Centos Linux 7.9

Adding @Jung Yi<mailto:jung.j...@gsk.com>

Stanley Gilliam
System Administrator
14200 Shady Grove Rd
Rockville, MD 20850

From: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>
Sent: Monday, March 25, 2024 11:17 AM
To: noloa...@gmail.com
Cc: Stanley Gilliam <stanley.x.gill...@gsk.com>; users@subversion.apache.org
Subject: Re: SVN does not trust cert

Den mån 25 mars 2024 kl 15: 19 skrev Jeffrey Walton <noloader@ gmail. com>: On 
Mon, Mar 25, 2024 at 9: 54 AM Stanley Gilliam via users <users@ subversion. 
apache. org> wrote: > > I am a system admin for GlaxoSmithKline. We are 

Den mån 25 mars 2024 kl 15:19 skrev Jeffrey Walton 
On Mon, Mar 25, 2024 at 9:54 AM Stanley Gilliam via users
<users@subversion.apache.org<mailto:users@subversion.apache.org>> wrote:
> I am a system admin for GlaxoSmithKline. We are currently having issues 
> getting our svn instance to authenticate. This all happened after the cert 
> was updated. We are currently getting the message :
> svn: E175002: OPTIONS of 'https://hpc.gsk.com/xxx/xxx/etc': Server 
> certificate verification failed: issuer is not trusted (https://hpc.gsk.com)
> The cert was updated correctly we believe because the website works.
> is there anybody that may be able to help?

DNS seems to be a problem:

$ openssl s_client -connect hpc.gsk.com:443<http://hpc.gsk.com:443> -servername 
40D7F6E4F1710000:error:10080002:BIO routines:BIO_lookup_ex:system
lib:../crypto/bio/bio_addr.c:738:Name or service not known


$ nslookup hpc.gsk.com<http://hpc.gsk.com>

** server can't find hpc.gsk.com<http://hpc.gsk.com>: NXDOMAIN

You should add a DNS entry for the host 'hpc'. Then, rerun the experiment.

It might be that the hpc.gsk.com<http://hpc.gsk.com> domain is only available 
on an internal network (ie, on an internal DNS server). If there was a missing 
DNS entry you should get an error message similar to this:

$ svn ls https://hpc.gsk.com
svn: E170013: Unable to connect to a repository at URL 'https://hpc.gsk.com'
svn: E670002: Name or service not known

(The missing DNS entry makes it more difficult for someone outside of the 
company to help in debugging of course!).

"issuer is not trusted" sounds to me like it is a self-signed certificate or 
that the certificate is signed by a root that isn't trusted by the client. Can 
you verify that the client really trust the issuer of the certificate?

Another potential explanation (although not supported by the available 
evidence) is that there is a mismatch between the cipher of the new certificate 
compared to what OpenSSL on the client is supporting.

Which platform are you on and what are the versions of Subversion and the 
linked OpenSSL library?

Kind regards,

GSK monitors email communications sent to and from GSK in order to protect GSK, 
our employees, customers, suppliers and business partners, from cyber threats 
and loss of GSK Information. GSK monitoring is conducted with appropriate 
confidentiality controls and in accordance with local laws and after 
appropriate consultation.

Reply via email to