No way to trust a custom CA on https URL

Issue #437 resolved
lukhas created an issue

Hello, while attempting to clone an existing hg repo via https, I get the following error in the application logs (traceback not pasted):

URLError: <urlopen error [Errno 1] _ssl.c:490: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol>

The cause is most likely to be the custom CA we use to sign every internal certificate. I have found no way to specify an additional CA to trust in rhodecode or in the underlying urllib2.

Is there a workaround for this problem, beside using a non-https URL?

Comments (11)

  1. Marcin Kuzminski repo owner

    This is a little unclear to me.

    Hmm, are you talking about remote repos? Or about cloning from the command line and RhodeCode in general?

  2. lukhas reporter

    Sorry, I was in a hurry to report the issue before leaving, I'll post the complete traceback and a bit more details this Monday, once I get my hands back on all the details.

    Regards, lukhas.

  3. Marcin Kuzminski repo owner

    RhodeCode doesn't have support for global .hgrc files, but it has a DB equivalent in the rhodecode_ui table. So the solution can be to add the proper entry there (the structure is similar to the .hgrc file): section|key|value

  4. lukhas reporter

    Hello, a bit more details, at last.

    This error happens when we try to clone a remote repo (behind SSL with a custom CA) from rhodecode, even if the repo is on the same server. It is not happening when cloning from command line, because we have the custom CA stored in the global hgrc config file:

    cacerts = /etc/ssl/certs/CA-custom.pem

    Could you give us a bit more info about how to store the same info into the rhodecode_ui table?

    Cheers, Lucas.

  5. Marcin Kuzminski repo owner

    Something like this:

    INSERT INTO rhodecode_ui(ui_section, ui_key, ui_value, ui_active) VALUES ('web', 'cacerts', '/etc/ssl/certs/CA-custom.pem', TRUE);
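
    What the rhodecode_ui row above amounts to, as an added Python example that is not RhodeCode's own code: it models the four columns named in this thread in an in-memory SQLite table (the real schema is assumed to have more columns), renders the active rows as the hgrc text from comment 4, and checks that the cacerts path points at an existing PEM file.

```python
import pathlib
import sqlite3
import tempfile

def make_db():
    # Constructed stand-in for rhodecode_ui; only the four columns from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rhodecode_ui (ui_section TEXT, ui_key TEXT, "
                 "ui_value TEXT, ui_active INTEGER)")
    return conn

def add_cacerts(conn, bundle_path, active=True):
    # Same INSERT shape as comment 5: section 'web', key 'cacerts'.
    conn.execute("INSERT INTO rhodecode_ui(ui_section, ui_key, ui_value, ui_active) "
                 "VALUES ('web', 'cacerts', ?, ?)", (bundle_path, int(active)))

def render_hgrc(conn):
    """Render active rows as the equivalent hgrc text ([section] / key = value)."""
    rows = conn.execute("SELECT ui_section, ui_key, ui_value FROM rhodecode_ui "
                        "WHERE ui_active = 1 ORDER BY ui_section, ui_key").fetchall()
    lines, current = [], None
    for section, key, value in rows:
        if section != current:
            lines.append(f"[{section}]")
            current = section
        lines.append(f"{key} = {value}")
    return "\n".join(lines)

def check_cacerts(conn):
    """List problems with the configured CA bundle; an empty list means it looks usable."""
    rows = conn.execute("SELECT ui_value, ui_active FROM rhodecode_ui "
                        "WHERE ui_section = 'web' AND ui_key = 'cacerts'").fetchall()
    if not rows:
        return ["no web/cacerts row in rhodecode_ui"]
    problems = []
    for path, active in rows:
        if not active:
            problems.append(f"{path}: row exists but ui_active is false")
        elif not pathlib.Path(path).is_file():
            problems.append(f"{path}: file not found")
        elif b"-----BEGIN CERTIFICATE-----" not in pathlib.Path(path).read_bytes():
            problems.append(f"{path}: no PEM CERTIFICATE block")
    return problems

def make_demo_bundle():
    """Write a constructed placeholder PEM (not a real CA) and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    return fh.name
```

    The text render_hgrc returns is the same form you would put under [web] in /etc/mercurial/hgrc; the file check only confirms the bundle is readable by the process, not that it actually signs the remote server's certificate.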


  6. lukhas reporter

    I tried inserting this line (with the proper path), and restarting rhodecode, same error :( However, since the restart, it now takes several seconds to return the error, while it was instantaneous before that. Not sure if that's helpful...

  7. Zach Auclair

    This is a client side issue; the trusted certificates of the server you're connecting to must be in place on the client for both git and hg...

  8. Wolfgang Baron

    I don't find this issue to be so minor. We only serve our repositories over https using self-signed certificates, so we cannot update between repositories even on the same server, or is there a trick around that?

  9. Bryan Harclerode

    Does it work if you put the appropriate configuration lines in /etc/mercurial/hgrc? I know Rhodecode ignores the user config (~/.hgrc), but it might still respect the system-wide config.
