Cannot pull/push to https server with self-signed certificate
Mads Kiilerich
mads at kiilerich.com
Thu Jan 6 19:53:12 CST 2011
Brian Sullivan wrote, On 01/06/2011 07:31 PM:
> This discussion actually started as a bug reported about TortoiseHG
> here:
> https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self
>
>
> I installed the latest version of TortoiseHg (1.1.8) on a new Windows
> machine with no previous TortoiseHg or Mercurial installation. We're
> running our shared Mercurial server on Windows Server 2008 R2 under
> IIS 7.5 with SSL using a self-signed certificate. Things have been
> running just fine for other users at our company on previous versions
> of TortoiseHg.
>
> When I try to push or pull from this new THg 1.1.8 machine, I get the
> following error:
> abort: error: _ssl.c:490: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Yes. The Windows installers started shipping with a cacerts file
configured. That could be considered a convenient security improvement
for some users, but it is a regression for those with self-signed
certificates.
> Per the discussion linked to above, I tried to add my self-signed
> certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem
> file provided by TortoiseHg. I exported my self-signed cert from IIS
> in Base-64 encoded X.509 format, then downloaded that to my Mac and
> ran "openssl x509 -in hgcert.pem -text". I copied the text from "BEGIN
> CERTIFICATE" to "END CERTIFICATE" and pasted that into my cacert.pem
> file. This doesn't seem to solve the problem.
If you export the certificate as Base-64 X.509 it should be in the right
format. But I guess you are exporting the server certificate. You need
the root/CA certificate.
http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates might
give some hints.
>
> I am woefully ignorant when it comes to certificates, so I'm sure I'm
> misunderstanding what's required here.
>
> As mentioned in the TortoiseHg bug thread above, I can successfully
> push and pull by adding the following to my hgrc:
> [web]
> cacerts=
>
> However, this results in several ugly warning messages about skipping
> cert verification that I'd rather not have to see if possible.
It is interesting how people seem to be more motivated by "I don't want
to be told I'm insecure" than by "I don't want to be insecure". ;-)
/Mads
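The thread leaves the reader with two options: an empty `cacerts` that switches verification off, or putting the right certificate into cacert.pem. The shell script below is an added example, not part of this mailing-list thread and not TortoiseHg's or Mercurial's own code. It assumes the `openssl` command-line tool is on PATH and uses placeholder file names throughout; it builds a throw-away self-signed certificate to stand in for the one exported from IIS, checks that the file about to be trusted really is the self-signed root (issuer equal to subject; if not, the file is a leaf and it is the issuer's certificate that belongs in the bundle, which is the point behind "you need the root/CA certificate"), appends only the PEM block so that text from `openssl x509 -text` cannot pollute the bundle, confirms with `openssl verify` that the bundle validates the server certificate, and writes an hgrc fragment with the insecure empty `cacerts` next to the setting that keeps verification on.

```shell
#!/bin/sh
# Added example, not code from the thread, TortoiseHg or Mercurial.
# Assumes the openssl command-line tool is on PATH; all paths are placeholders.
set -eu

# Build a throw-away self-signed certificate to stand in for the one exported
# from IIS (constructed test input, not the poster's real certificate).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=hg.example.test" \
        -keyout "$1/hgserver.key" -out "$1/hgcert.pem" >/dev/null 2>&1
}

# True when issuer == subject, i.e. the file is a self-signed root and belongs
# in cacert.pem. If this fails, the file is a leaf issued by some other CA and
# it is that CA's certificate that must go into the bundle instead.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Append the certificate to the bundle. Re-emitting it through openssl x509
# keeps only the BEGIN/END CERTIFICATE block, so the human-readable dump from
# "openssl x509 -text" never ends up inside cacert.pem.
add_to_bundle() {
    openssl x509 -in "$1" >> "$2"
}

# Does the bundle actually validate the server certificate? This is the same
# question Mercurial asks at push/pull time when cacerts is set.
bundle_validates() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-1 fingerprint of the certificate (the value a host-pinning entry carries).
fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1)
    printf '%s\n' "${fp#*=}"
}

# Write an hgrc fragment: the empty-cacerts workaround, commented out, next to
# the setting that keeps verification on. On Windows the bundle would be the
# cacert.pem under TortoiseHg's hgrc.d directory mentioned in the thread.
write_hgrc() {
    cat > "$1" <<EOF
# Insecure workaround from the thread: an empty cacerts disables verification,
# hence the "skipping cert verification" warnings on every push/pull.
#[web]
#cacerts =

# Keeps verification on: trust the bundle that contains the self-signed root.
[web]
cacerts = $2
EOF
}

demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    if is_self_signed "$d/hgcert.pem"; then
        echo "hgcert.pem is self-signed: adding it to the bundle"
        : > "$d/cacert.pem"
        add_to_bundle "$d/hgcert.pem" "$d/cacert.pem"
    else
        echo "hgcert.pem is a leaf: add its issuer's certificate instead"
        exit 1
    fi
    if bundle_validates "$d/hgcert.pem" "$d/cacert.pem"; then
        echo "bundle validates the server certificate"
    else
        echo "bundle does NOT validate the server certificate"
    fi
    echo "SHA-1 fingerprint: $(fingerprint "$d/hgcert.pem")"
    write_hgrc "$d/hgrc" "$d/cacert.pem"
    cat "$d/hgrc"
}

# Only run the walkthrough when openssl is present.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it as `sh check-cacert.sh`; the same functions work on a real exported certificate by replacing the `make_demo_cert` step with the file exported from IIS. The fingerprint is printed because pinning a single host is the other way to keep verification on without maintaining a bundle: Mercurial's `[hostfingerprints]` section (added in Mercurial 1.7.3, not discussed in this thread) takes `hostname = fingerprint` lines in exactly this colon-separated SHA-1 form.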