SSL Certificate Renewal for Project Hosting on Google Code

By Ben Collins-Sussman, Open Source Team

If you have open source projects hosted on Google Code, you may have noticed that the SSL certificate changed for the googlecode.com domain. (The old certificate expired, and a new one was generated.) In particular, your Subversion client may have yelled about the certificate not being recognized:

Error validating server certificate for
'https://projectname.googlecode.com:443':
- The certificate is not issued by a trusted authority. Use the
 fingerprint to validate the certificate manually!
Certificate information:
- Hostname: googlecode.com
- Valid: from Wed, 28 May 2008 16:48:13 GMT until Mon, 21 Jun 2010 14:09:43 GMT
- Issuer: Certification Services Division, Thawte Consulting cc, Cape
Town, Western Cape, ZA
- Fingerprint: b1:3a:d5:38:56:27:52:9f:ba:6c:70:1e:a9:ab:4a:1a:8b:da:ff:ec
(R)eject, accept (t)emporarily or accept (p)ermanently?

Just like a web browser, your Subversion client needs to know whether or not you trust particular SSL certificates coming from servers. You can verify the certificate using the fingerprint above, or you can choose to permanently accept the certificate, whichever makes you feel most comfortable. To permanently accept the certificate, you can simply choose the (p)ermanent option, and Subversion will trust it forever.

Thawte is a large certifying authority, and it's very likely that the OpenSSL libraries on your computer automatically trust any certificate signed by Thawte. However, if you want your Subversion client to inherit that same level of automatic trust, you'll need to set an option in your ~/.subversion/servers file:

[global]
ssl-trust-default-ca = true

If you set this option, then your client will never bug you again about any certificate signed by the "big" authorities.

Happy hacking!