Cannot pull/push to https server with self-signed certificate

Brian Sullivan bmsullivan at gmail.com
Fri Jan 7 18:25:00 CST 2011


On Fri, Jan 7, 2011 at 5:22 PM, Mads Kiilerich <mads at kiilerich.com> wrote:

> On 01/07/2011 09:40 PM, Brian Sullivan wrote:
>
>> On Fri, Jan 7, 2011 at 11:45 AM, Mads Kiilerich <mads at kiilerich.com
>> <mailto:mads at kiilerich.com>> wrote:
>>
>>    On 01/07/2011 03:43 AM, Brian Sullivan wrote:
>>
>>        Mads,
>>
>>        Thanks for the response!
>>
>>        After reading your message, I performed the steps exactly as
>>        described
>>        on the Mercurial wiki page you linked to.  I navigated to our
>>        repo site
>>        in Firefox and exported the certificate at the root of the
>> hierarchy
>>        (there was actually only one in the tree).  Once exported, I got
>> the
>>        hash on my Mac using openssl and copied that into the cacert.pem
>>        file on
>>        my Windows VM.  This still results in the same error when trying to
>>        perform a remote operation.
>>
>>
>>    Can you show us (or me) the certificates you exported? And also the
>>    full chain of the web server certificate as exported by Firefox?
>>
>>    (Btw: The certificate is not (just) a hash but the wrapped
>>    base64-encoded DER-encoded X.509 ASN.1 structure which primarily
>>    contains a public RSA key.)
>>
>>    /Mads
>>
>> Mads,
>>
>> This is what gets exported by Firefox.  There's only one entry in the
>> "Certificate Hierarchy" box, which has the name of my server in it.  I
>> clicked "Export..." and saved it as "X.509 Certificate with chain
>> (PEM)".  When I open up the file, I get this:
>>
>> -----BEGIN CERTIFICATE-----
>>
> anonymized
>
>> -----END CERTIFICATE-----
>>
>> Which seems to be exactly what I've pasted into my cacert.pem file
>> before.  Does the fact that there's only one cert there tell you
>> anything about what the problem might be?
>>
>
> Ok.
>
> The "reason" is that your certificate is self-signed and contains
> restrictions for X509v3 Key Usage: Key Encipherment, Data Encipherment.
>
> Apparently, when x509 Key Usage is specified it must contain keyCertSign if
> it is used as CA - and a self-signed certificate is used for both CA and
> "encipherment". This is not something that is implemented in Mercurial. It
> comes from OpenSSL as it is used by Python.
>
> The "solution": Use another certificate that is more OpenSSL and/or
> standard compliant.
>
> [insert MS bashing and x.509 rant here]
>
> The (apparently) same error can be reproduced in test-https.t by using the
> following pub.pem, which extends the existing one with a non-critical
> extension 2.5.29.15 id-ce-keyUsage with dataEncipherment and
> keyEncipherment.
>
> -----BEGIN CERTIFICATE-----
> MIIBuDCCAWKgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo10wWzAdBgNVHQ4EFgQUE6sA+amm
> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
> DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADQQAwv0lc
> HXW43y37476uQqApcxhxYhaR+33MeJnLNYTwNwdLtq2wcRScMh+qyUi4Ih7HJjiZ
> W8FMY0hM4xLCLj0f
> -----END CERTIFICATE-----
>
> /Mads
>            How did I find out about this?  I looked up and saw a
>            bright light and when I came to I had a scar on my forehead
>            and knew about X.500.
>

Mads, Steve, et al.,

Using the power of the intarwebs, I figured out how to use openssl to
generate a key and certificate on my Mac, sign the cert, combine them into a
.pfx file, import that cert into IIS, and assign it to the repo site, and
copy the new cert into my cacerts.pem file.  Whew!  After all that, though,
it works like a charm!

For openssl newbs like me who might be reading this, here are the sites I
found my info on:

Creating a private key and cert:
http://www.akadia.com/services/ssh_test_certificate.html (note: you don't
have to remove the password if you're using IIS like I am)
Combining key and cert into a pfx file:
http://www.digicert.com/ssl-support/apache-ssl-export.htm


Hopefully this will help some others who run into this problem.

Thanks for all of your help, guys!

Brian
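An added example, not part of this thread: a stdlib-only Python check for the condition Mads describes above, run against the pub.pem he posted. It walks the DER structure of the certificate, pulls the X509v3 Key Usage (2.5.29.15) and Basic Constraints (2.5.29.19) extensions, and reports whether a self-signed certificate can act as its own trust anchor in the way OpenSSL expects, i.e. basicConstraints says CA and keyUsage is either absent or includes keyCertSign. The certificate bytes are the ones posted above; every function name is mine, and the trust-anchor rule is a simplified restatement of the OpenSSL behaviour Mads reports, not Mercurial's or OpenSSL's own code.

```python
import base64
import re

# Constructed input: the pub.pem Mads posted above. Its keyUsage asserts only
# keyEncipherment and dataEncipherment, so keyCertSign is missing.
PEM = """-----BEGIN CERTIFICATE-----
MIIBuDCCAWKgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo10wWzAdBgNVHQ4EFgQUE6sA+amm
r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADQQAwv0lc
HXW43y37476uQqApcxhxYhaR+33MeJnLNYTwNwdLtq2wcRScMh+qyUi4Ih7HJjiZ
W8FMY0hM4xLCLj0f
-----END CERTIFICATE-----"""

OID_KEY_USAGE = "2.5.29.15"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
# Bit positions of the KeyUsage BIT STRING, per RFC 5280.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER certificate."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(raw):
    """Turn DER OID contents into dotted form, e.g. 55 1d 0f -> 2.5.29.15."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extensions(der):
    """Map extension OID -> (critical, extnValue bytes) from tbsCertificate [3]."""
    _, cert, _ = read_tlv(der)                 # Certificate ::= SEQUENCE
    tbs = next(children(cert))[1]              # tbsCertificate is its first element
    found = {}
    for tag, value in children(tbs):
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            ext_seq = next(children(value))[1]
            for _, ext in children(ext_seq):
                fields = list(children(ext))   # OID, optional critical BOOLEAN, OCTET STRING
                critical = len(fields) == 3 and fields[1][1] != b"\x00"
                found[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return found


def key_usage(der):
    """Return the asserted keyUsage bit names, or None if the extension is absent."""
    exts = extensions(der)
    if OID_KEY_USAGE not in exts:
        return None
    _, bits, _ = read_tlv(exts[OID_KEY_USAGE][1])   # BIT STRING: unused-bit count, then data
    data = bits[1:]
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))]


def is_ca(der):
    """True when basicConstraints is present and its cA BOOLEAN is TRUE."""
    exts = extensions(der)
    if OID_BASIC_CONSTRAINTS not in exts:
        return False
    _, seq, _ = read_tlv(exts[OID_BASIC_CONSTRAINTS][1])
    return any(tag == 0x01 and value != b"\x00" for tag, value in children(seq))


def usable_as_trust_anchor(der):
    """Simplified OpenSSL rule from the thread: a cert can sign itself as a CA
    only if it is flagged cA and keyUsage is absent or includes keyCertSign."""
    usage = key_usage(der)
    return is_ca(der) and (usage is None or "keyCertSign" in usage)


if __name__ == "__main__":
    der = pem_to_der(PEM)
    print("keyUsage:", key_usage(der))
    print("cA:", is_ca(der))
    print("usable as trust anchor:", usable_as_trust_anchor(der))
```

Run it before pasting a self-signed server certificate into cacert.pem: if the last line prints False while keyUsage lists encipherment bits only, the certificate will fail verification for the reason Mads gives, and the remedy is the one Brian arrived at, namely issuing a fresh certificate whose keyUsage either omits the extension or includes keyCertSign.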