all posts

Subversion error - certificate verification failed - with CruiseControl.NET

Published to Blog on 9 Mar 2006
A few weeks ago I went through the exercise of downloading and setting up cruise control on my dev machine along with NAnt and some other tools (more on this later).  The night before last I spent about 3-4 hours optimizing by build scripts to make them more portable and fine tuned a few things.  Yesterday I began applying everything that I learned to a fresh install of Window Server 2003 on our new (used previously as some sort of linux dev box - nobody knows anything about it, it just was there one day) build machine. 

I ran into a couple of issues but the most perplexing was one that I struggled with for several hours last night and a couple of hours this morning.  It was a problem with doing a subversion update in my Cruise Control .NET script and the error message looked something like:
PROPFIND request failed on '/Projectname'
svn: PROPFIND of '/Projectname': Server certificate verification > failed: issuer is not trusted

I looked up the error via Google and found several good solutions, but none of them that worked for me - my CC.NET script kept throwing the same error no matter what I did.  I went to the svn site in a browswer and accepted the certificate, I accessed the repository via svn command line and permanently accepted the certificate, I deleted the repository and created a new checkout with TortoiseSVN (which didn't even ask me to accept the certificate since I had done so before) and many, many more.  By all clues it looked like it should have been working fine.  If I ran the same command line statements manually that CC.NET was running then it worked well - no error - no issue.  But it just wouldn't work when the CC.NET windows service ran the script.

I took a break and thought about it for a minute - everything worked fine for me - I was logged in as "dhounshell".  However the CruiseControl.NET service was running under the local service account. That must be it - "dhounshell" had accepted those certificates as valid, but the account running the CC.NET server had not.   I changed the service to run under my account and everything worked fine and I got a successful build ! Actually I didn't get a successful build just yet - fixing this error let me get further into the process, which eventually threw another error.  Fixing that one let me get further into the process, which then threw another error. Rinse and repeat.  Eventually I did get a succesful build on the new build server, though.  And all is well with the world.

Dan Hounshell
Web geek, nerd, amateur maker. Likes: apis, node, mobile, motorcycles, watches, food, Nashville, Savannah, Cincinnati and family. Dislikes: mean people
Dan Hounshell on Twitter


  • On 17 Oct 2006 Nathan Dutzmann said:

    Thank you!  This saved me hours of bashing my head against the wall.

  • On 27 Nov 2006 Brant LeClercq said:

    It's much safer to create an account on the local machine specifically for the CruiseControl.NET Server service. Similarly, just logon with that service account and accept the cert permanently.

    I just hope this doesn't become an annual event with the renewal of ssl certs.

  • On 28 Dec 2006 Sasank said:

    Thanks a loooooooooooooooooootttttttt.....

    Finally solved the problem by changing the CC.NET account.

    :-)

  • On 29 Dec 2006 Anonymous said:

    Nathan and Sasank, glad it helped.

    Brant, of course you are right - creating an account specifically for the CC.NET service is much safer. That is what I implemented as well and that is what I recommend, too.

  • On 23 Mar 2008 Abdul said:

    Thank you so much.  I was exhausted trying all different options to fix this issue when I found your blog.  It helped and i could fix the problem on my build server.

  • On 26 Mar 2008 Stewart said:

    If you make your site work in firefox i will give you a better solution.

  • On 30 Jul 2008 Tom said:

    Also, I found that you need to run an SVN command from the command line to manually accept the certificate.  Open a command prompt in the root level and execute a "svn up"...it will ask you to accept the cert.

  • On 8 Oct 2008 Ben said:

    Hello, thanks for the article, it was a great starting point.

    However, I don't have the option of creating a local user account, as I'm not allowed to do that on the server it is residing on.

    I found that creating a simple Windows service using .NET with the following code was able to let me accept the certificate permanantly as the Local System account, so I could then run the CC.NET service, with this account, with the certificate accepted:

    1. Create a .NET *CONSOLE* application as follows, replace obvious bits where appropriate:

    Sub Main()

           Dim p2 As New ProcessStartInfo

           p2.WorkingDirectory = "c:\"

           p2.FileName = "E:\Subversion\bin\svn.exe"

           p2.Arguments = String.Format("log servername/.../repo --username bob --password pass1")

           p2.CreateNoWindow = True

           p2.UseShellExecute = False

           p2.RedirectStandardInput = True

           p2.RedirectStandardOutput = True

           p2.RedirectStandardError = True

           Dim p2run As New Process

           p2run.StartInfo = p2

           p2run.Start()

           ' Mimic a wait whilst we wait for the certificate accept prompt:

           System.Threading.Thread.Sleep(5000)

           ' Imitating pressing 'p' then enter:

           p2run.StandardInput.AutoFlush = True

           p2run.StandardInput.WriteLine("p")

           p2run.StandardInput.Flush()

           ' Catch the output/errors in case this doesnt work for you - send yourself an email with these strings in them for debugging

           Dim output As String = p2run.StandardOutput.ReadToEnd()

           Dim errors As String = p2run.StandardError.ReadToEnd()

           p2run.WaitForExit()

           p2 = Nothing

       End Sub

    2. Compile this so that you get a .EXE that you can run.

    3. To run this as the local system account, create a service which executes this application. Services by default run as LSA. Enter the following commands:

    C:\temp>sc create testsvc binpath= "c:\temp\AcceptSvnCertificate.exe" type= own

    type= interact

    [SC] CreateService SUCCESS

    C:\temp>sc start testsvc

    [SC] StartService FAILED 1053:

    The service did not respond to the start or control request in a timely fashion.

    (Note- this message is NORMAL- the code in your application WILL run!!)

    C:\temp>sc delete testsvc

    [SC] DeleteService SUCCESS

    Now, your local system account has accepted the certificate, so you can use the CruiseControl.net service as normal, running under local system account.

    Bonzer!

    Thanks to this article as a starting point, and many hours of Google searching to arrive at me writing this code to solve my problem. I hope my 3 or 4 days effort helps someone else!

    Happy coding,

  • On 2 Nov 2008 Randquist Rants » Blog Archive » svn, commit hooks, and windows server 2003 said:

    Pingback from  Randquist Rants  » Blog Archive   » svn, commit hooks, and windows server 2003

  • On 4 Nov 2008 Dan Hounshell said:

    Wow, thanks Ben!

  • On 10 Jan 2009 Gary Woodfine said:

    Thanks Dan for providing a pointer to the solution, but more thanks to Ben for providing the solution. Tried your suggestion and it worked a charm.

    Keep up the good work1

  • On 3 Mar 2009 Matt Roberts said:

    Awesome - you saved my day :)

  • On 18 Mar 2009 Miral Popat said:

    thanks, it worked perfectly

    I created a new local user ccnet and logged in with that user and accepted the certificate

  • On 5 May 2009 tiax said:

    wow ben you really saved my night! after failing for long long hours i finally fixed it thanks to your code , at 5am :)

  • On 12 Sep 2009 Vitaly said:

    Dan Hounshell, thank you very much!

    You saved my time!

  • On 28 Sep 2009 CruiseControl / SVNBootstrapper: Server certificate verification failed: issuer not trusted « BibaBlog said:

    Pingback from  CruiseControl / SVNBootstrapper: Server certificate verification failed: issuer not trusted « BibaBlog