This post is more of a reference for myself than anything else, but you might find it useful if you have run into security problems while trying to hook TeamCity to a Gitblit server that uses a self-signed certificate.
My team is slowly migrating to Gitblit from Subversion. We’re big on Continuous Integration, so we had to get TeamCity talking with our Gitblit server. This turned out to be a lot more painful than you might think. Gitblit installs with a self-signed certificate. While you should, in theory, be able to swap in a trusted cert purchased from a trusted authority, we were unable to get it to work. So, we are stuck with the self-signed cert. Not the end of the world, but not ideal.
Anyway, the next hurdle was getting TeamCity to communicate with Gitblit. Because we were using an untrusted certificate, we ran into the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
After a little digging and with some help from this post, I got things working.
First, export the certificate from Gitbit. The easiest way to do this is to navigate to your Gitblit site in Chrome, click the security icon by the URL, change the “Connection” tab, then click “Certificate information.”
This will open a Certificate details window. Change to the “Details” tab, then click “Copy to File” to save the certificate to your computer.
Next, open a Powershell prompt on your build server, and go to your TeamCity installation folder. For our build server, this was c:\TeamCity. In here you will have a “jre” folder where TeamCity installed the Java runtime it uses for hosting the web server and build agent. Copy the certificate you extracted from Gitblit to this same folder, then run the following command:
.\bin\keytool.exe -import -alias git.yourservername.com -file yourcertificate.cer -keystore lib\security\cacerts
When prompted for a password, enter ‘changeit”. Yep, that’s the default password. This will install the certificate into the cacerts keystore (note: if you get a permissions error, try granting your Windows account full permission to the file). After a restart, TeamCity should now be able to connect to your Gitblit server!