Bug 210332

Summary: Certificate change for svn.freebsd.org ?
Product: Documentation
Reporter: bhs_bsd
Component: Books & Articles
Assignee: freebsd-doc (Nobody) <doc>
Status: Closed Not A Bug
Severity: Affects Only Me
CC: crees
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description bhs_bsd 2016-06-16 20:01:14 UTC
Attempting to update the source tree via svn from svn.freebsd.org fails this afternoon, but worked up through this morning. The ports tree still succeeds. The security/ca_root_nss port is installed and current (3.22.2). The certificate shown doesn't match any of the deprecated server names listed in the handbook, either. Output:

alum:/usr/src$sudo svnlite up .
Updating '.':
Error validating server certificate for 'https://svn.freebsd.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.freebsd.org
 - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
 - Issuer: Gandi, Paris, Paris, FR
 - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE
(R)eject, accept (t)emporarily or accept (p)ermanently?
Comment 1 bhs_bsd 2016-06-18 04:55:38 UTC
Thanks to Dimitry Andric on the freebsd-stable mailing list, I solved the verification with

sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Probably a step I missed when installing security/ca_root_nss.

The handbook should probably still be updated for those who manually verify or need svn to install ca_root_nss in the first place. For that reason, I'm changing the product for this report to "Documentation."
Comment 2 bhs_bsd 2016-06-18 04:58:43 UTC
The relevant section in the handbook is "A.3.6 Subversion Mirror Sites."
Comment 3 Remko Lodder freebsd_committer freebsd_triage 2016-06-18 09:09:51 UTC
Back to the documentation team, this is not something strictly for the security team.
Comment 4 Chris Rees freebsd_committer freebsd_triage 2019-04-07 18:42:52 UTC
I'm guessing you didn't have the ETCSYMLINK option on for ca_root_nss, but nowadays it's on by default (since June 2015 r388657).  I'm puzzled as to how it happened to you without you deliberately turning it off, but I think this is probably a case of user error.  I don't see a problem with the docs now.
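
The condition discussed in comments 1 and 4 can be checked before answering the svn certificate prompt. The following is an added example, not part of the bug report or of the ca_root_nss port: it reports whether the default trust file is present and only creates the symlink from comment 1 when nothing else is in its place. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. The two paths are the ones quoted
# in comment 1; the optional ROOT prefix argument is an assumption that lets
# the functions be exercised against a scratch directory.

# Print one status word for the default trust file:
#   ok        cert.pem resolves to a file containing a PEM certificate
#   missing   there is no cert.pem (the state comment 1 corrected)
#   dangling  cert.pem is a symlink whose target does not exist
#   empty     cert.pem exists but holds no certificate
ca_bundle_status() {
    root="${1:-}"
    pem="$root/etc/ssl/cert.pem"
    if [ -L "$pem" ] && [ ! -e "$pem" ]; then
        echo dangling
    elif [ ! -e "$pem" ]; then
        echo missing
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null; then
        echo ok
    else
        echo empty
    fi
}

# Create the symlink from comment 1, but only when cert.pem is absent or
# dangling. An existing file that is not a CA bundle is left untouched so a
# locally managed trust store is never silently replaced.
repair_ca_bundle() {
    root="${1:-}"
    bundle="$root/usr/local/share/certs/ca-root-nss.crt"
    [ -f "$bundle" ] || { echo "bundle not installed: $bundle" >&2; return 1; }
    case "$(ca_bundle_status "$root")" in
        ok) return 0 ;;
        missing|dangling)
            mkdir -p "$root/etc/ssl" &&
                ln -sf "$bundle" "$root/etc/ssl/cert.pem" ;;
        *)  echo "cert.pem exists but is not a CA bundle; not changing it" >&2
            return 1 ;;
    esac
}
```

Called with no argument, both functions operate on the live system paths, so `repair_ca_bundle` then needs the same privileges as the `ln -s` command in comment 1.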