Re: F9: How to remove a permanent SSL user/client certificate?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Daniel B. Thurman wrote:

Craig White wrote:

On Fri, 2009-05-08 at 17:44 -0700, Daniel B. Thurman wrote:

Sorry, I have looked on the Internet and have not
figured out how to get rid of a permanent client/user
certificate.  I am testing my Apache/SVN/SSL with
a self-signed certificate and choose the permanent
option, and I'd like to remove it for further testing.

----
remove from what?

from server, you have a crl (certificate revocation list)

from client, depends how/where you installed it

Craig

I was trying to setup and test my Apache/SVN/SSL setup, and
I have for /etc/httpd/conf.d/subversion.conf:

<VirtualHost 127.0.0.1:80>
   ServerName gold.cdkkt.com
   Redirect / https://gold.cdkkt.com/
</VirtualHost>
<VirtualHost gold.cdkkt.com:443>
   #<Directory "/svn/svn">
   #  Order allow,deny
   #  Allow from 127.0.0 10.0.0
   #</Directory>
   ServerName  gold.cdkkt.com
   ServerAdmin admin@xxxxxxxxx
   CustomLog /svn/svn/Admin/logs/access.log combined
   ErrorLog  /svn/svn/Admin/logs/error.log
   SSLEngine on
   SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   <Location /svn>
      AuthName "Subversion Repository"
      DAV svn
      SVNParentPath      /svn/svn
      AuthUserFile       /svn/svn/Admin/apache/auth
      AuthzSVNAccessFile /svn/svn/Admin/apache/authz
      #<LimitExcept GET PROPFIND OPTIONS REPORT>
      #    Order deny,allow
      #    Deny from all
      #    allow from 127.0.0 10.1.0.0/24
      #</LimitExcept>        AuthType Basic
      Require valid-user
      #Satisfy any
   </Location>
</VirtualHost>

And while I was testing, on the command line such as:
# svn list https://gold.cdkkt.com/svn/svn1

I was prompted to choose Reject, Temporary, or Permanent
and I choose "p", and it moved on to asking for an SVN password,
accepting it, and I got my SVN repository list.
==============================================
$ svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
  fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT 
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88 
(R)eject, accept (t)emporarily or accept (p)ermanently? p
Authentication realm: <https://gold.cdkkt.com:443> Subversion Repository @ Gold.cdkkt.com 
Password for 'dant':
branches/
tags/
trunk/
==============================================

The next time I ran this above command line again, I somehow
got an error:
===============================================
$svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
  fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT 
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88 
(R)eject, accept (t)emporarily or accept (p)ermanently? p
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 403 Forbidden (https://gold.cdkkt.com)
===============================================

I am trying to understand what is going on: (1) why am I still getting
prompted to choose the certificate (I thought is was permanent),
and (2) no longer asked for the SVN password.  It is quite possible
for (2), I screwed up the subversion.conf settings but can't quite
find the problem.

What is odd is, that if I uncomment `#Satisfy any' line, run the same
exact command as above, I  don't get asked to verify the certs, don't
get requested for the SVN password, and immediately get the the
SVN listing.

I did find some things in:
~/.subversion directory under the `auth' directories, and removed
what I *think* where the certs were saved, but I cannot be certain,
even so, nothing has changed.

So, if the certificate was supposedly saved somewhere, where should
it be located?  I checked the Keyrings, Browser-security - nothing.

Dan


I found out why I was not able to get this to work.  Apparently,
I had a file in conf.d: system-config-httpd.conf, and removing
this file worked. I guess I added this in at some point.

I now have Apache/SVN/SSL working well.


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux