Subject: SSL connection to svn failing after migration

Original Post

ryan

31 Aug, 2009 05:02 PM

When trying to run svn up I get the following error:
$ svn up
svn: OPTIONS of 'https://gladhandle.svn.beanstalkapp.com/gladhandle/trunk': SSL negotiation failed: Secure connection truncated (https://gladhandle.svn.beanstalkapp.com)

  1. Support Staff 32 Posted by Chris Nagele on 01 Sep, 2009 02:35 PM

    This issue is really baffling. Rackspace has reproduced the issue on Fedora 11 and is running some tests.

  2. 33 Posted by darren on 01 Sep, 2009 02:46 PM

    Same issue on all my repos. The problem only occurs on updates from my dev machine running Ubuntu. I have not seen it on updates performed on the production server running CentOS.

    I have not tried it on a fresh checkout using SSL.

    Running svn switch --relocate and removing the SSL connection is a workaround for me anyway.

  3. 34 Posted by doug on 01 Sep, 2009 02:47 PM

    I am having the same problem, but I am not an Ubuntu tech, so this is as much info as I can provide :)

    Linux ubuntu 2.6.27-11-server
    svn, version 1.5.1 (r32289)

    Also, I can provide Rackspace with SSH access to my Ubuntu dev server so they can see the problem first hand if that helps.

    My account URL prefix is pixelgraphics, but it wouldn't keep me logged into support, so I set up this separate account.

  4. 35 Posted by ryan on 01 Sep, 2009 04:16 PM

    For those who are stuck waiting for this fix, I can verify that building svn with serf (and not neon) on Fedora 11 is a valid workaround and allows use of https.

  5. 36 Posted by john on 01 Sep, 2009 04:21 PM

    It works with SVN 1.4.6 too:

    svn, version 1.4.6 (r28521)
       compiled Aug 7 2009, 01:03:22

    Copyright (C) 2000-2007 CollabNet.
    Subversion is open source software, see http://subversion.tigris.org/
    This product includes software developed by CollabNet (http://www.Collab.Net/).

    The following repository access (RA) modules are available:

    * ra_dav : Module for accessing a repository via WebDAV (DeltaV) protocol.
      - handles 'http' scheme
      - handles 'https' scheme
    * ra_svn : Module for accessing a repository using the svn network protocol.
      - handles 'svn' scheme
    * ra_local : Module for accessing a repository on local disk.
      - handles 'file' scheme

    Again no neon.

  6. 37 Posted by ryan on 01 Sep, 2009 04:41 PM

    Has anyone figured out how to get git-svn working with the workaround? When I try to run git svn rebase I'm getting:

    Malformed network data: XML parsing failed: (400 Bad Request) at /usr/libexec/git-core/git-svn line 4297

    I've exported LD_LIBRARY_PATH to use /usr/local/lib (where the libraries for the compiled svn with serf live) before /usr/lib64.

  7. Support Staff 38 Posted by Chris Nagele on 01 Sep, 2009 05:49 PM

    I finally have some answers:

    It looks like the problem is that the load balancer can't support TLS 1.1 connections. We haven't found exactly at what version the SSL request changed in the svn application, but think the fix on the user side would be to downgrade to an older version of subversion and/or neon.

    We tried running subversion-1.6.3, neon-0.28.4, and openssl-0.9.8k on Gentoo and do not have the problem, but one of our Linux admins reproduced the problem on Fedora 11 with subversion-1.6.4 and also with subversion-1.6.5 using neon 0.28.6 and serf 0.3.0 (all with openssl-0.9.8k).

    I don't think this is a permanent fix though. We're going to move SSL from the LB to each apache instance instead, since the problem will not happen there. This will require some downtime, so we have to plan it for late tonight.

    Thanks for hanging in there while we figured this out. It was a tough one.

    Chris
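
When a failure like the one in the post above is diagnosed from a packet capture, the first thing to read is the protocol version the client offers in its ClientHello. The following is an added example, not part of the original thread: the sample bytes are constructed, and the TLS 1.0 ceiling used for the endpoint is an assumption for illustration.

```python
import struct

# Wire codes for the protocol versions relevant to this thread.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(record_version, client_version):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    body = struct.pack("!H", client_version)    # highest version the client offers
    body += bytes(32)                           # random, zeroed for the sample
    body += b"\x00"                             # empty session_id
    body += struct.pack("!HH", 2, 0x002F)       # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake

def parse_client_hello(data):
    """Return the record-layer version and the offered client_version by name."""
    if len(data) < 11:
        raise ValueError("too short for a ClientHello header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    if len(data) < 5 + rec_len:
        raise ValueError("record truncated")
    if data[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len < 2 or hs_len > rec_len - 4:
        raise ValueError("inconsistent handshake length")
    (client_ver,) = struct.unpack("!H", data[9:11])
    name = lambda v: VERSIONS.get(v, "unknown 0x%04x" % v)
    return {"record_version": name(rec_ver), "offered_version": name(client_ver)}

def exceeds_ceiling(data, ceiling=0x0301):
    """True if the offered version is above the endpoint's assumed ceiling.
    A tolerant server negotiates down; an intolerant one drops the handshake."""
    parse_client_hello(data)                    # validate framing first
    (client_ver,) = struct.unpack("!H", data[9:11])
    return client_ver > ceiling

if __name__ == "__main__":
    for offered in (0x0301, 0x0302):
        hello = build_client_hello(0x0301, offered)
        print(parse_client_hello(hello), "above ceiling:", exceeds_ceiling(hello))
```
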

  8. 39 Posted by jessestay on 01 Sep, 2009 05:51 PM

    Chris, how long before you're able to do the fix? Downgrading just isn't a solution for me (unless you have instructions on how to do it on Fedora).

    Jesse

  9. Support Staff 40 Posted by Chris Nagele on 01 Sep, 2009 05:55 PM

    Jesse,

    We will have to do it tonight. For now there is a solution. It is not ideal, but will get you working again. You can relocate your repo to use http instead of https. To do that, run this command in the root of the repo:

    svn switch --relocate https://accountname.svn.beanstalkapp.com http://accountname.svn.beanstalkapp.com .

    The dot at the end is there on purpose.

    Chris

  10. 41 Posted by ryan on 01 Sep, 2009 05:58 PM

    Thanks for working hard to figure this out.

  11. 42 Posted by nick on 01 Sep, 2009 09:34 PM

    Thanks for working so hard on this, guys, and keeping us up-to-date.

  12. Support Staff 43 Posted by Chris Nagele on 01 Sep, 2009 10:08 PM

    Of course! I feel awful that it is taking so long. We're going to schedule some downtime tonight to fix it.

    Chris

  13. 44 Posted by andy on 02 Sep, 2009 12:17 PM

    Any news? I'm still getting the same error.

  14. Support Staff 45 Posted by Chris Nagele on 02 Sep, 2009 12:23 PM

    Hey everyone. We needed help from Rackspace to change the load balancer, but they delayed on the ticket. This fix requires an entire environment outage along with precise timing for us and Rackspace, which did not work out last night.

    We're going to make an urgent update during the day today since this is taking way too long. I'm very sorry for the problems. We'll reach out to each of you and provide a refund for this month if you are on a paid plan.

    Chris

  15. 46 Posted by ryan on 02 Sep, 2009 12:47 PM

    We're trying to deploy some code today and I've got changes stuck in git that I need to merge before we can do that. Do you have an ETA for today?

  16. Support Staff 47 Posted by Chris Nagele on 02 Sep, 2009 12:50 PM

    We're coordinating that now. I will let you know.

  17. Support Staff 48 Posted by Chris Nagele on 02 Sep, 2009 01:17 PM

    I posted this issue to the Subversion list and received a response. The problem is still the same, but he offered a solution for the client as well.

    http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&d...

    As mentioned in the above bug report, you could try this as a workaround:

    • install libneon27 (in addition to libneon27-gnutls)
    • LD_PRELOAD=/usr/lib/libneon.so.27 svn ...

  18. 49 Posted by john on 02 Sep, 2009 01:33 PM

    I have tried that and can confirm it worked on Ubuntu 9.04.

    $ apt-get install libneon27
    $ LD_PRELOAD=/usr/lib/libneon.so.27 svn co https://...

  19. Support Staff 50 Posted by Chris Nagele on 02 Sep, 2009 01:35 PM

    Thanks John. I realize this is not a permanent fix, but it should help until we make the changes. Ryan, can you give it a try?

    Chris

  20. 51 Posted by ryan on 02 Sep, 2009 01:38 PM

    Unfortunately, it looks like yum on Fedora doesn't have an earlier version of neon available. I'm running neon 0.28.6. If I had additional time today, I could build neon by hand, but at this point I'm hoping your fix will coincide with the completion of my local testing.

  21. 52 Posted by alexis on 02 Sep, 2009 02:31 PM

    Nice John, it worked for me.

  22. Support Staff 53 Posted by Chris Nagele on 02 Sep, 2009 03:50 PM

    We just moved SSL back to Apache instances. Anyone willing to test it?

    Nothing like a mid-day environment update...

    Chris

  23. 54 Posted by john on 02 Sep, 2009 03:57 PM

    Works fine for me now. Thanks everyone for helping to track this one down.

  24. 55 Posted by ryan on 02 Sep, 2009 03:58 PM

    Both svn and git are happy now from stock packages on Fedora 11! Thanks!!