Saturday, August 27, 2011

How to ignore self-signed ssl certificate verification in maven svn scm


I was trying to prepare a release for a maven project with the command
mvn release:prepare but the maven scm plugin could not commit the updated pom file because the certificate is self-signed.
 
My setup is Window 7, Collabnet SVN Client 1.6.6, Maven 2.2.1 but the solution is not specific to Windows or collabnet svn client.


...
[INFO] Checking in modified POMs...
[INFO] Executing: cmd.exe /X /C "svn --non-interactive commit --file C:\Users\myname\AppData\Local\Temp\maven-scm-1429998188.commit --targets C:\Users\myname\AppData\Local\Temp\maven-scm-1933937231031554007-targets"
[INFO] Working directory: G:\Projects\my-project\
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Unable to commit files
Provider message:
The svn command failed.
Command output:
svn: Commit failed (details follow):
svn: OPTIONS of 'https://svn.mysite.com/my-project/trunk/': Server certificate verification failed: issuer is not trusted (https://svn.mysite.com)
...

...read on to see how to get around this problem...




I tried to accept the certificate permanently through the command line but it was not being saved. I tried to install the certificate in Windows 7 as a trusted cert but that was not working as well.

After looking at the maven release plugin, I finally ran into the maven subversion page which talks about a configurable option called trustServerCert . 


The Fix: Configure maven to ignore self-signed ssl certificates for svn
  1. Update your pom.xml to use maven-release-plugin 2.2 or later. I used 2.2.1 as the latest at the time of this post.

       <build>
        <plugins>
          <plugin>
            <artifactId>maven-release-plugin</artifactId>
            <version>2.2.1</version>
          </plugin>
        </plugins>
      </build>

  2. Create a file called svn-settings.xml in your user directory (e.g: C:\Users\YourUsername\.scm\svn-settings.xml) with the following content:

    <svn-settings>
      <trustServerCert>true</trustServerCert>
    </svn-settings>

 If you run the mvn release:prepare again, you will no longer get the certificate verification error. You can see in the logs that maven adds the --trust-server-cert option to the svn commit command:

[INFO] Checking in modified POMs...
[INFO] Executing: cmd.exe /X /C "svn --non-interactive --trust-server-cert commit --file C:\Users\myname\AppData\Local\Temp\maven-scm-1453525805.commit --target
s C:\Users\myname\AppData\Local\Temp\maven-scm-2257909719268507538-targets"
[INFO] Working directory: G:\Projects\my-project\
[INFO] Release preparation complete.

If you want to configure hudson/jenkins, the only change is to copy the svn-settings file under your hudson/jenkins directory (e.g. c:\hudson\.scm\svn-settings.xml)

Let me know how this works for you. Happy coding!

8 comments:

  1. Hey ran into the same issue.. it does not work for me. Tried every possible option btw, it is for the hudson user else I could have accepted it permanently by hand. let me know if you have any other ideas

    ReplyDelete
  2. I would just make sure you are using the correct version of the maven plugin: 2.2.1 or later
    Run mvn release:prepare -X to see what version of maven release plugin is used by maven. In the debug you might also be able to see the home directory maven uses.

    If you are using windows, you can try putting the .scm folder under c:\. If your hudson runs with system privileges in Windows, c:\ might be the default user directory.

    Let me know how it goes.

    ReplyDelete
  3. yes I verified and it is 2.2.1. I am using unix and I have .scm/svn-settings.xml under my hudson home directory.

    I wish I have the passwd for hudson user, not sure what else I can do now. Please let me know if there is anything else you could think of

    ReplyDelete
  4. You need to make sure that your configuration is in the right directory. Try changing the finalName of the project to ${user.home} and then run "mvn package" in hudson and look at the logs to see what directory maven uses. That's the directory where you need to put the .scm folder.


    ...
    -${user.home}-
    ...



    I would also run "mvn release:prepare -X" again from hudson and check the configuration of the maven scm plugin. See if the username argument is configured to some user other than hudson.

    You can also try to create a new profile in your project that overrides the user.home property and then enable that profile when you configure your maven job in hudson. For example, if you call the profile release-profile, you can enable it like so:
    mvn release:prepare release:perform -P release-profile

    ReplyDelete
  5. Hey Ed,

    Thanks for your suggestions.

    I fixed it now by copying .subversion/auth directory from my home directory to hudson user home directory. As I have permanently accepted the svn cert on my account, which is captured under .subversion, copying made it work.

    Vamsi

    ReplyDelete
  6. It's also worth noting that you may see this issue if you're running maven 3.0.4. I swapped over to a maven 2.2.1 installation and everything was fine.

    ReplyDelete