Unable to relocate to new svn URL

Kevin Oberman rkoberman at gmail.com
Wed Aug 5 22:07:05 UTC 2015

On Wed, Aug 5, 2015 at 1:21 PM, Dimitry Andric <dim at freebsd.org> wrote:

> On 05 Aug 2015, at 22:05, Kevin Oberman <rkoberman at gmail.com> wrote:
> >
> > Today I decided to relocate my ports source from the old specific mirror
> to
> > the new svn.freebsd.org. Seemed like just one easy command, but not
> quite.
> >
> > First, if subversion is built with the default options, it will refuse to
> > do https:// with the confusing message that the URL format was not
> > recognized. I checked and my svn was notbuilt with SASL. SASL is not on
> by
> > default. So I rebuilt subversion and now it likes the command, but won't
> > accept the certificate:
> > Error validating server certificate for 'https://svn.freebsd.org:443':
> > - The certificate is not issued by a trusted authority. Use the
> >   fingerprint to validate the certificate manually!
> > Certificate information:
> > - Hostname: svn.freebsd.org
> > - Valid: from Jun 22 00:00:00 2015 GMT until Jun 22 23:59:59 2016 GMT
> > - Issuer: Gandi, Paris, Paris, FR
> > - Fingerprint:
> E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9
> > (R)eject, accept (t)emporarily or accept (p)ermanently?
> >
> > Indeed, it does not appear that Gandi is on the certificate.txt. file
> > installed by ca_root_nss.
> Not directly, the Gandi Standard SSL CA 2 certificate is issued by the
> following root CA:
> Serial Number: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
> Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network,
> CN=USERTrust RSA Certification Authority
> > Is this a problem with the ca_root_nss port, the certificate, of is
> > something hacked? Clearly, I am not about to trust the certificate as it
> > now stands.
> Which version of ca_root_nss do you have?  Mine is 3.19.1_1, and it
> definitely has the above root CA in /etc/ssl/cert.pem.
> -Dimitry

Thanks for the quick response! I'm still confused, though.

I have 3.19.2, so it is just a bit newer. But I don't have
/etc/ssl/cert.pem. The root certs are installed in
/usr/local/share/certs/ca-root-nss.crt. Is something required to get them
into /etc/ssl? I confirm that the fingerprints match.

Also, the handbook needs a bit of work. It shows the use of svn.freebsd.org,
but the text just prior to the example still talks about " the western US
repository". Later text discuses the GeoDNS and svn.frebsd.org. (Yes, this
is nit-picking.)

Any idea why my use of SVN is complaining? Now that I have verified the
fingerprint, I can go on and accept the cert, but why is this happening and
will it bite others?
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

More information about the freebsd-ports mailing list