Using a self-signed certificate to connect to a VCS server

Overview

This article describes how to make Upsource connect to a VCS server using a self-signed certificate.


Symptoms

When testing the connection to the repository you might get the following error:

List remote refs failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

or

svn: E200015: Server SSL certificate for `https://my-svn-server:443` rejected

Most likely you are using a self-signed certificate that is not trusted by the Java virtual machine Upsource is running on.


Solution

You will need to import your custom certificate into the trust store of the JVM that runs Upsource.

To import the certificate you exported from your VCS server into the JVM trust store, run the following command:

keytool -import -alias my-vcs-server-host -keystore <Upsource_dir>internal/java/linux-x64/jre/lib/security/cacerts -file path-to-certificate-file

where my-vcs-server-host is an alias for the certificate entry (the host name of your VCS server as specified in the certificate) and <Upsource_dir>internal/java/linux-x64/jre/lib/security/cacerts is the path to the cacerts file inside the Upsource distribution. On Windows it can be found at <Upsource_dir>internal/java/windows-amd64/jre/lib/security/cacerts. If you are running Upsource with your own JVM rather than the bundled one, adjust the path accordingly.

Note: the default keystore password of the bundled JVM is changeit.

Under Windows it is also possible to install the certificate using a GUI program:

  1. Download and install Portecle on the server running Upsource. Portecle is a user-friendly GUI application for managing certificates.
  2. Select Examine SSL/TLS Connection under the Examine menu.
  3. Enter the SSL Host and Port of your VCS server.
  4. In the newly opened window, click on PEM encoding and save the .pem file.
  5. On the main screen, click the Open an existing keystore from disk icon and select the cacerts file.
  6. Click the Import a trusted certificate into the loaded keystore icon, select the .pem file that you obtained in step 4, and save the keystore back to cacerts.

After that, restart the Upsource server and check whether it can connect to the repository.
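Before restarting Upsource it is worth confirming that the import actually took effect. The following Java program is an added example, not part of the JetBrains article: it loads a cacerts file and a PEM certificate (or chain) exported from the VCS server and runs the same PKIX trust check that produced the SSLHandshakeException above. The class name TrustCheck and its command-line arguments are my own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck (hypothetical helper): reports whether a cacerts trust store would
 * accept a server certificate, using the same PKIX trust manager JSSE uses for TLS.
 * Usage: java TrustCheck <path-to-cacerts> <keystore-password> <server-cert.pem>
 * Exit code 0 = trusted, 1 = not trusted (the failure Upsource reports), 2 = usage error.
 */
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustCheck <cacerts> <storepass> <server-cert.pem>");
            System.exit(2);
        }
        // Load the trust store the way the JVM does; the bundled JRE's password is "changeit".
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        // The PEM file may contain just the leaf certificate or the whole chain.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        // Print subject and issuer of each cert so a missing intermediate or root is easy to spot.
        for (X509Certificate cert : chain) {
            System.out.println("subject: " + cert.getSubjectX500Principal()
                    + "\n  issuer: " + cert.getIssuerX500Principal());
        }
        // "PKIX" is the path-building algorithm named in the SSLHandshakeException.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA"); // path validation only, no hostname check
            System.out.println("TRUSTED by " + args[0]);
        } catch (CertificateException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the bundled JRE's java binary and its cacerts path so the result reflects the JVM Upsource actually uses; a NOT TRUSTED result whose issuer is an intermediate CA means that intermediate (or its root) still needs to be imported.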

For more information please refer to the following Oracle article about self-signed certificates.

7 comments

Didn't help in my case. I am using a certificate issued by my local CA (Win domain CA), and both (domain-root.crt and domain-intermediate.crt) are already imported into the "system-wide CA keystore" (.../jre/lib/security/cacerts). And the import is successful - other Java apps (JIRA, FishEye, SonarQube) are working like a charm. But connecting Upsource to Bitbucket server (which is using the cert) is mission impossible.

It is important to say that FishEye, Bitbucket and Upsource are using the same JRE. The other two are validating SSL without problem, but Upsource fails. I know for sure that SSL validation is successfully performed by the other two because without the root and intermediate cert in the system-wide store they are unable to communicate with one another.

Well, the question is why the same cert is OK for some apps, but not for others. Maybe Upsource enforces stricter rules? For example, these days trusting the root CA is not enough for Google Chrome - although the cert's chain is trusted, it will annoyingly red-cross-over-warn that the cert is not OK, with the explanation "The server did not supply any Certificate Transparency information." Is it possible that Upsource does such insane certificate checks?

Thanks!

(Btw: as with all other JetBrains products - Upsource is great! Congrats!)


Btw. Temporary resolved with SSH key.


Where does Upsource keep its trust store? What is its default password? How do we actually run this command without knowing this info?


If someone had problems with the command in linux, try this:

https://upsource-support.jetbrains.com/hc/en-us/requests/755184?page=1

It worked for me :)


Unfortunately, it did not work for me.

I did as described, and while trying to "test connection" another error occurred:

Test VCS connection failed.
List remote refs failed: org.eclipse.jgit.errors.PackProtocolException: invalid advertisement of <!DOCTYPE html>

I downloaded the certificate as X.509 64.

Any idea?

Edited by Gustavo Wagner

Works for me as written. Using Windows.

Thanks!


Worked for me using keytool on Windows Server 2016 with Upsource 2017.1 connecting to subversion. My certificate wasn't self-signed but still needed to be imported into the Upsource JVM.
