Windows Server 2008 and Subversion over HTTPS

Here’s the scenario, I decided to try out Subversion as a source control repository on a Windows Server 2008 server, attached to a Win Server 2008 domain, with ISA Server forwarding HTTP traffic.  After doing a little bit of research, I decided to give VisualSVN Server a try.  If you don’t know it, it’s a very small footprint product produced by VisualSVN Limited, that installs Subversion and an Apache server, on Windows, to handle the HTTP connection to SVN (Subversion).

The product installed and configured very easily, ‘hats off’ to VisualSVN, and I was immediately able to connect to it from internal on my network.  There are a few self-explanatory questions that are posed in the installation wizard.  Tough things like where do you want to store your repositories. ;)  (If you’re going to use a file share as a repository, make sure that you use the UNC and not a mapped drive.)

websiteshot

I’m amazed that I’ve come across yet another tech product that is actually behaving as advertised.  Is it just me, or is that odd???

Not the fault of VisualSVN, I began to run into configuration issues when I tried to route the traffic through ISA Server.

Keep Reading…

[ad#Google Adsense-1]

I realized rather quickly, that ISA Server wasn’t going to allow me to forward SSL traffic to VisualSVN while it was using a self-signed cert.  The cert must have been generated by VisualSVN / Apache since the server is a member of the same domain and ISA accepts those certificates without warning.

Without going into all the running-around I had to do, I’ll cut to the solution real quick and dirty.

Do not attempt to generate a certificate using Certificate Services Web Enrollment.  The certificates private key will not be accepted when you try to import it into VisualSVN.  You’ll figure that out, after you track down how to convert a certificate from .cer / .der format into the .pem format which is what you’ll think the initial problem is.  By the way, if you do need to convert a certificate as such, you can use the command line tool below, available in the OpenSSL package.

>”%VISUALSVN_SERVER%binopenssl” x509 –inform der –in cert.cer –outform pem-out cert.pem

cert.cer represents your .cer certificate while cert.pem represents what you want to name the newly formatted certificate.

* make sure to keep the quotes intact in the command above *

If you’re not using VisualSVN, you’ll have to install the OpenSSL package and navigate to it yourself.  The command is still valid with the change in the path to your install directory.

Download OpenSSL for Windows here.

In VisualSVN, if you right click on your server, VisualSVN Server (Local), then click on Properties, you’ll see where you are able to generate a certificate request, create a self-signed certificate, and import a signed certificate.  Generate the request.

VSVN properties

Copy that request to a location that you can reach from your CA (Certificate Authority), and create a certificate based on that request.  If the system complains that your certificate doesn’t contain any template information, use the following commands from the command prompt run as ‘administrator’:

>certreq –submit –attrib “CertificateTemplate:WebServer” vSVNcert.req

vSVNcert.req represents the path and filename of the certificate request.

Again, make sure that you run the command prompt as ‘administrator’.  The system will open a few windows, the last of which will ask you where you want to save the approved, issued, and signed certificate.

You can then use the VisualSVN properties interface to replace the self-signed certificate with your newly created domain based cert.  In this case, I did not have to convert the .cer file to a .pem file.  Apparently when you get the cert right, the software helps you the rest of the way.

[ad#Google Adsense-1]

This should get you past the ISA issues with not recognizing a certificate as valid, and applies for many other SSL (private issued) cert complaints from ISA.  Of course, you could also load the OpenSSL root cert into the ISA trusted store, but I prefer to keep my certs managed in a single location if at all possible.

Also, make sure that ISA is set to allow authentication in the Authentication Delegation tab of your rule properties.  I had it set to ‘No delegation, but user may authenticate directly’.

With that, you should have a protected SVN implementation using Windows Server 2008, ISA Server on Windows Server 2003, and VisualSVN which so far seems like an excellent product.  Now all you have to do is figure out which Subversion client you want to use… and did I mention that VisualSVN produces a client that integrates well with Visual Studio .NET?  Unlike VisualSVN Server, the client isn’t free, but it is reasonable. 🙂

Now I’m almost set for Visual Studio 2010, and SharePoint 2010 development and play-time.  Oh and since it’s SVN, I’m thinking I can probably store my iPhone dev stuff on it as well…

UPDATED: Here’s a link to a post on 4 free SVN clients for MacOSX: http://www.giordanopiazza.com/blog/web-design/4-free-svn-clients-mac-osx/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s