Apache2, Subversion, and SSL

So I am a big SVN fan, and I’m also a big fan of reasonably secure network traffic, so I prefer to use SVN over an SSL connection. The webserver I’m using is Apache2. The purpose of this post is to remind myself about the steps required to get SVN working via SSL only, as right now I have to diligently remember to use https:// instead of http:// when I do an SVN checkout.

The first step was to create a self-signed certificate for use with SSL. I could have paid some entity like VeriSign to give me a signed certificate, but for a server whose only clients are my own machines a CA signature buys little. What actually matters with a self-signed certificate is that every client checks the fingerprint svn prints the first time it connects against the real one, obtained out of band, before answering (p)ermanently; svn then caches the accepted certificate under ~/.subversion/auth/svn.ssl.server/ and stops asking. This page told me how to create the cert, the relevant commands from which I show here. I ran these commands with the working directory /etc/apache2/ssl.

Create the RSA keypair:

openssl genrsa 1024 > host.key
chmod 400 host.key

Create the self-signed certificate using that key. The `-x509` flag is what makes the output a certificate rather than a certificate-signing request: `openssl req` builds the same request it always would and then signs it with the key it was given, so a certificate of this nature is just a CSR signed by its own key (that used to confuse me). `-nodes` only matters when req generates the key itself, so it is harmless but unnecessary here, and once the `-days 365` have passed every client will start warning about an expired certificate:

openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

The 1024-bit key and SHA-1 signature were common in 2006; today 2048-bit RSA and `-sha256` are the floor, and clients increasingly match the hostname against a subjectAltName rather than the CN.
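The same procedure with current parameters, as an added example that is not part of the original post: it generates a 2048-bit key and a SHA-256, SAN-bearing self-signed certificate, checks that the certificate really carries the public half of the key, checks that it covers the hostname svn will connect to, and prints the fingerprints to compare against svn's "Error validating server certificate" prompt. It assumes `openssl` 1.1.1 or newer on PATH (for `-addext`) and uses svn.example.org as a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original post: create a self-signed server
# certificate with parameters that are still acceptable today, confirm that
# the key and certificate belong together, and print the fingerprints a user
# should compare out of band before telling svn to accept the certificate
# permanently. Assumptions: openssl >= 1.1.1 on PATH (for -addext);
# svn.example.org is a placeholder hostname.

# make_selfsigned DIR HOSTNAME [DAYS]: writes DIR/host.key and DIR/host.cert
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    # umask in a subshell so the key is never group/world readable, even briefly
    (umask 077; openssl genrsa -out "$dir/host.key" 2048 2>/dev/null) || return 1
    # -x509 makes req emit a self-signed certificate instead of a CSR;
    # the subjectAltName is what modern clients match the hostname against
    openssl req -new -x509 -sha256 -days "$days" -key "$dir/host.key" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/host.cert" 2>/dev/null || return 1
    chmod 400 "$dir/host.key"
}

# key_bits DIR: size of the RSA modulus in host.key
key_bits() {
    openssl rsa -in "$1/host.key" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# key_matches_cert DIR: succeeds only if host.cert carries the public half of
# host.key (catches a stale certificate left behind after regenerating the key)
key_matches_cert() {
    k=$(openssl pkey -in "$1/host.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/host.cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host DIR HOSTNAME: the name in the https:// URL must be in the cert
cert_covers_host() {
    openssl x509 -in "$1/host.cert" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# cert_fingerprint DIR ALGO: colon-separated hex digest of the DER certificate.
# svn's prompt shows the SHA-1 value; compare it before answering (p).
cert_fingerprint() {
    openssl x509 -in "$1/host.cert" -noout -fingerprint "-$2" 2>/dev/null |
        sed 's/^.*=//'
}

# Demo: build a certificate in a scratch directory and run the checks on it
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" svn.example.org 365 &&
   key_matches_cert "$demo_dir" && cert_covers_host "$demo_dir" svn.example.org; then
    echo "key: $(key_bits "$demo_dir")-bit RSA, certificate and key match"
    echo "SHA-1   fingerprint: $(cert_fingerprint "$demo_dir" sha1)"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$demo_dir" sha256)"
else
    echo "certificate generation or verification failed" >&2
fi
rm -rf "$demo_dir"
```

Run it on the server, copy the SHA-1 line somewhere the clients can reach it safely, and refuse the svn prompt whenever the two values differ; a mismatch is exactly what an interception of the first connection looks like.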

It is also necessary to modify your Apache configuration to use SSL.
Apache needs the ssl, dav, dav_svn and auth_digest modules to serve SVN
over SSL, plus authz_svn (shipped with dav_svn) for the AuthzSVNAccessFile
directive used below. Under Debian, at least, there exist packages for all
of these, so installation is trivial, and `a2enmod` switches them on.

Edit /etc/apache2/ports.conf and add `Listen 443`; 443 is the default port for HTTPS.

Now, it is necessary to make the SVN config entries for Apache2. My goal is for SVN to work via SSL only, so, e.g., svn checkout http://host.com/svn/REPOS will FAIL, but svn checkout https://host.com/svn/REPOS will succeed. The trick is simply that the /svn Location is defined only inside the port-443 virtual host: a request for /svn on port 80 is answered by the ordinary default site, which knows nothing about mod_dav_svn, so the client's PROPFIND fails.

To achieve this, I created a new virtual host for Apache2. I.e., I created a new config file /etc/apache2/sites-available/010-ssl. I picked 010 because duplicating 000 seemed bad. I have no other explanation. I then symlinked that file to ../sites-enabled/ (`a2ensite` does the same thing). The contents of the file are the following:


NameVirtualHost *:443
<VirtualHost *:443>
ServerName mccune.ece.cmu.edu
SSLEngine on
DocumentRoot /var/www/
SSLCertificateFile /etc/apache2/ssl/host.cert
SSLCertificateKeyFile /etc/apache2/ssl/host.key

# Subversion
<Location /svn>
DAV svn
SVNParentPath /var/lib/svn
# our access control policy
AuthzSVNAccessFile /var/lib/svn/access

# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user

# how to authenticate a user
AuthType Digest
AuthName "Subversion"
AuthDigestFile /var/lib/svn/users
# the protection space in which clients may reuse credentials; this vhost is https-only
AuthDigestDomain https://mccune.ece.cmu.edu/
</Location>

# websvn
# No DAV svn here: WebSVN is a PHP application. SVNParentPath is still
# needed so that mod_authz_svn can map /wsvn/REPOS/... to a repository
# path and apply the same access file.
<Location /wsvn/>
SVNParentPath /var/lib/svn
# our access control policy
AuthzSVNAccessFile /var/lib/svn/access

# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user

# how to authenticate a user
AuthType Digest
AuthName "Subversion"
AuthDigestFile /var/lib/svn/users
AuthDigestDomain /
# IE digest workaround (Apache does not allow a comment on a directive line)
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
</Location>

</VirtualHost>

I also like the WebSVN interface, the configuration entries for which are also included. The users file named by AuthDigestFile is created with `htdigest`, and the realm given to it must be exactly the AuthName ("Subversion"), since the realm is part of the stored hash. Note that this is Apache 2.0 syntax: 2.2 replaced AuthDigestFile with AuthUserFile (plus AuthDigestProvider file), and 2.4 replaced Satisfy, Order and Allow with mod_authz_core's Require directives. Run `apache2ctl configtest`, then restart apache, `/etc/init.d/apache2 restart`. You should be good to go.
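Before restarting it is worth checking that the "SSL only" property really follows from the configuration, because nothing enforces it except the placement of the Location blocks. The following script, an added example and not part of the original post, reads an Apache config file and reports every `DAV svn` Location that is not inside a VirtualHost with `SSLEngine on`. It assumes one directive per line, un-nested VirtualHost blocks and one file (not an Include tree), and it keys VirtualHosts by their argument, so two `*:443` blocks count as one; the two sample configs are constructed for the demo, one mirroring the 010-ssl file above and one with /svn also mounted in the port-80 site.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that every Location with
# "DAV svn" sits inside a VirtualHost that has "SSLEngine on", i.e. that the
# repositories are reachable over https:// only. Assumptions: one directive per
# line, VirtualHost blocks not nested, a VirtualHost's SSLEngine line inside
# that block, one config file; VirtualHost arguments are used as keys.

# svn_locations_without_ssl FILE: prints "<location> <vhost>" for every
# offending Location and returns 1 if there is at least one, else 0.
svn_locations_without_ssl() {
    awk '
        # argument of a <VirtualHost ...> or <Location ...> tag, case preserved
        function tag_arg(line, low, tag,    s) {
            s = substr(line, index(low, tag) + length(tag))
            sub(/^[ \t]+/, "", s); sub(/[ \t]*>.*$/, "", s)
            return s
        }
        BEGIN { bad = 0 }
        { l = tolower($0); if (FNR == 1) { v = ""; loc = "" } }
        # pass 1 (first copy of the file): which VirtualHosts switch SSL on
        FNR == NR {
            if (l ~ /^[ \t]*<virtualhost/)        v = tag_arg($0, l, "<virtualhost")
            else if (l ~ /^[ \t]*<\/virtualhost/) v = ""
            else if (l ~ /^[ \t]*sslengine[ \t]+on([ \t]|$)/) ssl[v] = 1
            next
        }
        # pass 2: every "DAV svn" must be inside a VirtualHost seen in pass 1
        l ~ /^[ \t]*<virtualhost/   { v = tag_arg($0, l, "<virtualhost"); next }
        l ~ /^[ \t]*<\/virtualhost/ { v = ""; next }
        l ~ /^[ \t]*<location/      { loc = tag_arg($0, l, "<location"); next }
        l ~ /^[ \t]*dav[ \t]+svn([ \t]|$)/ {
            if (!(v in ssl)) {
                print loc, (v == "" ? "(outside any VirtualHost)" : v)
                bad = 1
            }
        }
        END { exit bad }
    ' "$1" "$1"
}

# Constructed sample: the https-only layout of the post, trimmed to the essentials
sample_https_only() {
    cat <<'EOF'
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName mccune.ece.cmu.edu
    DocumentRoot /var/www/
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName mccune.ece.cmu.edu
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/host.cert
    SSLCertificateKeyFile /etc/apache2/ssl/host.key
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
        AuthzSVNAccessFile /var/lib/svn/access
    </Location>
</VirtualHost>
EOF
}

# Constructed sample: someone also mounted /svn in the port-80 site
sample_leaky() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName mccune.ece.cmu.edu
    DocumentRoot /var/www/
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
    </Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
    </Location>
</VirtualHost>
EOF
}

# Demo on the two constructed samples
tmp=$(mktemp -d)
sample_https_only > "$tmp/https-only.conf"
sample_leaky > "$tmp/leaky.conf"
for f in https-only leaky; do
    if svn_locations_without_ssl "$tmp/$f.conf"; then
        echo "$f.conf: every DAV svn location is SSL-only"
    else
        echo "$f.conf: the locations listed above are reachable over plain http"
    fi
done
rm -rf "$tmp"
```

On a real system point it at the concatenation of the enabled site files; a reported "/svn *:80" means the "only https://" goal has quietly been lost, most often because a later edit copied the Subversion block into the default site.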

Life is not always so simple, and I received the following error when trying to do an SVN checkout using https://:


jmmccune@mccune(/tmp)% svn checkout https://mccune.ece.cmu.edu/svn/REPOS
Authentication realm: Subversion
Password for 'jmmccune':
svn: PROPFIND request failed on '/svn/REPOS'
svn: PROPFIND of '/svn/REPOS': 500 Internal Server Error (https://mccune.ece.cmu.edu)

A look in /var/log/apache2/error.log showed me the following:


[Fri Jan 20 15:24:01 2006] [error] [client 127.0.0.1] (20014)Error string not specified yet: Berkeley DB error for filesystem /var/lib/svn/REPOS/db while opening environment:\nDB_VERSION_MISMATCH: Database environment version mismatch
[Fri Jan 20 15:24:01 2006] [error] [client 127.0.0.1] Could not fetch resource information. [500, #0]
[Fri Jan 20 15:24:01 2006] [error] [client 127.0.0.1] Could not open the requested SVN filesystem [500, #160029]
[Fri Jan 20 15:24:01 2006] [error] [client 127.0.0.1] Could not open the requested SVN filesystem [500, #160029]

There was some kind of version mismatch, for which Google didn't really offer any helpful solutions. I ended up doing an `aptitude update; aptitude upgrade` on my Debian system, which I'd been meaning to do anyway. After that the error persisted, but I blew away the repository and created a new one, and I had no further problems. I realize this is an undesirable solution if the repository is already up and running, but I did all this config on a non-critical machine first to see how it might impact a critical machine.

In hindsight the log line is specific: DB_VERSION_MISMATCH means the Berkeley DB environment files under REPOS/db were created by a different libdb version than the one mod_dav_svn is now linked against. `svnadmin recover` on the repository rebuilds that environment without touching the history, and is the thing to try before deleting anything; creating repositories as FSFS instead of Berkeley DB (`svnadmin create --fs-type fsfs`, the default since Subversion 1.2) sidesteps the problem entirely.
