F9: How to remove a permanent SSL user/client certificate?

Daniel B. Thurman dant at cdkkt.com
Sun May 10 23:01:28 UTC 2009


Daniel B. Thurman wrote:
> Craig White wrote:
>> On Fri, 2009-05-08 at 17:44 -0700, Daniel B. Thurman wrote:
>>  
>>> Sorry, I have looked on the Internet and have not
>>> figured out how to get rid of a permanent client/user
>>> certificate.  I am testing my Apache/SVN/SSL with
>>> a self-signed certificate and chose the permanent
>>> option, and I'd like to remove it for further testing.
>>>     
>> ----
>> remove from what?
>>
>> from server, you have a crl (certificate revocation list)
>>
>> from client, depends how/where you installed it
>>
>> Craig
>>   
> I was trying to setup and test my Apache/SVN/SSL setup, and
> I have for /etc/httpd/conf.d/subversion.conf:
>
> <VirtualHost 127.0.0.1:80>
>    ServerName gold.cdkkt.com
>    Redirect / https://gold.cdkkt.com/
> </VirtualHost>
> <VirtualHost gold.cdkkt.com:443>
>    #<Directory "/svn/svn">
>    #  Order allow,deny
>    #  Allow from 127.0.0 10.0.0
>    #</Directory>
>    ServerName  gold.cdkkt.com
>    ServerAdmin admin at cdkkt.com
>    CustomLog /svn/svn/Admin/logs/access.log combined
>    ErrorLog  /svn/svn/Admin/logs/error.log
>    SSLEngine on
>    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
>    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>    <Location /svn>
>       AuthName "Subversion Repository"
>       DAV svn
>       SVNParentPath      /svn/svn
>       AuthUserFile       /svn/svn/Admin/apache/auth
>       AuthzSVNAccessFile /svn/svn/Admin/apache/authz
>       #<LimitExcept GET PROPFIND OPTIONS REPORT>
>       #    Order deny,allow
>       #    Deny from all
>       #    allow from 127.0.0 10.1.0.0/24
>       #</LimitExcept>
>       AuthType Basic
>       Require valid-user
>       #Satisfy any
>    </Location>
> </VirtualHost>
>
> And while I was testing, on the command line such as:
> # svn list https://gold.cdkkt.com/svn/svn1
>
> I was prompted to choose Reject, Temporary, or Permanent
> and I chose "p", and it moved on to asking for an SVN password,
> accepting it, and I got my SVN repository list.
> ==============================================
> $ svn list https://gold.cdkkt.com/svn/svn1
> Error validating server certificate for 'https://gold.cdkkt.com:443':
> - The certificate is not issued by a trusted authority. Use the
>   fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: gold.cdkkt.com
> - Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT
> - Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
> - Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
> (R)eject, accept (t)emporarily or accept (p)ermanently? p
> Authentication realm: <https://gold.cdkkt.com:443> Subversion Repository @ Gold.cdkkt.com
> Password for 'dant':
> branches/
> tags/
> trunk/
> ==============================================
>
> The next time I ran this above command line again, I somehow
> got an error:
> ===============================================
> $svn list https://gold.cdkkt.com/svn/svn1
> Error validating server certificate for 'https://gold.cdkkt.com:443':
> - The certificate is not issued by a trusted authority. Use the
>   fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: gold.cdkkt.com
> - Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT
> - Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
> - Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
> (R)eject, accept (t)emporarily or accept (p)ermanently? p
> svn: PROPFIND request failed on '/svn/svn1'
> svn: PROPFIND of '/svn/svn1': 403 Forbidden (https://gold.cdkkt.com)
> ===============================================
>
> I am trying to understand what is going on: (1) why am I still getting
> prompted to choose the certificate (I thought it was permanent),
> and (2) no longer asked for the SVN password.  It is quite possible
> for (2), I screwed up the subversion.conf settings but can't quite
> find the problem.
>
> What is odd is, that if I uncomment `#Satisfy any' line, run the same
> exact command as above, I  don't get asked to verify the certs, don't
> get requested for the SVN password, and immediately get the
> SVN listing.
>
> I did find some things in:
> ~/.subversion directory under the `auth' directories, and removed
> what I *think* is where the certs were saved, but I cannot be certain,
> even so, nothing has changed.
>
> So, if the certificate was supposedly saved somewhere, where should
> it be located?  I checked the Keyrings, Browser-security - nothing.
>
> Dan
>
I found out why I was not able to get this to work.  Apparently,
I had a file in conf.d: system-config-httpd.conf, and removing
this file worked. I guess I added this in at some point.

I now have Apache/SVN/SSL working well.
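
An added example, not part of the original post: the svn command-line client keeps server certificates accepted with (p)ermanently as one file per realm under ~/.subversion/auth/svn.ssl.server/. The sketch below lists each cached entry with its SHA-1 fingerprint, so it can be compared with the fingerprint shown in the prompt, and removes the entry for one realm. The function names and the sample entry are constructed for illustration.

```python
import base64
import hashlib
from pathlib import Path

def parse_svn_hash(data):
    # Record layout: "K <len>", key, "V <len>", value, repeated, then "END".
    out, pos = {}, 0
    def read_item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError on a truncated file
        kind, size = data[pos:eol].split()
        start, end = eol + 1, eol + 1 + int(size)
        if kind != tag or data[end:end + 1] != b"\n":
            raise ValueError("malformed record at byte %d" % pos)
        pos = end + 1
        return data[start:end]
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key.decode()] = read_item(b"V")
    return out

def cached_server_certs(auth_dir):
    # Yield (path, realm, SHA-1 fingerprint) for every accepted certificate.
    for path in sorted(Path(auth_dir, "svn.ssl.server").glob("*")):
        entry = parse_svn_hash(path.read_bytes())
        digest = hashlib.sha1(base64.b64decode(entry["ascii_cert"])).hexdigest()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, 40, 2))
        yield path, entry["svn:realmstring"].decode(), fingerprint

def forget_realm(auth_dir, realm):
    # Delete the cached acceptance for one realm; return the fingerprints removed.
    hits = [(p, fp) for p, r, fp in cached_server_certs(auth_dir) if r == realm]
    for path, _ in hits:
        path.unlink()
    return [fp for _, fp in hits]

def write_sample_entry(auth_dir, realm, der):
    # Constructed test data: `der` is a stand-in, not a real certificate.
    fields = {b"ascii_cert": base64.b64encode(der), b"failures": b"8",
              b"svn:realmstring": realm.encode()}
    body = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields.items()) + b"END\n"
    target = Path(auth_dir, "svn.ssl.server", hashlib.md5(realm.encode()).hexdigest())
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(body)

if __name__ == "__main__":
    # Read-only listing of the current user's cache.
    for path, realm, fp in cached_server_certs(Path.home() / ".subversion" / "auth"):
        print(realm, fp, path.name)
```

After the entry for a realm is removed, the next svn command against that server shows the (R)eject/(t)emporarily/(p)ermanently prompt again.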