jbernardini
Joined: 03 Mar 2008 Posts: 5
Posted: Thu May 06, 2010 11:17 pm Post subject: SQL Source Control received an invalid HTTPS certificate
My svn server uses SSL signed by an internal CA. If you browse svn via a browser you don't get any messages. However, when I try to link a database to a repository on this svn server I receive the following:
SQL Source Control received an invalid HTTPS certificate while connecting to your source control system.
It was invalid in the following ways:
- It was not issued by someone that you trust, or it has been revoked
This could mean that a hacker is impersonating your source control system. If you were expecting this error to occur, or if your system administrator tells you that is is safe to do so, then press OK. Otherwise please press Cancel.

DavidSimner
Joined: 04 Feb 2010 Posts: 12
Posted: Fri May 07, 2010 7:01 pm
The error message from SQL Source Control means that it does not trust the SSL certificate that your Subversion server uses. Given the circumstances you describe ("signed by an internal CA") I would guess that this is because SQL Source Control doesn't know that your internal CA should be trusted.
Can I ask what web browser it works fine in?
SQL Source Control should trust all the SSL certificates that Internet Explorer trusts, so if the answer is Internet Explorer, then this is an unknown bug, and I'd very much like to work with you to understand and fix what is causing it to go wrong.
If the answer is not Internet Explorer (e.g. Firefox, Chrome, Safari, etc), then unfortunately at this time, SQL Source Control does not trust all the SSL certificates that they trust, and so I would expect the behaviour that you observed to occur. As a workaround, until we've fixed this, you can either: (1) click the OK button, or (2) configure Internet Explorer to trust your internal CA's SSL certificate.
Looking forward to hearing from you,
David

jbernardini
Joined: 03 Mar 2008 Posts: 5
Posted: Tue May 11, 2010 12:17 am
Hi David, it shows trusted in IE and Firefox. Since Firefox is excluded for now and it should be trusted, since IE trusts the site and you can validate the Certificate Path I'm very interested in working with you. I'm hesitant to click the OK button for fear of never being able to reproduce it.
Just let me know how you'd like to tackle this.

DavidSimner
Joined: 04 Feb 2010 Posts: 12
Posted: Tue May 11, 2010 6:06 pm
So the thing that would be easiest for me is if I could reproduce your problem here. Would you be able to send me a copy of all of the HTTPS certificates in the chain? This will enable me to create a very similar certificate chain here, and easily debug the issue.
The following instructions will let you save the HTTPS certificate chain from Firefox 3.6.3, but hopefully they should be fairly similar for other versions:
1. Connect to the relevant server, e.g. by putting https://server/ in the address bar, and pressing enter.
2. After the page has loaded, right-click somewhere on the page.
3. Left-click the View Page Info menu item.
4. Left-click the Security tab.
5. Left-click the View Certificate button.
6. Left-click the Details tab.
7. For each one of the certificates in the Certificate Hierarchy, left-click on it to select it, and then click the Export button; the default file name should be fine, so just click the Save button.
You should now have several files, one for each one of the certificates in the Certificate Hierarchy.
If you could email me all of the files, david.simner@red-gate.com, that would be awesome :)

jbernardini
Joined: 03 Mar 2008 Posts: 5
Posted: Tue May 11, 2010 8:22 pm
I have sent you an email with the requested items attached. Please let me know if you don't receive it.

jbernardini
Joined: 03 Mar 2008 Posts: 5
Posted: Tue May 18, 2010 10:49 pm
I resolved this issue by adjusting a file installed with SQL Source Control. I exported our CA certificate from the Certificate manager in pem format and saved it to my c drive. I then modified the file, %APPDATA%\Subversion\servers, adjusting parameter: ssl-authority-files to read: ssl-authority-files = c:\ca.pem
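The fix in the last post depends on every file named in `ssl-authority-files` existing and being PEM encoded; a binary DER export from the Windows certificate wizard fails the same way as an untrusted CA. The following check is an added example, not part of the thread or of SQL Source Control. It assumes the entries are semicolon-separated, as in Subversion's `servers` file, and the helper names, the `c:\ca.cer` and `c:\gone.pem` paths, and the stub certificate are constructed for illustration.

```python
import base64
import configparser
import re
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def count_pem_certs(data: bytes) -> int:
    """Count PEM blocks whose base64 body decodes to a DER SEQUENCE (tag 0x30)."""
    count = 0
    for body in PEM_RE.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            count += 1
    return count

def audit_servers(servers_text, read_file=lambda p: Path(p).read_bytes()):
    """Return (section, path, status) for every ssl-authority-files entry."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(servers_text)
    findings = []
    for section in cp.sections():
        value = cp.get(section, "ssl-authority-files", fallback="")
        for path in filter(None, (p.strip() for p in value.split(";"))):
            try:
                status = "ok" if count_pem_certs(read_file(path)) else "not-pem"
            except OSError:
                status = "missing"
            findings.append((section, path, status))
    return findings

# Constructed sample input: a minimal servers file and stand-in file contents.
# The "certificate" is a 5-byte DER stub, not a real CA certificate.
STUB_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_FILES = {
    r"c:\ca.pem": b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(STUB_DER)
                  + b"\n-----END CERTIFICATE-----\n",
    r"c:\ca.cer": STUB_DER,  # binary DER export: not usable as a PEM authority file
}
SAMPLE_SERVERS = "[global]\nssl-authority-files = c:\\ca.pem;c:\\ca.cer;c:\\gone.pem\n"

def sample_reader(path):
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]

if __name__ == "__main__":
    for row in audit_servers(SAMPLE_SERVERS, sample_reader):
        print(*row)
```

Called with only the text of a real `servers` file, `audit_servers` reads the listed paths from disk. It checks encoding only and does not verify that the certificate is the expected CA.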