F9: How to remove a permanent SSL user/client certificate?
Daniel B. Thurman
dant at cdkkt.com
Sun May 10 23:01:28 UTC 2009
Daniel B. Thurman wrote:
> Craig White wrote:
>> On Fri, 2009-05-08 at 17:44 -0700, Daniel B. Thurman wrote:
>>
>>> Sorry, I have looked on the Internet and have not
>>> figured out how to get rid of a permanent client/user
>>> certificate. I am testing my Apache/SVN/SSL with
>>> a self-signed certificate and chose the permanent
>>> option, and I'd like to remove it for further testing.
>>>
>> ----
>> remove from what?
>>
>> from server, you have a crl (certificate revocation list)
>>
>> from client, depends how/where you installed it
>>
>> Craig
>>
> I was trying to setup and test my Apache/SVN/SSL setup, and
> I have for /etc/httpd/conf.d/subversion.conf:
>
> <VirtualHost 127.0.0.1:80>
> ServerName gold.cdkkt.com
> Redirect / https://gold.cdkkt.com/
> </VirtualHost>
> <VirtualHost gold.cdkkt.com:443>
> #<Directory "/svn/svn">
> # Order allow,deny
> # Allow from 127.0.0 10.0.0
> #</Directory>
> ServerName gold.cdkkt.com
> ServerAdmin admin at cdkkt.com
> CustomLog /svn/svn/Admin/logs/access.log combined
> ErrorLog /svn/svn/Admin/logs/error.log
> SSLEngine on
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> <Location /svn>
> AuthName "Subversion Repository"
> DAV svn
> SVNParentPath /svn/svn
> AuthUserFile /svn/svn/Admin/apache/auth
> AuthzSVNAccessFile /svn/svn/Admin/apache/authz
> #<LimitExcept GET PROPFIND OPTIONS REPORT>
> # Order deny,allow
> # Deny from all
> # allow from 127.0.0 10.1.0.0/24
> #</LimitExcept>
> AuthType Basic
> Require valid-user
> #Satisfy any
> </Location>
> </VirtualHost>
>
> And while I was testing, on the command line such as:
> # svn list https://gold.cdkkt.com/svn/svn1
>
> I was prompted to choose Reject, Temporary, or Permanent
> and I chose "p", and it moved on to asking for an SVN password,
> accepting it, and I got my SVN repository list.
> ==============================================
> $ svn list https://gold.cdkkt.com/svn/svn1
> Error validating server certificate for 'https://gold.cdkkt.com:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: gold.cdkkt.com
> - Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019
> 19:41:42 GMT
> - Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
> - Fingerprint:
> 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
> (R)eject, accept (t)emporarily or accept (p)ermanently? p
> Authentication realm: <https://gold.cdkkt.com:443> Subversion
> Repository @ Gold.cdkkt.com
> Password for 'dant':
> branches/
> tags/
> trunk/
> ==============================================
>
> The next time I ran this above command line again, I somehow
> got an error:
> ===============================================
> $svn list https://gold.cdkkt.com/svn/svn1
> Error validating server certificate for 'https://gold.cdkkt.com:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: gold.cdkkt.com
> - Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019
> 19:41:42 GMT
> - Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
> - Fingerprint:
> 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
> (R)eject, accept (t)emporarily or accept (p)ermanently? p
> svn: PROPFIND request failed on '/svn/svn1'
> svn: PROPFIND of '/svn/svn1': 403 Forbidden (https://gold.cdkkt.com)
> ===============================================
>
> I am trying to understand what is going on: (1) why am I still getting
> prompted to choose the certificate (I thought it was permanent),
> and (2) no longer asked for the SVN password. It is quite possible
> for (2), I screwed up the subversion.conf settings but can't quite
> find the problem.
>
> What is odd is, that if I uncomment `#Satisfy any' line, run the same
> exact command as above, I don't get asked to verify the certs, don't
> get requested for the SVN password, and immediately get the
> SVN listing.
>
> I did find some things in:
> ~/.subversion directory under the `auth' directories, and removed
> what I *think* where the certs were saved, but I cannot be certain,
> even so, nothing has changed.
>
> So, if the certificate was supposedly saved somewhere, where should
> it be located? I checked the Keyrings, Browser-security - nothing.
>
> Dan
>
I found out why I was not able to get this to work. Apparently,
I had a file in conf.d: system-config-httpd.conf, and removing
this file worked. I guess I added this in at some point.
I now have Apache/SVN/SSL working well.
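
Added example (not part of the original post): the thread asks where a permanently accepted server certificate is saved. The Python below assumes the Subversion client's usual cache layout, `~/.subversion/auth/svn.ssl.server/`, with one hash-dump file per realm named by the MD5 of the realm string; it parses those records and returns the SHA-1 fingerprint cached for a realm so it can be compared with the one shown in the prompt. `write_sample` and the certificate bytes are constructed for the demo.

```python
import base64, hashlib, tempfile
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse svn's hash-dump format: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    out, pos = {}, 0
    def item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        start, n = eol + 1, int(head[1])
        if data[start + n:start + n + 1] != b"\n":
            raise ValueError("length field does not match data")
        pos = start + n + 1
        return data[start:start + n]
    while not data.startswith(b"END", pos):
        key = item(b"K").decode()
        out[key] = item(b"V")
    return out

def find_cached(auth_dir, realm):
    """Return [(path, sha1_fingerprint)] for certs permanently accepted for realm."""
    hits = []
    for path in sorted(Path(auth_dir, "svn.ssl.server").glob("*")):
        try:
            rec = parse_svn_hash(path.read_bytes())
            der = base64.b64decode(rec["ascii_cert"])
            if rec["svn:realmstring"].decode() != realm:
                continue
        except (ValueError, KeyError, OSError):
            continue  # not a readable cache record; leave it alone
        hexd = hashlib.sha1(der).hexdigest()
        hits.append((path, ":".join(hexd[i:i + 2] for i in range(0, 40, 2))))
    return hits

def write_sample(auth_dir, realm, der):
    """Write a constructed cache record (assumed file name: MD5 of the realm string)."""
    path = Path(auth_dir, "svn.ssl.server", hashlib.md5(realm.encode()).hexdigest())
    path.parent.mkdir(parents=True, exist_ok=True)
    fields = {b"ascii_cert": base64.b64encode(der), b"svn:realmstring": realm.encode()}
    path.write_bytes(b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                              for k, v in fields.items()) + b"END\n")
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed data, not a real cache
        write_sample(tmp, "https://gold.cdkkt.com:443", b"constructed-not-a-real-cert")
        print(find_cached(tmp, "https://gold.cdkkt.com:443"))
```

Pointing `find_cached` at `Path.home() / ".subversion/auth"` lists the real entries; removing the reported file makes svn prompt for the certificate again.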