gusdpr

  1. I contacted Plastic support and they helped me to resolve the problem. Quoting Manuel from Codice software: "I think the issue is because the local Plastic SCM server is trying to automatically install the remote server certificate. This is only possible if you are the local 'Plastic SCM Server root' which is the repository server owner. It's always a good idea to change the default repository server owner to yourself if you are working distributed so you will have full control of your repository data. In order to do it: open the repositories view, right click in any of your local repositories and select "Repository server permissions", at the ACL dialog change the owner to yourself. After doing that retry the replication operation." To create your self-signed certificate follow the following instructions: http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/ Then to convert the crt file generated from the instructions above to a pfx follow the next steps: http://www.networkinghowtos.com/howto/convert-certificate-file-from-crt-to-pfx-using-openssl/ All the instructions use OpenSSL and I confirm they work. Hopefully this helps everyone who had this issue before. Thanks Plastic staff! Gus
  2. Hi Plastic SCM staff, Carlos, I started this topic a while ago, now that I finally decided to pay my own Plastic monthly subscription I tried to do exactly the same thing as described in my first post. Unfortunately this problem persists! Using sync replication doesn't work with self-signed certificates. However, creating a workspace by setting the "WorkspaceServer" in client.conf to point to the server by using ssl:// and port 8088 works perfectly fine, this shows the ssl connection is done successfully using this mode. Unfortunately this is not optimal for me and my team since we work in distributed mode (not centralized) so we need the replication functionality working with an encrypted connection and a self-signed certificate. The error that is shown in the sync replication window says "Error: Only the server administrator can accept a certificate on the server", this is shown after I try to replicate and a pop-up window says if I want to accept the certificate, pressing "Yes" shows the error (running Plastic with Administrator privileges makes no difference at all on Windows 7). The error makes no sense after trying with administrator access.
     Here is the server error log, it shows the real problem, the certificate was rejected because it is not signed by a CA authority:
         2015-07-17 21:13:57,301 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at MY-PC INFO Channel - The certificate 1873BLAH has been rejected by the user
         2015-07-17 21:13:57,301 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at MY-PC INFO Channel - Rejected certificate validation info:
         Sender: System.Net.Security.SslStream
         Certificate:
         SHA1: 1873BLAH
         MD5: 790MEH
         Subject: CN=aaa.ccc.com, O=theserver, S=CA, C=US
         Issuer: CN=aaa.ccc.com, O=theserver, S=CA, C=US
         Expiration: 11/18/2018 12:43:06 AM
         Version: 3
         Chain:
         Policy:
         Revocation mode: NoCheck
         Revocation flags: ExcludeRoot
         Verification flags: NoFlag
         Verification time: 7/17/2015 9:13:57 PM
         Status lenght: 1
         * Status: UntrustedRoot
         SslPolicyErrors: RemoteCertificateChainErrors
         2015-07-17 21:13:57,301 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at MY-PC ERROR Operations - OnError catching exception [An error occurred processing the request. No more information is available. Please, check the logs to get more information.] - Plastic server version: 5.4.16.666
         2015-07-17 21:13:57,301 NT AUTHORITY\SYSTEM at ERROR ExceptionTracerSink - Dumping in-transit exception:An error occurred processing the request. No more information is available. Please, check the logs to get more information.
         2015-07-17 21:13:57,301 NT AUTHORITY\SYSTEM at INFO ChannelCall - recb: 1419|rect: 0|sentb: 3557|sendt: 0|prt: 32|th: 16|dest: 0|mt: 32|sert: 0|zip: 0| 10.0.0.169|GetReplicationSyncStatus
         2015-07-17 21:13:58,970 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at MY-PC ERROR Operations - OnError catching exception [Only the server administrator can accept a certificate on the server.] - Plastic server version: 5.4.16.666
         2015-07-17 21:13:58,970 NT AUTHORITY\SYSTEM at ERROR ExceptionTracerSink - Dumping in-transit exception:Only the server administrator can accept a certificate on the server.
     Furthermore, adding the self-signed certificate as a CA and in the Plastic Client certificate folders using certmgr has absolutely no effect in this case, the same pop-up window is shown asking if I want to install the certificate and pressing yes makes the error happen in all cases. Please see the attached screenshots of the issue showing the error and another one showing using a non-distributed (centralized connection) workspace works without issues. This shows there is a possible bug in the sync replication functionality which has not been solved yet. Please fix this problem, it's been quite a while since this was reported. I'm using Plastic 5.4.16.666 - Barcelona at the moment. Regards, Gus
  3. Carlos or other Plastic staff, we really need help here. I really like using Plastic a lot but setting up a secure connection with a DVCS environment has turned into an endless circle (please see the above comments). Looking into the web shows only outdated documentation and no clear steps on how to do this with a DVCS. Please advise. Regards, Gus
  4. Hi all, I have tried using the newest Plastic SCM 5.4.16.619 (Nottingham) to see if this issue was solved. I still experience the same problem, however the server is a little more loud this time as well as the UI. These are the logs from both sides:
     Local server:
         2014-11-08 16:37:40,703 00000000-0000-0000-0000-000000000000 NT AUTHORITY\SYSTEM at GUS-PC ERROR Operations - OnError catching exception The authentication or decryption has failed.: zzz.yyy.com:8088. Internal: Channel SSL UI is not initialized
     Remote server:
         2014-11-08 16:35:44,335 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - conn 268. Authentication failed because the remote party has closed the transport stream.
     Carlos, can we get some help to figure out what "SSL UI" means for Plastic? Thanks, Gus
  5. Hi Sam, thanks for sharing. Now I don't feel alone. Here you have the steps I did to create my certificate using openssl, it works without a problem (look at the end of the thread). See David's response on the same thread where he clearly says the current instructions are supposedly obsolete in favor of using pfx files instead: http://www.plasticscm.net/index.php?/topic/741-ssl-certificate-issues/?hl=openssl#entry3719 Do not follow the guide that was shared with you on your other thread to create the certificate, it just doesn't work creating it with the .NET SDK. I already tried it myself, use openssl.
  6. Good day Plastic SCM staff, I have a problem regarding replicating two repositories using an SSL connection with Plastic SCM 5.0.44.600. Both repositories are on two different PCs running Windows on my same network. One of the PCs is the central server, it has a self-signed certificate that has proven to work correctly since I have tested the following works fine:
     + Creating a workspace with SSL connection on the server itself (on a localhost SSL connection using the server's name per the certificate)
     + Direct client to server workspace using SSL connection (no local client repository involved). I can navigate the remote repository branches with the secure connection. Certificate installed properly when attempting to connect.
     So I know I don't have problems communicating securely with the server with those configurations. However the problem arises when I try to create a repository on the client and then replicate what's inside the server's repository using a secure connection. I get the following error in the UI panel when I try to replicate: "Error: The authentication or decryption has failed: myserver.yyy.zzz:8088" Changing the server's address with port 8087 works without issue. So I'm suspecting there is a bug or configuration issue somewhere. Can you help me to figure out what's wrong? Unfortunately there is no documentation on how to set up the configuration I'm working on. You really need to work on creating much more accurate information. I needed to read multiple forums to get this working, existing documentation is very old and doesn't help much with more complex scenarios (like using and generating pfx files with plastic, what to do with the certificate on the clients, etc).
     * More info
     My workspace selector on the client (which works without a problem): repository "remote_repo@ssl://myserver.yyy.zzz:8088"
     Regards, Gus
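
The certificate procedure the first post points to (create your own CA with OpenSSL, then convert the .crt to a .pfx), written out as an added example; it is not taken from the posts or from the linked guides. The file names, the CA name "Example Private CA", the validity periods and the PFX_PASS variable are assumptions, and myserver.yyy.zzz is the placeholder hostname used in the thread.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> PFX bundle.
# File names, CA name and PFX_PASS are assumptions, not Plastic SCM settings.

# make_pfx DIR HOSTNAME : writes ca.crt, server.crt and server.pfx into DIR.
# The PFX password comes from the exported PFX_PASS variable so it never
# appears on a command line (where the process list would expose it).
make_pfx() {
    dir=$1 host=$2
    (
        cd "$dir" || exit 1
        umask 077                       # private keys readable by owner only

        # 1. Self-signed root CA: the one certificate clients import as trusted.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
            -keyout ca.key -out ca.crt -subj "/CN=Example Private CA" \
            2>/dev/null || exit 1

        # 2. Server key and signing request; CN is the name clients connect to.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout server.key -out server.csr -subj "/CN=$host" \
            2>/dev/null || exit 1

        # 3. Sign with the CA and add a subjectAltName for the same host.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -sha256 -days 397 -extfile san.ext \
            -out server.crt 2>/dev/null || exit 1

        # 4. Bundle key, certificate and CA into a password-protected PFX.
        openssl pkcs12 -export -inkey server.key -in server.crt \
            -certfile ca.crt -out server.pfx -passout env:PFX_PASS || exit 1
    )
}

# chain_ok DIR : succeeds only if server.crt verifies against ca.crt.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# is_self_signed CERT : succeeds when subject and issuer are identical, as in
# the rejected certificate in the log above (Subject equals Issuer).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" ]
}
```

OpenSSL 3 encrypts PFX files with AES by default, which older Windows releases may refuse to import; its `-legacy` option to `pkcs12 -export` produces the older format.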