Friday, June 06, 2008

SSL Certificate Renewal for Project Hosting on Google Code



If you have open source projects hosted on Google Code, you may have noticed that the SSL certificate changed for the googlecode.com domain. (The old certificate expired, and a new one was generated.) In particular, your Subversion client may have yelled about the certificate not being recognized:
Error validating server certificate for
'https://projectname.googlecode.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: googlecode.com
- Valid: from Wed, 28 May 2008 16:48:13 GMT until Mon, 21 Jun 2010 14:09:43 GMT
- Issuer: Certification Services Division, Thawte Consulting cc, Cape
Town, Western Cape, ZA
- Fingerprint: b1:3a:d5:38:56:27:52:9f:ba:6c:70:1e:a9:ab:4a:1a:8b:da:ff:ec
(R)eject, accept (t)emporarily or accept (p)ermanently?
Just like a web browser, your Subversion client needs to know whether or not you trust particular SSL certificates coming from servers. You can verify the certificate using the fingerprint above, or you can choose to permanently accept the certificate, whichever makes you feel most comfortable. To permanently accept the certificate, you can simply choose the (p)ermanent option, and Subversion will trust it forever.

Thawte is a large certifying authority, and it's very likely that the OpenSSL libraries on your computer automatically trust any certificate signed by Thawte. However, if you want your Subversion client to inherit that same level of automatic trust, you'll need to set an option in your ~/.subversion/servers file:
[global]
ssl-trust-default-ca = true
If you set this option, then your client will never bug you again about any certificate signed by the "big" authorities.

Happy hacking!

2 comments:

  1. On OSX, the [global] ssl-trust-default-ca = true option has no effect, because the openssl installation has no default trusted root certs; they're all stashed away in the Keychain app. The expedient thing to do is simply to check the fingerprint and accept the cert.

    ReplyDelete
  2. I from experience have always just bought a new SSL certificate as opposed to renewing them, as this seems to bring about less conflicts (and a more familiar process to me). I've installed my latest new SSL certs from SSL247.com, although this is an interesting bit of code for Subversion.

    ReplyDelete