Cannot pull/push to https server with self-signed certificate

Brian Sullivan bmsullivan at gmail.com
Thu Jan 6 20:43:58 CST 2011


Mads,

Thanks for the response!

After reading your message, I performed the steps exactly as described on
the Mercurial wiki page you linked to.  I navigated to our repo site in
Firefox and exported the certificate at the root of the hierarchy (there was
actually only one in the tree).  Once exported, I got the hash on my Mac
using openssl and copied that into the cacert.pem file on my Windows VM.
This still results in the same error when trying to perform a remote
operation.

Could this have something to do with line endings, since I'm copying the
hash text from a Mac terminal window into my Windows text editor (GVim)?  To
address that possibility, I joined the whole hash onto one line and entered
the carriage returns manually, but it didn't seem to have any effect.  GVim
says the file is [unix], is that what it should be, even on a Windows
system?  I'm grasping at straws, here.

I really appreciate your help.  And I also appreciate the security concerns
of the Mercurial developers, and think they made the right decision for the
long run.  I just hope the usability around using self-signed certs gets a
bit easier; I think some of my coworkers might have a difficult time with
this, even if I explained the steps to them.  Keep in mind, these are guys
who would have used TFS if I hadn't convinced them otherwise. ;-)

Brian

On Thu, Jan 6, 2011 at 7:53 PM, Mads Kiilerich <mads at kiilerich.com> wrote:

> Brian Sullivan wrote, On 01/06/2011 07:31 PM:
>
>> This discussion actually started as a bug reported about TortoiseHG here:
>> https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self
>>
>> I installed the latest version of TortoiseHg (1.1.8) on a new Windows
>> machine with no previous TortoiseHg or Mercurial installation.  We're
>> running our shared Mercurial server on Windows Server 2008 R2 under IIS 7.5
>> with SSL using a self-signed certificate.  Things have been running just
>> fine for other users at our company on previous versions of TortoiseHg.
>>
>> When I try to push or pull from this new THg 1.1.8 machine, I get the
>> following error:
>> abort: error: _ssl.c:490: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>
> Yes. The windows installers started shipping with a cacerts file
> configured. That could be considered a convenient security improvement for
> some users, but it is a regression for those with self-signed certificates.
>
>
>> Per the discussion linked to above, I tried to add my self-signed
>> certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem file
>> provided by TortoiseHg. I exported my self-signed cert from IIS in Base-64
>> encoded X.509 format, then downloaded that to my Mac and ran "openssl x509
>> -in hgcert.pem -text". I copied the text from "BEGIN CERTIFICATE" to "END
>> CERTIFICATE" and pasted that into my cacert.pem file. This doesn't seem to
>> solve the problem.
>>
>
> If you export the certificate as base64 x.509 it should be in the right
> format. But I guess you are exporting the server certificate. You need the
> root/CA certificate.
> http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates
> might give some hints.
>
>
>
>> I am woefully ignorant when it comes to certificates, so I'm sure I'm
>> misunderstanding what's required here.
>>
>> As mentioned in the TortoiseHg bug thread above, I can successfully push
>> and pull by adding the following to my hgrc:
>> [web]
>> cacerts=
>>
>> However, this results in several ugly warning messages about skipping cert
>> verification that I'd rather not have to see if possible.
>>
>
> It is interesting how people seem to be more motivated by "I don't want to
> be told I'm insecure" than by "I don't want to be insecure". ;-)
>
> /Mads
>