Adding @Jung Yi

Stanley Gilliam
System Administrator
GSK
14200 Shady Grove Rd
Rockville, MD 20850
678-548-7768

-----Original Message-----
From: Stanley Gilliam <stanley.x.gill...@gsk.com>
Sent: Monday, March 25, 2024 11:55 AM
To: noloa...@gmail.com
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org
Subject: RE: SVN does not trust cert

Ok, I apologize for the miscommunication. Here is the output from the openssl command:

[I am root!@uptus060-1:conf.d]# openssl s_client -connect hpc.gsk.com:443
CONNECTED(00000003)
depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
   i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2341 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F8C2904FEE4CA89D0F03B21E4D8E16B120419D3F0737265AAC27452DD5BAD62E
    Session-ID-ctx:
    Master-Key: 4D6D3D158228C520B36FF399795D8B847ADF21E2559CDB3EC0CDE8E8AF322B1397B9531598C5CA1215385F6CE8113248
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1711376647
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
:q!
HTTP/1.1 400 Bad Request
Date: Mon, 25 Mar 2024 14:24:13 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
read:errno=0

I updated the cert here :

[I am root!@uptus060-1:~]# cd /etc/pki/tls/certs/
[HPC Admin Host]
[I am root!@uptus060-1:certs]# ll
total 44
-rw-r--r-- 1 root root 2290 Mar 25 08:53 ca.2048.crt
lrwxrwxrwx 1 root root 49 Jul 11 2020 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root 55 Jul 11 2020 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx 1 root root 32 Mar 25 08:54 com.gsk.hpc-2048.crt -> uptus060-1.corpnet2.com.crt.2024
-rw-r----- 1 root root 1688 Mar 15 2018 com.gsk.hpc-2048.crt~
-rw------- 1 root root 1476 Nov 19 2018 localhost.crt
-rwxr-xr-x 1 root root 610 Aug 8 2019 make-dummy-cert
-rw-r--r-- 1 root root 2516 Aug 8 2019 Makefile
-rwxr-xr-x 1 root root 829 Aug 8 2019 renew-dummy-cert
-rw-r--r-- 1 root root 1497 Apr 25 2021 rsyslog-ca.pem
-rw-r--r-- 1 root root 1472 Apr 25 2021 rsyslog-cert.pem
-rw-r--r-- 1 root root 2290 Mar 25 08:54 uptus060-1.corpnet2.com.crt.2024

Using the key here : (private.key)

[I am root!@uptus060-1:private]# ll
total 28
-rw-r--r-- 1 root root 1200 Mar 19 10:24 com.corpnet2.uptus060-1.csr
-rwx------ 1 root root 3160 Mar 15 2018 com.gsk.hpc-2048.pem
-rw------- 1 root root 1679 Mar 8 2018 com.gsk.hpc.key.selfsigned
-rw------- 1 root root 1675 Mar 8 11:50 localhost.key
-rw-r--r-- 1 root root 1679 Mar 8 12:31 private.key
-rw------- 1 root root 5816 Apr 25 2021 rsyslog-key.pem

Stanley Gilliam
System Administrator
GSK
14200 Shady Grove Rd
Rockville, MD 20850
678-548-7768

-----Original Message-----
From: Jeffrey Walton <noloa...@gmail.com>
Sent: Monday, March 25, 2024 11:42 AM
To: Stanley Gilliam <stanley.x.gill...@gsk.com>
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org
Subject: Re: SVN does not trust cert

On Mon, Mar 25, 2024 at 11:34 AM Stanley Gilliam <stanley.x.gill...@gsk.com> wrote:
>
> So we use appview to update our certificates and our cert team confirmed that
> the cert was updated correctly. Is there another way to possibly verify this.
> There may also be something to the second option, I am on a linux RH OS. Is
> there a way someone could jump on a short call with us?

We don't know what the certificate chain or the end entity certificate looks like. You have not described it, and you have not posted the output of the openssl command.

For me, it is not clear what has been done to the server (replaced an end entity certificate?) and what has been done to a typical client (nothing because the PKI has not changed?)

At this point, all folks can do is guess.

Jeff
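
Added example, not part of the thread and not any poster's code: a small shell helper that reads a saved `openssl s_client` transcript and reports how many certificates the server presented and which verify errors were raised. The function names are made up for illustration, and `SAMPLE` is constructed from the output quoted above, abridged to the relevant lines.

```sh
#!/bin/sh
# Added example (not from the thread): summarise an `openssl s_client` transcript.
# SAMPLE is constructed: the thread's output, abridged to the lines that matter.
SAMPLE='depth=0 C = US, O = Glaxo Smith Kline, CN = hpc.gsk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, O = Glaxo Smith Kline, CN = hpc.gsk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Glaxo Smith Kline/CN=hpc.gsk.com
   i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
---
    Verify return code: 21 (unable to verify the first certificate)'

# Prints "<certificates presented> <yes|no: last one is self-signed>".
chain_summary() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---/         { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); s = $0 }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); i = $0 }
        END { ss = (n && s == i) ? "yes" : "no"; print n + 0, ss }'
}

# Prints the distinct verify error numbers, in order of appearance.
verify_errors() {
    printf '%s\n' "$1" | awk -F'[=:]' '
        /^verify error:num=/ { if (!seen[$3]++) out = out (out ? " " : "") $3 }
        END { print out }'
}

diagnose() {
    summary=$(chain_summary "$1"); errs=$(verify_errors "$1")
    n=${summary% *}; self=${summary#* }
    case " $errs " in
        "  ") echo "ok: $n certificate(s) presented, no verify errors" ;;
        *" 20 "*|*" 21 "*)
            if [ "$n" -le 1 ] && [ "$self" = no ]; then
                echo "leaf-only: server presented $n certificate(s), issuer not found locally; errors: $errs"
            else
                echo "no-trust-anchor: $n certificate(s) presented, chain ends at an unknown issuer; errors: $errs"
            fi ;;
        *) echo "other: errors: $errs" ;;
    esac
}

diagnose "$SAMPLE"
```

OpenSSL raises error 21 when the chain holds a single certificate that is not self-signed, and error 20 when an issuer certificate cannot be found locally; both match the one-entry `Certificate chain` section issued by `GSK Issuing CA 1` in the transcript above.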