Monday, 1 December 2008

Ubuntu 8.10 subversion ssl library changed...

This is for everyone around the globe who just upgraded their machine to, or installed a fresh and shiny, Ubuntu 8.10 but still has an OpenSSL-generated PKCS#12 certificate. As the Linux folks decided to go for GnuTLS instead of OpenSSL, they also linked Subversion against the GnuTLS libraries, which means your personal certificate suddenly does not work anymore, leading to errors like "GnuTLS internal error" (duh, why not give out a proper error message).

As hacking is not my favorite part, I did not compile it manually to get it to work again, as some others did. Instead I will stick to the more constructive approach, i.e. converting your certificate to the proper style.


# Make sure openssl is installed
$ sudo apt-get install openssl

# Keep the certificate conversion hidden from any other (potentially evil) user
$ mkdir convert-cert && chmod 0700 convert-cert
$ cd convert-cert
# Work on a copy of the original certificate
$ cp ~/.subversion/rick.p12 original.pk12
# Next extract certificate and key (-nodes writes the private key unencrypted, hence the 0700 directory)
$ openssl pkcs12 -nodes -nokeys -in original.pk12 -out temp.crt
$ openssl pkcs12 -nodes -nocerts -in original.pk12 -out temp.key
# Create the new certificate
$ certtool --load-certificate temp.crt --load-privkey temp.key --to-p12 --outder --outfile new-cert.pk12
# Put the converted certificate next to the original one
$ mv new-cert.pk12 ~/.subversion/rick-gnutls.p12
# Securely wipe the unencrypted key, then remove the working directory
$ shred temp.key
$ cd .. && rm -Rd convert-cert
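
The same conversion wrapped as a shell function, as an added example that is not from the original post: it works in a `mktemp -d` directory under `umask 077`, shreds the unencrypted key on any exit, and passes `-clcerts` so that only the client certificate lands in `temp.crt` when the bundle also carries CA certificates. The function names `convert_p12` and `count_certs` and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: hardened variant of the conversion steps above.
# Function names, exit codes and file names are this example's own choices.

# Number of PEM certificates in a file (more than one means CA certs came along).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# convert_p12 SRC.p12 DST.p12
# Returns 2 on unreadable input, 3 if a tool is missing, 4 on an unexpected cert count.
convert_p12() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    for tool in openssl certtool shred mktemp; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 3; }
    done
    (
        umask 077                      # everything created below is owner-only
        work=$(mktemp -d) || exit 1
        # The key is written unencrypted (-nodes): overwrite it however we leave.
        trap 'shred -u "$work/temp.key" 2>/dev/null; rm -rf "$work"' EXIT
        trap 'exit 1' HUP INT TERM
        # -clcerts keeps only the client certificate and leaves CA certificates out.
        openssl pkcs12 -nodes -nokeys -clcerts -in "$src" -out "$work/temp.crt" || exit 1
        openssl pkcs12 -nodes -nocerts -in "$src" -out "$work/temp.key" || exit 1
        [ "$(count_certs "$work/temp.crt")" -eq 1 ] || exit 4
        certtool --load-certificate "$work/temp.crt" --load-privkey "$work/temp.key" \
                 --to-p12 --outder --outfile "$work/new.p12" || exit 1
        mv "$work/new.p12" "$dst"
    )
}
```

Call it as `convert_p12 ~/.subversion/rick.p12 ~/.subversion/rick-gnutls.p12`; both tools prompt for the passwords on the terminal, as in the manual steps.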

3 comments:

  1. Works like a charm, thnx :)

  2. Thanks, this has probably saved me a lot of headache.

  3. I had to perform one additional step. Before generating the new cert with certtool, I edited the .crt file and removed the certificate for the CA.
