Cannot pull/push to https server with self-signed certificate
Brian Sullivan
bmsullivan at gmail.com
Thu Jan 6 12:31:43 CST 2011
This discussion actually started as a bug reported about TortoiseHg here:
https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self
I installed the latest version of TortoiseHg (1.1.8) on a new Windows
machine with no previous TortoiseHg or Mercurial installation. We're
running our shared Mercurial server on Windows Server 2008 R2 under IIS 7.5
with SSL using a self-signed certificate. Things have been running just
fine for other users at our company on previous versions of TortoiseHg.
When I try to push or pull from this new THg 1.1.8 machine, I get the
following error:
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Per the discussion linked to above, I tried to add my self-signed
certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem file
provided by TortoiseHg. I exported my self-signed cert from IIS in Base-64
encoded X.509 format, then downloaded that to my Mac and ran "openssl x509
-in hgcert.pem -text". I copied the text from "BEGIN CERTIFICATE" to "END
CERTIFICATE" and pasted that into my cacert.pem file. This doesn't seem to
solve the problem.
I am woefully ignorant when it comes to certificates, so I'm sure I'm
misunderstanding what's required here.
As mentioned in the TortoiseHg bug thread above, I can successfully push and
pull by adding the following to my hgrc:
[web]
cacerts=
However, this results in several ugly warning messages about skipping cert
verification that I'd rather not have to see if possible.
Can anybody help?
Brian Sullivan
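
A diagnostic for the cacert.pem step described in the message above, as an added example that is not part of the original post or of Mercurial or TortoiseHg: it checks by SHA-256 fingerprint whether an exported certificate is really present in a CA bundle, and reports a block that was damaged when pasted. The function names and the sample bundles are assumptions constructed for illustration; the placeholder bytes are not real certificates.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Decode every certificate block in text; text outside the markers
    (such as an `openssl x509 -text` dump) is skipped."""
    ders = []
    for n, body in enumerate(PEM_RE.findall(text), 1):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error as exc:
            raise ValueError("certificate block %d is damaged: %s" % (n, exc))
    return ders

def fingerprint(der):
    """SHA-256 over the decoded bytes, so line wrapping does not matter."""
    return hashlib.sha256(der).hexdigest()

def bundle_contains(bundle_text, cert_text):
    """True if the one certificate in cert_text is also in bundle_text."""
    certs = pem_certs(cert_text)
    if len(certs) != 1:
        raise ValueError("expected one certificate, found %d" % len(certs))
    return fingerprint(certs[0]) in {fingerprint(d) for d in pem_certs(bundle_text)}

def to_pem(der):
    """Wrap bytes in PEM armour (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed sample data: placeholder bytes, not real X.509 certificates.
PUBLIC_CA = to_pem(b"constructed-public-ca" * 8)
SERVER_CERT = to_pem(b"constructed-self-signed-server" * 8)
TEXT_DUMP = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + SERVER_CERT
ORIGINAL_BUNDLE = PUBLIC_CA                      # bundle before the edit
PATCHED_BUNDLE = PUBLIC_CA + TEXT_DUMP           # certificate appended
DAMAGED_BUNDLE = PUBLIC_CA + SERVER_CERT.replace("Y", "*", 1)  # paste error

if __name__ == "__main__":
    print(bundle_contains(ORIGINAL_BUNDLE, SERVER_CERT))
    print(bundle_contains(PATCHED_BUNDLE, SERVER_CERT))
```

For a real check, read the cacert.pem file that hgrc names into bundle_text and the exported hgcert.pem into cert_text. Python's ssl.get_server_certificate((host, 443)) returns the certificate the server actually presents, in PEM, for the same comparison.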