SSL Certificate Renewal for Project Hosting on Google Code
By Ben
Collins-Sussman, Open Source TeamIf you have open source
projects hosted on Google Code, you may have noticed that the SSL certificate changed for the
googlecode.com domain. (The old certificate expired, and a new one was generated.) In
particular, your
Subversion client may
have yelled about the certificate not being recognized:
Error validating server
certificate for
'https://projectname.googlecode.com:443':
- The
certificate is not issued by a trusted authority. Use the
fingerprint to validate
the certificate manually!
Certificate information:
- Hostname:
googlecode.com
- Valid: from Wed, 28 May 2008 16:48:13 GMT until Mon, 21 Jun 2010
14:09:43 GMT
- Issuer: Certification Services Division, Thawte Consulting cc,
Cape
Town, Western Cape, ZA
- Fingerprint:
b1:3a:d5:38:56:27:52:9f:ba:6c:70:1e:a9:ab:4a:1a:8b:da:ff:ec
(R)eject, accept
(t)emporarily or accept (p)ermanently?Just like a web browser, your Subversion
client needs to know whether or not you trust particular SSL certificates coming from servers.
You can verify the certificate using the fingerprint above, or you can choose to permanently
accept the certificate, whichever makes you feel most comfortable. To permanently accept the
certificate, you can simply choose the
(p)ermanent option, and Subversion
will trust it forever.
Thawte is a large certifying authority, and it's
very likely that the OpenSSL libraries on your computer automatically trust any certificate
signed by Thawte. However, if you want your Subversion client to inherit that same level of
automatic trust, you'll need to set an option in your
~/.subversion/servers file:
[global]
ssl-trust-default-ca = true
If you set this option, then your client will
never bug you again about any certificate signed by the "big" authorities.
Happy hacking!
