1

I had a working setup of Apache, Redmine (3.3.2.stable) as well as Subversion (1.6.17); the server is a Mac OS X 10.6.8 Snow Leopard. Security concerns prompted us to change the server protocol to HTTPS, so we signed with our certificate authority. So that's all running, and all webpages now are served over HTTPS, except for the SVN repository.

Trying to check out from the original HTTP SVN yields this:

```
svn co http://my.domain/svn/repos .
svn: E175011: Unable to connect to a repository at URL 'http://my.domain/svn/repos'
svn: E175011: Repository moved temporarily to 'https://my.domain/svn/repos'; please relocate
```

So I guess that's fair enough, since technically it was indeed relocated. Trying the same command with the HTTPS option gives me this, though:

```
svn co https://my.domain/svn/repos .
Error validating server certificate for 'https://my.domain:443':
- The certificate is not issued by a trusted authority.
Use the fingerprint to validate the certificate manually!
Certificate information:
- Hostname: my.domain
- Valid: from Apr 26 13:22:21 2017 GMT until Jul  9 23:59:00 2019 GMT
- Issuer: CA, DE(ca@my-ca-auth.de)
- Fingerprint: ...
(R)eject, accept (t)emporarily or accept (p)ermanently? t
Authentication realm: <https://my.domain:443> Redmine SVN Repository
Password for 'admin':
```

And that's also fine, except it doesn't accept any of the Redmine User accounts (or the local system accounts, for that matter). For what it's worth, I give you the relevant part of the server log:

```
[Tue May 09 14:38:12 2017] [error] "DAV Off" cannot be used to turn off a subtree of a DAV-enabled location.
[Tue May 09 14:38:12 2017] [error] [client IP] mod_auth_apple: User admin: authentication failure for "/svn": User not found by checkpw
[Tue May 09 14:38:12 2017] [error] [client IP] mod_auth_apple: User admin: authentication failure for "/svn": User not found in htaccess file
```

Hopefully someone has tried doing something like this on a Mac server before. Ideally, I'd like step-by-step instructions on how to change the SVN server setup from HTTP to HTTPS; this at least must be somewhere out there (I just haven't found anything so far). Thanks for any pointers.

EDIT: I paste the relevant code from httpd.conf below:

```
# This handles SVN authentication through the Redmine DB
# /svn location for users
PerlLoadModule Apache::Redmine
<Location "/svn">
    DAV Off
    SVNParentPath "/usr/local/svn"
    Order deny,allow
    Deny from all
    Satisfy any
    # If a client tries to svn update which involves updating many files,
    # the update request might result in an error Server sent unexpected
    # return value (413 Request Entity Too Large) in response to REPORT
    # request, because the size of the update request exceeds the limit
    # allowed by the server. You can avoid this error by disabling the
    # request size limit by adding the line LimitXMLRequestBody 0
    # between the <Location...> and </Location> lines.
    LimitXMLRequestBody 0
    # Only check authentication for the root path, not again for recursive
    # folders.
    # Redmine core only permits access on repository level, so this
    # doesn't hurt security. On the other hand it does boost performance
    # a lot!
    SVNPathAuthz off
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler
    AuthType Basic
    AuthName "Redmine SVN Repository"
    AuthUserFile /dev/null
    # read-only access
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
        Satisfy any
    </Limit>
    # write access
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
    ## for mysql
    RedmineDSN "DBI:mysql:database=redmine;host=localhost"
    RedmineDbUser 'user'
    RedmineDbPass 'password'
</Location>
```

  • A look at the configuration would help. – Jenny D May 09 '17 at 13:54
  • What parts of the configuration would you need to be able to help? – Sebastian Sulger May 16 '17 at 09:42
  • You should seriously consider upgrading your SVN server. SVN 1.6.x is very outdated and has not been supported for more than four years. I guess that your Apache is very outdated, too. You are missing a lot of improvements that were introduced in SVN 1.7, 1.8 and 1.9. – bahrep Jul 12 '17 at 13:11

2 Answers

2

This is now working. It turns out that the Apache config had been changed to include the line `DAV Off` inside the `<Location "/svn">` directive. This should really be `DAV svn` (see http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl). After this change, checking out the repository worked again (after accepting the server certificate). Browsing the repository from within Redmine still didn't work, since the Redmine installation still pointed at the old (http) repository address. This was a matter of issuing a MySQL command as seen here: http://www.redmine.org/boards/1/topics/14577 (in my case, I was able to use phpMyAdmin for this).
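A check for the misconfiguration this answer identifies, as an added example (not code from the post or from Redmine): it scans `<Location>` blocks and reports Subversion locations whose `DAV` provider is not `svn`. The sample config is constructed from the question's excerpt, and `parse_locations` and `find_svn_dav_problems` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the question's httpd.conf excerpt.
SAMPLE_CONF = '''
<Location "/svn">
    DAV Off
    SVNParentPath "/usr/local/svn"
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </Limit>
</Location>
<Location "/svn-fixed">
    DAV svn
    SVNParentPath "/usr/local/svn"
</Location>
'''

OPEN = re.compile(r'^<Location(?:Match)?\s+"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'^</Location(?:Match)?>$', re.I)

def parse_locations(text):
    """Return {path: {directive_lower: [values]}} for each <Location> block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif CLOSE.match(line):
            current = None
        elif current is not None and line and line[0] not in '<#':
            # Nested <Limit> tags and comments are skipped; directives inside
            # them are still attributed to the enclosing Location.
            name, _, value = line.replace('\t', ' ').partition(' ')
            current.setdefault(name.lower(), []).append(value.strip().strip('"'))
    return blocks

def find_svn_dav_problems(text):
    """List (path, dav_value) for SVN locations whose DAV provider is not svn."""
    problems = []
    for path, d in parse_locations(text).items():
        if 'svnpath' not in d and 'svnparentpath' not in d:
            continue  # not a Subversion location
        dav = d.get('dav', ['(unset)'])[-1]  # last DAV line in the block
        if dav.lower() != 'svn':
            problems.append((path, dav))
    return problems

if __name__ == '__main__':
    print(find_svn_dav_problems(SAMPLE_CONF))
```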

0

It looks like you are trying to access your subversion repository with the user id 'admin'. This is probably due to the fact that you do not provide an explicit user id, thus the user id which issues the svn command will be taken. In your above example, this seems to be 'admin'.

Next, judging from the log entries, the server asks for authentication of user 'admin', but this user can be found neither by checkpw nor in a htaccess file.

You must either add admin to the htaccess file, or, more likely, in your svn command you must provide a user id that exists on your OS X server or in the htaccess file. For example:

```
svn co https://validuser@my.domain/svn/repos .
```
not2savvy
  • I don't think that's the issue here. 'admin' is in fact a valid user that's inside the Redmine user database. I think the issue is that SVN doesn't know about the SSL certificate yet, and I need to supply that information somewhere, but I'm not sure where. – Sebastian Sulger May 16 '17 at 09:48
  • I may be wrong, but if I look at the error messages, it seems to me that it is not (yet) the Redmine user that is asked for authentication. It looks like an http(s) authentication. What is set for "Who can Access" in the websites configuration of the Server app for this domain? The SSL certificate should not be the problem, if you have accepted it as displayed in your question. – not2savvy May 16 '17 at 09:57
  • Another idea: Have you verified that Apache can read from your SVN repo? Is there a httpd-svn.conf that you could show us? – not2savvy May 16 '17 at 10:08
  • I have added a relevant excerpt from the Apache config file above. I think you're right in that the problem is with Apache not being able to read from the repo. No idea how to fix this though. – Sebastian Sulger May 16 '17 at 11:12
  • Not sure how this is done for apache. I've set up svn with ssh, and this required to make the repository group readable for wheel, while it is owned by _svn, as so: `drwxr-xr-x 11 _svn wheel 374 Mar 24 15:41 repositories` - what does `ls -l` give for your repository? – not2savvy May 16 '17 at 12:32
  • `ls -l` on my repos shows that it's owned by `_www:_www` (the apache user). – Sebastian Sulger May 16 '17 at 12:36
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/58836/discussion-between-not2savvy-and-sebastian-sulger). – not2savvy May 16 '17 at 12:48