SVN and WebSVN over SSL with self-signed certificates
The quest for today’s holy grail is to set up a Subversion repository that can be accessed through Apache with DAV and SSL, and to set up WebSVN, both using self-signed certificates. These steps apply to Fedora 7 (F7) and should probably also work for CentOS and RHEL.
Assumptions:
a) public svn repos are available through https://FQDN/svn
Don’t use anything other than the Fully Qualified Domain Name (FQDN) or this setup will not work.
b) The location on disk of the public svn repos can basically be anything. I took /var/www/svnrepos. Make sure the directory you choose exists.
$ sudo mkdir -p /var/www/svnrepos
1) Install prerequisite packages
If you want to be able to use Apache with SVN then you need to install mod_dav_svn:
$ sudo yum install mod_dav_svn
2) Create the self-signed SSL certificates
Generate your own Certificate Authority (CA).
$ cd
$ openssl genrsa -des3 -out ca.key 1024
Here is what the output should look like:
[patrick@test ~]$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
With this next command, when asked for the “Common Name” (CN), use something like “FQDN CA”. Whatever you put here, do *not* use this same CN for the server certificate that you are going to create below.
$ openssl req -new -x509 -days 365 -key ca.key \
-out ca.crt
Here is what the output should look like:
[patrick@test ~]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme CA
Organizational Unit Name (eg, section) []:Acme CA Security
Common Name (eg, your name or your server's hostname) []:Acme CA
Email Address []:root@example.org
Generate a server key and a certificate signing request (CSR). This step creates the server key and a request (the .csr file) to have it signed by the CA that you just created.
Create the server key:
$ openssl genrsa -des3 -out server.key 4096
Here is what the output should look like:
[patrick@test ~]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................++
....................................................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Next create the Certificate Signing Request. For the CN do not use the same value as you used for the CA. Instead use, for example, the FQDN of your webserver. Leave the challenge password and optional company name empty (just press enter).
$ openssl req -new -key server.key -out server.csr
Here is what the output should look like:
[patrick@test ~]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme Server Corp.
Organizational Unit Name (eg, section) []:Acme Server Certificates
Common Name (eg, your name or your server's hostname) []:www.example.org
Email Address []:root@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier.
$ openssl x509 -req -days 365 -in server.csr \
-CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Here is what the output should look like:
[patrick@test ~]$ openssl x509 -req -days 365 -in server.csr \
> -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=NL/L=The Hague/O=Acme Server Corp./OU=Acme Server Certificates/CN=www.example.org/emailAddress=root@example.org
Getting CA Private Key
Enter pass phrase for ca.key:
Make a server.key that does not cause Apache to prompt for the pass phrase at startup. Because this copy of the key is no longer encrypted, guard its permissions VERY carefully (it should be readable by root only)!
$ openssl rsa -in server.key -out server.key.insecure
$ mv server.key server.key.secure
$ mv server.key.insecure server.key
If you want to have a look at what is in all the resulting files, use these commands:
$ openssl rsa -noout -text -in server.key
$ openssl req -noout -text -in server.csr
$ openssl rsa -noout -text -in ca.key
$ openssl x509 -noout -text -in ca.crt
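As an added example (not part of the original post), here is the CA and server certificate chain of step 2 built non-interactively with -subj so that it can be checked in a script: the server certificate must verify against ca.crt, the CA and server CNs must differ, and the unencrypted server.key must not be readable by group or others. The subjects, the 2048-bit key size and the absence of key pass phrases are constructed for this example; openssl and a POSIX shell with mktemp are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: builds the CA -> server chain of
# step 2 non-interactively (constructed subjects, no key pass phrases) and
# checks it. Assumes openssl and a POSIX shell with mktemp.
set -eu

# make_chain DIR CA_CN SERVER_CN: create ca.crt and a server.crt signed by it.
# Refuses (return 1, nothing written) when both CNs are equal, the mistake the
# post warns against.
make_chain() {
    dir=$1; ca_cn=$2; server_cn=$3
    [ "$ca_cn" != "$server_cn" ] || return 1
    mkdir -p "$dir"
    (
        umask 077   # every file created here is readable by its owner only
        openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
        openssl req -new -x509 -batch -days 365 -key "$dir/ca.key" \
            -subj "/C=NL/O=Acme CA/CN=$ca_cn" -out "$dir/ca.crt"
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        openssl req -new -batch -key "$dir/server.key" \
            -subj "/C=NL/O=Acme Server Corp./CN=$server_cn" -out "$dir/server.csr"
        openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/server.crt" 2>/dev/null
    )
}

# check_chain DIR: print OK and return 0 only when server.crt verifies against
# ca.crt and the (unencrypted) server.key is unreadable by group and others.
check_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # ls -l starts with e.g. -rw-------; characters 5-10 are the group/other bits
    [ "$(ls -l "$dir/server.key" | cut -c5-10)" = "------" ] || return 1
    echo OK
}

# Stand-alone demonstration in a scratch directory.
work=$(mktemp -d)
make_chain "$work" "Acme CA" "www.example.org"
check_chain "$work"          # prints OK
rm -rf "$work"
```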
3) Copy the certificates where Apache can find them
$ sudo mkdir /etc/httpd/ssl
$ sudo cp server.key /etc/httpd/ssl/
$ sudo cp server.crt /etc/httpd/ssl/
$ sudo cp ca.crt /etc/httpd/ssl/
4) Change the default certificates in ssl.conf
Change the SSLCertificateFile, SSLCertificateKeyFile and the SSLCACertificateFile as follows:
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
5) Create and edit /etc/subversion/servers
Add the following lines to /etc/subversion/servers. Note that the section holding the global options is called [global], and the group you define under [groups] gets its own section with the same name:
[global]
ssl-trust-default-ca = true
[groups]
some_name = FQDN
[some_name]
ssl-authority-files = /etc/httpd/ssl/ca.crt
6) Add the CA certificate to the ca-bundle.crt file
$ cd
$ echo '' > ca.tmp
$ openssl x509 -noout -text -in ca.crt >> ca.tmp
$ cat ca.crt >> ca.tmp
$ echo '' >> ca.tmp
$ sudo cp /etc/pki/tls/certs/ca-bundle.crt \
/etc/pki/tls/certs/ca-bundle.crt.org
$ sudo cat ca.tmp >> /etc/pki/tls/certs/ca-bundle.crt
7) Edit /etc/httpd/httpd.conf
Here I use a NameVirtualHost setup. If you need a different setup please check the Apache documentation. Put the following lines in /etc/httpd/httpd.conf. Make sure that the FQDN you use for ServerName is the same as the CN you used when you created the self-signed server certificate!
Replace FQDN with the name of your webserver.
Replace 10.1.2.3 with the IP address of your webserver.
ServerName FQDN
NameVirtualHost 10.1.2.3:80
NameVirtualHost 10.1.2.3:443
<VirtualHost 10.1.2.3:80>
ServerAdmin you@FQDN
DocumentRoot /var/www/html
DirectoryIndex index.php index.html index.htm index.shtml
ServerName FQDN
ErrorLog logs/error_log
CustomLog logs/access_log combined
ServerSignature email
LogLevel warn
HostNameLookups off
</VirtualHost>
<VirtualHost 10.1.2.3:443>
ServerAdmin you@FQDN
ServerName FQDN
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLOptions
</VirtualHost>
SVNAutoVersioning On
<Location /svn>
DAV svn
SVNPath /var/www/svnrepos
SVNListParentPath on
SSLRequireSSL
# allow read access to the repos but authenticate a user
# if they want to write etc.
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /var/www/svnrepos/svnuserpass
# For other operations require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
If you want to force a redirect to https when the websvn page is browsed through http, then also add the following lines:
<Location /websvn>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</Location>
8) Create the password file for users that need write access to the repos
$ sudo htpasswd -c /var/www/svnrepos/svnuserpass \
some_user
9) Restart Apache
$ sudo /sbin/service httpd restart
Check /var/log/httpd/error_log for any errors!
10) Create the svn repo structure
$ sudo svnadmin create /var/www/svnrepos/
11) Create svnusers group and add user apache to it
In order to give the apache user access to the svn repo we need to create the svnusers group (or whatever you want to call it) and add the apache user to this group.
$ sudo groupadd svnusers
$ sudo usermod -G svnusers -a apache
12) Change the group of the svn repo
$ sudo chgrp -R svnusers /var/www/svnrepos/
13) Give write access to the svnusers group
$ sudo chmod -R g+w /var/www/svnrepos/
14) Prepare to import some data into the svn repo
I will be using my setup with Asterisk, so I set up my svn repo with:
$ mkdir ~/svn_temp
$ cd ~/svn_temp
$ mkdir -p Asterisk12/zaptel/{trunk,branches,tags}
$ mkdir -p Asterisk14/zaptel/{trunk,branches,tags}
Import the data into the svn repo:
$ svn import ~/svn_temp/Asterisk12 \
https://FQDN/svn/Asterisk/Asterisk12 -m "Initial import"
$ svn import ~/svn_temp/Asterisk14 \
https://FQDN/svn/Asterisk/Asterisk14 -m "Initial import"
When you are done you can remove the ~/svn_temp directory:
$ rm -rf ~/svn_temp
15) Get and install the latest WebSVN
Download the latest WebSVN
Install it, for example in /var/www/html/websvn, and create the config file:
$ sudo tar -xvzf websvn-2.0.tar.gz -C /var/www/html/
$ sudo mv /var/www/html/websvn-2.0 /var/www/html/websvn
Edit /var/www/html/websvn/include/config.php:
$config->addRepository('Asterisk', 'https://FQDN/svn/Asterisk', NULL, '', '');
$config->allowDownload();
$config->setMinDownloadLevel(2);
$config->setMinDownloadLevel(3, 'Asterisk');
$config->useEnscript();
16) Test
$ svn list https://FQDN/svn/Asterisk
Point Firefox at https://FQDN/websvn or https://FQDN/svn