SCM Manager on a Mac with a Let's Encrypt certificate

SCM Manager



SCM Manager (https://www.scm-manager.org) manages source code repositories. It supports Git, Mercurial and SVN. Whilst initial installation on OS X was simple, there were a number of difficulties in getting to a best-practice installation. In particular, using external certificates from Let's Encrypt (https://letsencrypt.org) was non-trivial.

Installation



Installing the basic system on OS X using Homebrew (https://brew.sh) is delightfully simple.

brew install scm-manager

and commence configuring from the web interface (http://serverip:8080/).

By default the local configuration and repositories are placed in the ~/.scm directory of the installing user. Whilst sufficient for single-user systems, this may not be ideal for organisations.

Getting SSL to work



Although there are instructions on the website (https://bitbucket.org/sdorra/scm-manager/wiki/scm-server-ssl), these are insufficient for the Mac install and only show how to generate self-signed certificates.

In particular the configuration file mentioned in the instructions is elusive when Homebrew is used to install SCM-Manager. For the current version it is located in:

/usr/local/Cellar/scm-manager/1.51/libexec/conf/server-config.xml

As per the instructions, all that is needed is to uncomment the appropriate section of the configuration, set your passwords and generate the certificate. The following would be uncommented (PASSWORD would be replaced with the real password, of course):


<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="excludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv2Hello</Item>
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <Set name="Port">8181</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="requestHeaderSize">16384</Set>
      <Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="password">PASSWORD</Set>
      <Set name="keyPassword">PASSWORD</Set>
      <Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="trustPassword">PASSWORD</Set>
    </New>
  </Arg>
</Call>


Be aware that the path to the keystore is relative to the libexec directory.

If you want to use a non-self signed certificate, more work is required.

Non-Self Signed Certificates



Given that I have an existing Let's Encrypt certificate on this server, I wanted to use it for SCM Manager too. With the help of a community help page on importing certificates for GlassFish (https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711?source_topic_id=34754) I created a script that runs shortly after my renewal script, giving me a working server.

To use SetSCMMgrCert.sh, update the configuration items at the beginning of the script and have it run shortly after the Let's Encrypt certificate is renewed.
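
The following added example, which is not the author's SetSCMMgrCert.sh, shows the usual conversion such a script performs: the PEM files are bundled into PKCS#12 with openssl and then imported into the JKS keystore that server-config.xml points at. The domain, the certbot-style /etc/letsencrypt/live path, the alias, and the KEYSTORE_PASS and DRY_RUN variables are assumptions.

```shell
#!/bin/sh
# Added example, not the post's SetSCMMgrCert.sh.
# Assumed values: DOMAIN, LE_DIR (certbot's default layout) and ALIAS.
DOMAIN="${DOMAIN:-scm.example.com}"
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
# conf directory of the Homebrew install named in the post
SCM_CONF="${SCM_CONF:-/usr/local/Cellar/scm-manager/1.51/libexec/conf}"
ALIAS="${ALIAS:-scm-manager}"

# With DRY_RUN set, print the command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Runs in a subshell, so umask/export/exit do not leak into the caller.
update_keystore() (
    # KEYSTORE_PASS must equal password/keyPassword in server-config.xml.
    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; exit 2; }
    for f in "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; exit 3; }
    done
    export KEYSTORE_PASS
    umask 077    # new keystore and temp files readable by the owner only
    tmp=$(mktemp -d) || exit 4
    # 1. Bundle key and chain as PKCS#12; env: keeps the password out of ps.
    # 2. Convert to a fresh JKS so no expired entry survives under the alias.
    # 3. Replace the live keystore only if both earlier steps succeeded.
    if run openssl pkcs12 -export -in "$LE_DIR/fullchain.pem" \
           -inkey "$LE_DIR/privkey.pem" -name "$ALIAS" \
           -out "$tmp/scm.p12" -passout env:KEYSTORE_PASS &&
       run keytool -importkeystore -noprompt -srcalias "$ALIAS" \
           -srckeystore "$tmp/scm.p12" -srcstoretype PKCS12 \
           -srcstorepass:env KEYSTORE_PASS \
           -destkeystore "$tmp/keystore.jks" -deststoretype JKS \
           -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS &&
       run mv "$tmp/keystore.jks" "$SCM_CONF/keystore.jks"
    then rc=0; else rc=1; fi
    rm -rf "$tmp"    # the PKCS#12 copy of the private key must not linger
    exit "$rc"
)

# Usage: KEYSTORE_PASS=... sh thisfile install   (after each renewal)
if [ "${1:-}" = "install" ]; then update_keystore; fi
```

Jetty reads the keystore at start-up, so SCM Manager has to be restarted after the swap. If the script runs as root in order to read privkey.pem, make sure the account running SCM Manager can still read the new keystore.jks.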

Conclusion



Using non-self signed certificates has significant advantages in removing annoying warning messages issued by SCM tools. With a little work SCM Manager can be persuaded to work with Let's Encrypt certificates.