Cannot pull/push to https server with self-signed certificate

Mads Kiilerich mads at kiilerich.com
Thu Jan 6 19:53:12 CST 2011


Brian Sullivan wrote, On 01/06/2011 07:31 PM:
> This discussion actually started as a bug reported about TortoiseHG 
> here: 
> https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self 
>
>
> I installed the latest version of TortoiseHg (1.1.8) on a new Windows 
> machine with no previous TortoiseHg or Mercurial installation.  We're 
> running our shared Mercurial server on Windows Server 2008 R2 under 
> IIS 7.5 with SSL using a self-signed certificate.  Things have been 
> running just fine for other users at our company on previous versions 
> of TortoiseHg.
>
> When I try to push or pull from this new THg 1.1.8 machine, I get the 
> following error:
> abort: error: _ssl.c:490: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Yes. The Windows installers started shipping with a cacerts file 
configured. That could be considered a convenient security improvement 
for some users, but it is a regression for those with self-signed 
certificates.

> Per the discussion linked to above, I tried to add my self-signed 
> certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem 
> file provided by TortoiseHg. I exported my self-signed cert from IIS 
> in Base-64 encoded X.509 format, then downloaded that to my Mac and 
> ran "openssl x509 -in hgcert.pem -text". I copied the text from "BEGIN 
> CERTIFICATE" to "END CERTIFICATE" and pasted that into my cacert.pem 
> file. This doesn't seem to solve the problem.

If you export the certificate as base64 X.509 it should be in the right 
format. But I guess you are exporting the server certificate. You need 
the root/CA certificate. 
http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates might 
give some hints.

>
> I am woefully ignorant when it comes to certificates, so I'm sure I'm 
> misunderstanding what's required here.
>
> As mentioned in the TortoiseHg bug thread above, I can successfully 
> push and pull by adding the following to my hgrc:
> [web]
> cacerts=
>
> However, this results in several ugly warning messages about skipping 
> cert verification that I'd rather not have to see if possible.

It is interesting how people seem to be more motivated by "I don't want 
to be told I'm insecure" than by "I don't want to be insecure". ;-)

/Mads
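The thread turns on which certificate belongs in cacert.pem: the file must hold the certificate of the *issuer* that Mercurial should trust, and a certificate that is its own issuer (issuer name equal to subject name) can serve as its own trust anchor, while a certificate issued by some other CA cannot. The script below is an added example, not code from this thread, Mercurial or TortoiseHg. It pulls every CERTIFICATE block out of a PEM file (the textual preamble that `openssl x509 -text` prints is ignored), walks just enough of the DER structure to locate the issuer and subject Name fields, and reports which case applies. It is a structural check only: it does not verify signatures or validity dates. The `fake_certificate` helper builds constructed, unsigned certificate skeletons purely so the example runs offline; real input would be the exported PEM file.

```python
"""Report, for each certificate in a PEM bundle, whether it is self-signed
(issuer == subject) and so can act as its own trust anchor in cacerts, or
whether the issuer's certificate is needed instead.
Added example for the cacerts discussion; not Mercurial/TortoiseHg code.
Structural check only: no signature or validity verification."""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_bytes):
    """Return the DER body of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(b"".join(m.split()))
            for m in PEM_BLOCK.findall(pem_bytes)]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(seq_value):
    """Split the value of a SEQUENCE into (tag, raw TLV bytes) children."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, nxt = read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:nxt]))
        pos = nxt
    return out


def issuer_and_subject(der):
    """Raw DER encodings of issuer and subject, using the RFC 5280 field order."""
    _, cert_value, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    tbs = children(cert_value)[0][1]             # tbsCertificate TLV
    _, tbs_value, _ = read_tlv(tbs, 0)
    fields = children(tbs_value)
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    return fields[2][1], fields[4][1]


def classify(der):
    """Say whether this certificate can be its own trust anchor."""
    issuer, subject = issuer_and_subject(der)
    if issuer == subject:
        return "self-signed (usable as its own trust anchor)"
    return "issued by another CA (put the issuer's certificate in cacerts)"


def report(pem_bytes):
    return [classify(der) for der in pem_to_der(pem_bytes)]


# --- constructed test data below; not real certificates -------------------
def der_encode(tag, payload):
    """Encode one DER TLV with short or long length form."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN."""
    atv = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03")     # OID 2.5.4.3 (CN)
                     + der_encode(0x0C, common_name.encode()))
    return der_encode(0x30, der_encode(0x31, atv))


def fake_certificate(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton in RFC 5280 field order.
    Enough structure for the parser above; NOT a valid certificate."""
    sha256_rsa = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"          # 1.2.840.113549.1.1.11
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))            # version v3
           + der_encode(0x02, b"\x01")                              # serialNumber
           + der_encode(0x30, der_encode(0x06, sha256_rsa))         # signature alg
           + fake_name(issuer_cn)
           + der_encode(0x30, der_encode(0x17, b"110101000000Z")    # validity
                        + der_encode(0x17, b"120101000000Z"))
           + fake_name(subject_cn)
           + der_encode(0x30, b""))                                 # spki placeholder
    cert = der_encode(0x30, der_encode(0x30, tbs)
                      + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # A self-signed server cert (as IIS generates) and a CA-issued one.
    bundle = (fake_certificate("hg.example.test", "hg.example.test")
              + fake_certificate("Example Root CA", "hg.example.test"))
    for line in report(bundle):
        print(line)
```

Run it against the exported file with `report(open("hgcert.pem", "rb").read())`: a self-signed IIS certificate reports as its own trust anchor and can be appended to cacert.pem as-is, whereas a certificate issued by an internal CA means the CA's own certificate is the one to append.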

