March 09, 2006

Subversion error - certificate verification failed - with CruiseControl.NET

A few weeks ago I went through the exercise of downloading and setting up cruise control on my dev machine along with NAnt and some other tools (more on this later).  The night before last I spent about 3-4 hours optimizing my build scripts to make them more portable and fine tuned a few things.  Yesterday I began applying everything that I learned to a fresh install of Windows Server 2003 on our new (used previously as some sort of Linux dev box - nobody knows anything about it, it just was there one day) build machine. 

I ran into a couple of issues but the most perplexing was one that I struggled with for several hours last night and a couple of hours this morning.  It was a problem with doing a subversion update in my Cruise Control .NET script and the error message looked something like:
PROPFIND request failed on '/Projectname'
svn: PROPFIND of '/Projectname': Server certificate verification failed: issuer is not trusted

I looked up the error via Google and found several good solutions, but none of them worked for me - my CC.NET script kept throwing the same error no matter what I did.  I went to the svn site in a browser and accepted the certificate, I accessed the repository via svn command line and permanently accepted the certificate, I deleted the repository and created a new checkout with TortoiseSVN (which didn't even ask me to accept the certificate since I had done so before) and many, many more.  By all clues it looked like it should have been working fine.  If I ran the same command line statements manually that CC.NET was running then it worked well - no error - no issue.  But it just wouldn't work when the CC.NET windows service ran the script.

I took a break and thought about it for a minute - everything worked fine for me - I was logged in as "dhounshell".  However the CruiseControl.NET service was running under the local service account. That must be it - "dhounshell" had accepted those certificates as valid, but the account running the CC.NET server had not.   I changed the service to run under my account and everything worked fine and I got a successful build! Actually I didn't get a successful build just yet - fixing this error let me get further into the process, which eventually threw another error.  Fixing that one let me get further into the process, which then threw another error. Rinse and repeat.  Eventually I did get a successful build on the new build server, though.  And all is well with the world.
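Why switching accounts mattered: svn keeps permanently accepted certificates in a per-user cache (the auth/svn.ssl.server directory of that account's Subversion configuration area), so an acceptance made as one account does not exist for another. The following is an added example, not code from the original post; it parses that cache format and lists which verification failures each profile has overridden. The profile directories, realm and cache entry are constructed sample data.

```python
import os, tempfile

# Bits svn records in "failures" when a certificate is accepted permanently.
FAILURES = {0x1: "not yet valid", 0x2: "expired", 0x4: "hostname mismatch",
            0x8: "issuer is not trusted", 0x40000000: "other"}
# Constructed sample cache entry; the certificate body is a placeholder.
SAMPLE_ENTRY = (b"K 10\nascii_cert\nV 11\nPLACEHOLDER\n"
                b"K 8\nfailures\nV 1\n8\n"
                b"K 15\nsvn:realmstring\nV 28\nhttps://svn.example.test:443\n"
                b"END\n")

def parse_svn_hash(data: bytes) -> dict:
    """Parse svn's 'K <len> / key / V <len> / value ... END' serialization."""
    out, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)        # ValueError if the file is cut short
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError("malformed header at offset %d" % pos)
        start, size = eol + 1, int(header[1])
        item = data[start:start + size]
        if len(item) != size or data[start + size:start + size + 1] != b"\n":
            raise ValueError("truncated item at offset %d" % pos)
        pos = start + size + 1
        return item
    while not data.startswith(b"END", pos):
        key = read_item(b"K").decode()
        out[key] = read_item(b"V").decode()
    return out

def accepted_overrides(auth_dir: str) -> dict:
    """Map realm -> verification failures this profile accepted permanently."""
    cache, result = os.path.join(auth_dir, "svn.ssl.server"), {}
    if os.path.isdir(cache):                # a fresh service account has no cache
        for name in sorted(os.listdir(cache)):
            with open(os.path.join(cache, name), "rb") as fh:
                entry = parse_svn_hash(fh.read())
            mask = int(entry.get("failures", "0"))
            result[entry.get("svn:realmstring", name)] = [t for b, t in FAILURES.items() if mask & b]
    return result

def demo() -> dict:  # two constructed profiles: the user who accepted, and a service account
    root = tempfile.mkdtemp()
    user, svc = (os.path.join(root, n, "auth") for n in ("dhounshell", "service"))
    os.makedirs(os.path.join(user, "svn.ssl.server"))
    with open(os.path.join(user, "svn.ssl.server", "sample-entry"), "wb") as fh:
        fh.write(SAMPLE_ENTRY)
    return {"dhounshell": accepted_overrides(user), "service": accepted_overrides(svc)}
```

An empty result for the account that runs the build service, next to a populated one for the interactive user, is the situation described above.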

Comments, Trackbacks, and Pingbacks
  1.  Nathan Dutzmann says:

    Thank you!  This saved me hours of bashing my head against the wall.

  2.  Brant LeClercq says:

    It's much safer to create an account on the local machine specifically for the CruiseControl.NET Server service. Similarly, just logon with that service account and accept the cert permanently.

    I just hope this doesn't become an annual event with the renewal of ssl certs.

  3.  Sasank says:

    Thanks a loooooooooooooooooootttttttt.....

    Finally solved the problem by changing the CC.NET account.

    :-)

  4.  says:

    Nathan and Sasank, glad it helped.

    Brant, of course you are right - creating an account specifically for the CC.NET service is much safer. That is what I implemented as well and that is what I recommend, too.

  5.  Abdul says:

    Thank you so much.  I was exhausted trying all different options to fix this issue when I found your blog.  It helped and I could fix the problem on my build server.

  6.  Stewart says:

    If you make your site work in firefox i will give you a better solution.

  7.  Tom says:

    Also, I found that you need to run an SVN command from the command line to manually accept the certificate.  Open a command prompt in the root level and execute a "svn up"...it will ask you to accept the cert.

  8.  Ben says:

    Hello, thanks for the article, it was a great starting point.

    However, I don't have the option of creating a local user account, as I'm not allowed to do that on the server it is residing on.

    I found that creating a simple Windows service using .NET with the following code was able to let me accept the certificate permanently as the Local System account, so I could then run the CC.NET service, with this account, with the certificate accepted:

    1. Create a .NET *CONSOLE* application as follows, replace obvious bits where appropriate:

    Imports System.Diagnostics

    Module AcceptSvnCertificate

        Sub Main()
            ' Describe the svn.exe invocation; all three streams are redirected
            ' so that this program can answer the certificate prompt itself.
            Dim p2 As New ProcessStartInfo
            p2.WorkingDirectory = "c:\"
            p2.FileName = "E:\Subversion\bin\svn.exe"
            p2.Arguments = "log servername/.../repo --username bob --password pass1"
            p2.CreateNoWindow = True
            p2.UseShellExecute = False
            p2.RedirectStandardInput = True
            p2.RedirectStandardOutput = True
            p2.RedirectStandardError = True

            Dim p2run As New Process
            p2run.StartInfo = p2
            p2run.Start()

            ' Mimic a wait whilst we wait for the certificate accept prompt:
            System.Threading.Thread.Sleep(5000)

            ' Imitating pressing 'p' then enter:
            p2run.StandardInput.AutoFlush = True
            p2run.StandardInput.WriteLine("p")
            p2run.StandardInput.Flush()

            ' Catch the output/errors in case this doesn't work for you - send yourself an email with these strings in them for debugging
            Dim output As String = p2run.StandardOutput.ReadToEnd()
            Dim errors As String = p2run.StandardError.ReadToEnd()

            p2run.WaitForExit()
            p2 = Nothing
        End Sub

    End Module

    2. Compile this so that you get a .EXE that you can run.

    3. To run this as the local system account, create a service which executes this application. Services by default run as LSA. Enter the following commands:

    C:\temp>sc create testsvc binpath= "c:\temp\AcceptSvnCertificate.exe" type= own type= interact
    [SC] CreateService SUCCESS

    C:\temp>sc start testsvc
    [SC] StartService FAILED 1053:
    The service did not respond to the start or control request in a timely fashion.

    (Note- this message is NORMAL- the code in your application WILL run!!)

    C:\temp>sc delete testsvc
    [SC] DeleteService SUCCESS

    Now, your local system account has accepted the certificate, so you can use the CruiseControl.net service as normal, running under local system account.

    Bonzer!

    Thanks to this article as a starting point, and many hours of Google searching to arrive at me writing this code to solve my problem. I hope my 3 or 4 days effort helps someone else!

    Happy coding,

  9. Wow, thanks Ben!

  10. Thanks Dan for providing a pointer to the solution, but more thanks to Ben for providing the solution. Tried your suggestion and it worked a charm.

    Keep up the good work!

  11.  Matt Roberts says:

    Awesome - you saved my day :)

  12.  Miral Popat says:

    thanks, it worked perfectly

    I created a new local user ccnet and logged in with that user and accepted the certificate

  13.  tiax says:

    wow ben you really saved my night! after failing for long long hours i finally fixed it thanks to your code, at 5am :)

  14.  Vitaly says:

    Dan Hounshell, thank you very much!

    You saved my time!


 

Trackbacks and Pingbacks


  1. Pingback from  Randquist Rants  » Blog Archive   » svn, commit hooks, and windows server 2003

  2. Pingback from  CruiseControl / SVNBootstrapper: Server certificate verification failed: issuer not trusted « BibaBlog
