Getting CruiseControl.NET working with SVN over HTTPS

February 10th, 2009

This should be obvious to anybody familiar with SVN, which is maybe why there isn’t much info out there about it.  Anyway, it took me way too long to get working, so here are the details for the next time I have to do this…

The Scenario: We’re using VisualSVN to host some repositories over HTTPS with a self-signed certificate.  There’s another server (let’s call it “failboat”) running CruiseControl.NET, and I want that server to grab the latest goods out of svn and do building-things on it.

The ccnet configuration is straightforward:

[image: ccnet configuration]

The problem: the certificate is a fake (self-signed), and CCNet is going to run svn in non-interactive mode, so the untrusted certificate is automatically rejected. If you check the ccnet log, you’ll see:

“Server certificate verification failed: issuer is not trusted”

So we need a way to tell the svn client that this certificate is OK.   On the CCNet server, in a directory something like “C:\Documents and Settings\All Users\Application Data” (YMMV), create a directory called “Subversion”.  And in that directory create a text file called “servers” (I’m not sure, but I’m guessing case sensitivity is important here).

Next, you need to copy only the public part of the certificate from your VisualSVN server over to your CCNet server.  VERY IMPORTANT: on the server, the certificate file contains both the public and private parts of the key.  If someone evil gets the private part of the key, “bad things” can happen.

The certificate is in your VisualSVN server’s “VisualSVN\Conf” directory, named “server.pem”.   Make a local copy of this file, and then edit that local copy in your favorite line-ending-sensitive editor, like gVim or Notepad++ (NOT notepad!).  Remove all the stuff from “-----BEGIN RSA PRIVATE KEY-----” through the end of the key.

Now that you have a certificate-only file, copy this file over to your ccnet server and put it in the Subversion directory.  The “servers” entry below expects it to be named “cert.pem”.

Finally, add this text to your “servers” file (note that the ssl-authority-files setting should be on a single line with no line breaks, in case the style messes this up):

[global]
ssl-authority-files = C:\Documents and Settings\All Users\Application Data\Subversion\cert.pem

Now the local SVN client will validate against the local certificate and unattended mode will work.
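
The manual edit described above (keep the certificate, drop everything from the private key marker on) can also be scripted, so the key is never copied off the VisualSVN server by accident. This is an added example, not part of the original post; the function name and the sample PEM text are constructed for illustration.

```python
import re
import sys

# One PEM block of any type, e.g. CERTIFICATE or RSA PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")

# Constructed sample: placeholder base64 bodies, not a real certificate or key.
SAMPLE_SERVER_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)

def extract_certificates(pem_text):
    """Return only the CERTIFICATE blocks of a combined PEM file."""
    certs = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.groups()
        if label != "CERTIFICATE":
            continue  # drop RSA PRIVATE KEY and any other non-certificate block
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Fail closed: a certificate body must be base64 only, so a key block
        # nested inside a malformed certificate block is rejected, not copied.
        if not lines or not all(BASE64_LINE.fullmatch(ln) for ln in lines):
            raise ValueError("unexpected content inside CERTIFICATE block")
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "\n".join(certs) + "\n"

if __name__ == "__main__":
    # With two arguments (input PEM, output PEM) write the certificate-only
    # file; with none, run on the constructed sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as src:
            public_only = extract_certificates(src.read())
        with open(sys.argv[2], "w", newline="\n") as dst:
            dst.write(public_only)
    else:
        print(extract_certificates(SAMPLE_SERVER_PEM), end="")
```

The output file is only written after extraction succeeds, so a malformed input leaves nothing behind on the CCNet side.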

Tony Rasa

  • http://www.viewtier.com Slava Imeshev

    There is a simpler way – check this Parabuild FAQ

  • http://elegantcode.com Tony Rasa

    Nice! That automates the process that I had to do by hand. Note that you’d have to change the user that the ccnet service runs under to something you could log in as, and in our case that wasn’t an option – but if you can do that, you can save some work.

  • http://blog.threenine.co.uk Gary Woodfine

    Hi,
    I wrote a little C# app that automates that little task too, to accept the ssl cert in LSA. Thought you might be interested in it for the next time you have to do this. Just been surfing the web for any more info so I can enhance the application
    Regards,
    Gary

  • http://elegantcode.com Tony Rasa

    @Gary sounds good – feel free to post a link if you want :) I’m sure that would be more useful than trying to do this all by hand (and hoping you don’t screw something up)

  • http://blog.threenine.co.uk Gary Woodfine