Cannot pull/push to https server with self-signed certificate
bmsullivan at gmail.com
Thu Jan 6 20:43:58 CST 2011
Thanks for the response!
After reading your message, I performed the steps exactly as described on
the Mercurial wiki page you linked to. I navigated to our repo site in
Firefox and exported the certificate at the root of the hierarchy (there was
actually only one in the tree). Once exported, I got the hash on my Mac
using openssl and copied that into the cacert.pem file on my Windows VM.
This still results in the same error when trying to perform a remote
Could this have something to do with line endings, since I'm copying the
hash text from a Mac terminal window into my Windows text editor (GVim)? To
address that possibility, I joined the whole hash onto one line and entered
the carriage returns manually, but it didn't seem to have any effect. GVim
says the file is [unix], is that what it should be, even on a Windows
system? I'm grasping at straws, here.
I really appreciate your help. And I also appreciate the security concerns
of the Mercurial developers, and think they made the right decision for the
long run. I just hope the usability around using self-signed certs gets a
bit easier; I think some of my coworkers might have a difficult time with
this, even if I explained the steps to them. Keep in mind, these are guys
who would have used TFS if I hadn't convinced them otherwise. ;-)
On Thu, Jan 6, 2011 at 7:53 PM, Mads Kiilerich <mads at kiilerich.com> wrote:
> Brian Sullivan wrote, On 01/06/2011 07:31 PM:
>> This discussion actually started as a bug reported about TortoiseHG here:
>> I installed the latest version of TortoiseHg (1.1.8) on a new Windows
>> machine with no previous TortoiseHg or Mercurial installation. We're
>> running our shared Mercurial server on Windows Server 2008 R2 under IIS 7.5
>> with SSL using a self-signed certificate. Things have been running just
>> fine for other users at our company on previous versions of TortoiseHg.
>> When I try to push or pull from this new THg 1.1.8 machine, I get the
>> following error:
>> abort: error: _ssl.c:490: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Yes. The windows installers started shipping with a cacerts file
> configured. That could be considered a convenient security improvement for
> some users, but it is a regression for those with self-signed certificates.
>> Per the discussion linked to above, I tried to add my self-signed
>> certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem file
>> provided by TortoiseHg. I exported my self-signed cert from IIS in Base-64
>> encoded X.509 format, then downloaded that to my Mac and ran "openssl x509
>> -in hgcert.pem -text". I copied the text from "BEGIN CERTIFICATE" to "END
>> CERTIFICATE" and pasted that into my cacert.pem file. This doesn't seem to
>> solve the problem.
> If you export the certificate as base64 x.509 it should be in the right
> format. But I guess you are exporting the server certificate. You need the
> root/CA certificate.
> http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates
> might give some hints.
>> I am woefully ignorant when it comes to certificates, so I'm sure I'm
>> misunderstanding what's required here.
>> As mentioned in the TortoiseHg bug thread above, I can successfully push
>> and pull by adding the following to my hgrc:
>> However, this results in several ugly warning messages about skipping cert
>> verification that I'd rather not have to see if possible.
> It is interesting how people seem to be more motivated by "I don't want to
> be told I'm insecure" than by "I don't want to be insecure". ;-)
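As an added example, not part of this thread or of Mercurial, here is a small Python checker for the two things discussed above: it normalises Windows CRLF line endings in a cacert.pem-style file and reports whether each pasted block is a self-signed root (issuer equals subject) or a server (leaf) certificate, which is the distinction Mads points at. The certificate structure it builds for its sample is constructed and is not a real certificate; names such as fake_cert and check_cacert are the example's own.

```python
import base64, re
# Constructed sample (assumption): DER shaped like an X.509 cert, no key/signature.
def _tlv(tag, body):
    """DER-encode one tag/length/value triple (bodies under 256 bytes)."""
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, value } } }
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))

def fake_cert(issuer, subject):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    return _tlv(0x30, _tlv(0x30, tbs))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; long lengths OK."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def is_self_signed(der):
    """True when issuer == subject, i.e. a root/CA cert, not a server cert."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                  # optional explicit version
        fields = fields[1:]
    return fields[2][1] == fields[4][1]       # serial, sigAlg, issuer, validity, subject

def pem_blocks(text):
    """Normalise CRLF and return the DER bytes of every CERTIFICATE block."""
    pat = r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----"
    blocks = re.findall(pat, text.replace("\r\n", "\n"), re.S)
    return [base64.b64decode(b.replace("\n", "")) for b in blocks]

def check_cacert(text):
    """Label each cert in a cacert.pem-style file as 'root' or 'leaf'."""
    return ["root" if is_self_signed(d) else "leaf" for d in pem_blocks(text)]

def to_pem(der, eol="\n"):  # eol="\r\n" mimics a file saved by a Windows editor
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + eol
```

Run check_cacert on the contents of the real cacert.pem: a block reported as "leaf" is the server certificate, which is not what the verifier needs, and CRLF endings do not by themselves break the parse.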