Cannot pull/push to https server with self-signed certificate

Mads Kiilerich mads at kiilerich.com
Fri Jan 7 17:22:38 CST 2011


On 01/07/2011 09:40 PM, Brian Sullivan wrote:
> On Fri, Jan 7, 2011 at 11:45 AM, Mads Kiilerich <mads at kiilerich.com
> <mailto:mads at kiilerich.com>> wrote:
>
>     On 01/07/2011 03:43 AM, Brian Sullivan wrote:
>
>         Mads,
>
>         Thanks for the response!
>
>         After reading your message, I performed the steps exactly as
>         described
>         on the Mercurial wiki page you linked to.  I navigated to our
>         repo site
>         in Firefox and exported the certificate at the root of the hierarchy
>         (there was actually only one in the tree).  Once exported, I got the
>         hash on my Mac using openssl and copied that into the cacert.pem
>         file on
>         my Windows VM.  This still results in the same error when trying to
>         perform a remote operation.
>
>
>     Can you show us (or me) the certificates you exported? And also the
>     full chain of the web server certificate as exported by Firefox?
>
>     (Btw: The certificate is not (just) a hash but the wrapped
>     base64-encoded DER-encoded X.509 ASN.1 structure which primarily
>     contains a public RSA key.)
>
>     /Mads
>
> Mads,
>
> This is what gets exported by Firefox.  There's only one entry in the
> "Certificate Hierarchy" box, which has the name of my server in it.  I
> clicked "Export..." and saved it as "X.509 Certificate with chain
> (PEM)".  When I open up the file, I get this:
>
> -----BEGIN CERTIFICATE-----
> anonymized
> -----END CERTIFICATE-----
>
> Which seems to be exactly what I've pasted into my cacert.pem file
> before.  Does the fact that there's only one cert there tell you
> anything about what the problem might be?

Ok.

The "reason" is that your certificate is self-signed and contains 
restrictions for X509v3 Key Usage: Key Encipherment, Data Encipherment.

Apparently, when x509 Key Usage is specified it must contain keyCertSign 
if it is used as CA - and a self-signed certificate is used for both CA 
and "encipherment". This is not something that is implemented in 
Mercurial. It comes from OpenSSL as it is used by Python.

The "solution": Use another certificate that is more OpenSSL and/or 
standard compliant.

[insert MS bashing and x.509 rant here]

The (apparently) same error can be reproduced in test-https.t by using 
the following pub.pem, which extends the existing one with a 
non-critical extension 2.5.29.15 id-ce-keyUsage with dataEncipherment 
and keyEncipherment.


/Mads
             How did I find out about this?  I looked up and saw a
             bright light and when I came to I had a scar on my forehead
             and knew about X.500.
