ok)
Which suggests that SSL is set up properly.
The only thing I can think of is that we’re using a multi-domain certificate, with mail.example.org being the subject CN and svn.example.org being listed in the subjectAltName section.
This is affecting a number of people, and I don’t want our clients to have to deal with this, so I’d really like a solution that makes this error go away rather than just fixing it for me. Any help appreciated.
Edit: I can load https://svn.example.org/ in my web browser and it doesn’t complain. I can view the certificate hierarchy through the web browser and none of the certificates in the chain have expired.
I’ve checked ldd svn as suggested by Bruno, and it is linked against libgnutls, while openssl is linked against libssl. Is there an equivalent to the s_client command using libgnutls?
Edit2: (So it’s easy to find for later people). svn uses the gnutls library rather than the ssl library, and gnutls is more strict than ssl. So in order to see the error, you need to use gnutls-cli. In my case, gnutls didn’t like the order of certificates, even though they are all there. See the link before for more details.
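A check for the chain-order problem described in Edit2, added here as an example and not part of the original question: it pulls the chain the server actually sends with openssl, lists each certificate's subject and issuer in served order, and verifies that every certificate's issuer is the subject of the one after it (leaf first), which is what the stricter GnuTLS client expects. The host name svn.example.org and the scratch file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original question): verify that the chain a
# server sends is in leaf-first order, i.e. each certificate's issuer is the
# subject of the certificate that follows it, which GnuTLS-based clients
# such as this svn build insist on. Assumes openssl is installed; the host
# name svn.example.org and the scratch file path are assumptions.

# check_chain_pairs reads "subject=..." / "issuer=..." line pairs from stdin
# (one pair per certificate, in served order) and reports the first break in
# the chain. Exit status: 0 = consistent order, 1 = out of order, 2 = empty.
check_chain_pairs() {
    awk '
        BEGIN { n = 0 }
        /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 0; i + 1 < n; i++) {
                if (iss[i] != subj[i + 1]) {
                    printf "certificate %d (%s) is issued by \"%s\" but certificate %d is \"%s\"\n", i, subj[i], iss[i], i + 1, subj[i + 1]
                    exit 1
                }
            }
            print "chain order ok (" n " certificates)"
        }'
}

# check_chain_file takes a PEM file (the output of `openssl s_client
# -showcerts` works as-is, non-PEM lines are skipped) and lists subject and
# issuer per certificate in file order via a throwaway PKCS#7 wrapper,
# then runs the order check on that listing.
check_chain_file() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        check_chain_pairs
}

# fetch_chain prints the chain served for host $1 on port $2 to stdout.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}

# Usage: sh check_chain.sh svn.example.org [443]
if [ "$#" -ge 1 ]; then
    tmp="/tmp/chain.$$.pem"           # assumed scratch location
    fetch_chain "$1" "${2:-443}" > "$tmp"
    check_chain_file "$tmp"
    rm -f "$tmp"
fi
```

A server that sends the intermediate before the leaf, or the root before the intermediate, is reported as out of order even though every certificate is present, which matches the failure mode described above.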
I’m not sure if it will fix your problem, but there’s an ssl-authority-files option you can configure in ~/.subversion/servers (you can limit it to certain hosts if you want, I think). In addition, it’s possible that your version of svn is linked against another library than OpenSSL for its SSL/TLS stack, for example GnuTLS (this should be visible using ldd on the svn binary). (Have you checked whether the CA certificate may have expired, rather than the server certificate itself?)