Cannot pull/push to https server with self-signed certificate
Mads Kiilerich
mads at kiilerich.com
Fri Jan 7 17:22:38 CST 2011
On 01/07/2011 09:40 PM, Brian Sullivan wrote:
> On Fri, Jan 7, 2011 at 11:45 AM, Mads Kiilerich <mads at kiilerich.com
> <mailto:mads at kiilerich.com>> wrote:
>
> On 01/07/2011 03:43 AM, Brian Sullivan wrote:
>
> Mads,
>
> Thanks for the response!
>
> After reading your message, I performed the steps exactly as
> described
> on the Mercurial wiki page you linked to. I navigated to our
> repo site
> in Firefox and exported the certificate at the root of the hierarchy
> (there was actually only one in the tree). Once exported, I got the
> hash on my Mac using openssl and copied that into the cacert.pem
> file on
> my Windows VM. This still results in the same error when trying to
> perform a remote operation.
>
>
> Can you show us (or me) the certificates you exported? And also the
> full chain of the web server certificate as exported by Firefox?
>
> (Btw: The certificate is not (just) a hash but the wrapped
> base64-encoded DER-encoded X.509 ASN.1 structure which primarily
> contains a public RSA key.)
>
> /Mads
>
> Mads,
>
> This is what gets exported by Firefox. There's only one entry in the
> "Certificate Hierarchy" box, which has the name of my server in it. I
> clicked "Export..." and saved it as "X.509 Certificate with chain
> (PEM)". When I open up the file, I get this:
>
> -----BEGIN CERTIFICATE-----
anonymized
> -----END CERTIFICATE-----
>
> Which seems to be exactly what I've pasted into my cacert.pem file
> before. Does the fact that there's only one cert there tell you
> anything about what the problem might be?
Ok.
The "reason" is that your certificate is self-signed and contains
restrictions for X509v3 Key Usage: Key Encipherment, Data Encipherment.
Apparently, when x509 Key Usage is specified it must contain keyCertSign
if it is used as a CA - and a self-signed certificate is used for both CA
and "encipherment". This is not something that is implemented in
Mercurial. It comes from OpenSSL as it is used by Python.
The "solution": Use another certificate that is more OpenSSL and/or
standard compliant.
[insert MS bashing and x.509 rant here]
The (apparently) same error can be reproduced in test-https.t by using
the following pub.pem, which extends the existing one with a
non-critical extension 2.5.29.15 id-ce-keyUsage with dataEncipherment
and keyEncipherment.
/Mads
How did I find out about this? I looked up and saw a
bright light and when I came to I had a scar on my forehead
and knew about X.500.
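The keyUsage rule explained above, as an added example that is not part of the original thread and is neither Mercurial's nor OpenSSL's code: a stdlib-only encoder and decoder for the DER id-ce-keyUsage extension, plus the check that a self-signed certificate carrying that extension must include keyCertSign to serve as its own CA. The sample extensions are constructed inline.

```python
# Added illustration (my code, not Mercurial's or OpenSSL's) of the rule in the thread:
# a self-signed cert with an X509v3 Key Usage extension can act as its own CA only if
# that extension includes keyCertSign. Stdlib only; sample extensions are constructed.
KEY_USAGE_OID_DER = bytes.fromhex("551d0f")       # OID 2.5.29.15 id-ce-keyUsage
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def der_tlv(tag, body):
    """Encode one DER tag-length-value; short-form length (< 128 bytes) is enough here."""
    return bytes([tag, len(body)]) + body

def encode_key_usage_ext(*usages, critical=False):
    """Build Extension { OID, [BOOLEAN critical], OCTET STRING { BIT STRING } } in DER."""
    positions = [KEY_USAGE_BITS.index(u) for u in usages]
    bitstr = b"\x00"                                # empty BIT STRING: zero unused bits
    if positions:                                   # DER drops trailing zero bits
        high = max(positions)                       # bit 0 is the MSB of the first byte
        packed = sum(1 << (15 - p) for p in positions).to_bytes(2, "big")
        bitstr = bytes([7 - high % 8]) + packed[:high // 8 + 1]  # unused count, then data
    seq = der_tlv(0x06, KEY_USAGE_OID_DER)
    if critical:
        seq += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, seq + der_tlv(0x04, der_tlv(0x03, bitstr)))

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the short-form DER TLV at buf[pos:]."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form length not expected in a KeyUsage extension")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_key_usage_ext(ext):
    """Return (critical, set of usage names) from a DER-encoded keyUsage Extension."""
    _, seq, _ = parse_tlv(ext)
    tag, oid, pos = parse_tlv(seq)
    if (tag, oid) != (0x06, KEY_USAGE_OID_DER):
        raise ValueError("not an id-ce-keyUsage extension")
    tag, body, pos = parse_tlv(seq, pos)
    critical = tag == 0x01 and body == b"\xff"      # optional BOOLEAN, DEFAULT FALSE
    if tag == 0x01:
        tag, body, pos = parse_tlv(seq, pos)
    _, bitstr, _ = parse_tlv(body)                  # the OCTET STRING wraps a BIT STRING
    unused, data = bitstr[0], bitstr[1:]
    usages = {name for i, name in enumerate(KEY_USAGE_BITS)
              if i < len(data) * 8 - unused and data[i // 8] >> (7 - i % 8) & 1}
    return critical, usages

def self_signed_usable_as_ca(key_usage_ext):
    """Rule from the thread: absent KeyUsage means no restriction; present needs keyCertSign."""
    if key_usage_ext is None:
        return True
    return "keyCertSign" in decode_key_usage_ext(key_usage_ext)[1]
```

Running `self_signed_usable_as_ca(encode_key_usage_ext("keyEncipherment", "dataEncipherment"))` reproduces the rejected case from the thread, while adding `"keyCertSign"` to the usages makes the same certificate acceptable.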