pretxnchangegroup.scm hook failed when pushing - no proxy used

Issue #750 new
Anonymous created an issue

I'm getting problems when pushing files to the web repository using TortoiseHg. My set-up of the SCM-Manager is the following: Windows 2008 Server R2, Jetty configured to serve with https, Python 2.7.10, Mercurial 3.4.2, no proxy configured/needed.

When I try to push files I get "pretxnchangegroup.scm hook failed" on the server side and "<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>transaction abort!" on the client side (TortoiseHg).

Comments (3)

  1. Andrey

    As a temporary workaround I comment out in "hgrc":

    [hooks]
    #changegroup.scm = python:scmhooks.callback
    #pretxnchangegroup.scm = python:scmhooks.callback
    

    But it is not a fix for the problem.

  2. James Bromberger

    I see this same error message, and have done with SCM Manager 1.4x and 1.5x (including current 1.51 release). No meaningful server side logs, client is Mercurial, server side is Mercurial on Linux (RedHat). Client side says:

    pushing to https://server:port/scm/hg/ProjectRepo
    searching for changes
    remote: adding changesets
    remote: adding manifests
    remote: adding file changes
    remote: added 1 changesets with 5 changes to 5 files
    remote: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
    remote: transaction abort!
    remote: rollback completed
    remote: pretxnchangegroup.scm hook failed
    abort: push failed on remote

    The server has an SSL certificate; and it appears that Jetty just doesn't read from the JKS to get the CA cert that issued it. The solution appears to be to restart or reload SCM-Manager multiple times until it works - which feels like a race condition between defining the HTTPS listener, and reading the JKS file for the CA public cert that issued the site SSL certificate.

  3. Frank Hofmann

    Same issue with scm-server 1.6 and mercurial 3.7.3 on Ubuntu 16.04.4 LTS.

    scm-server.err shows an entry when doing the push, though it is only classified as a warning:

    2018-06-04 07:29:51.504:WARN:oeji.nio:javax.net.ssl.SSLException: Received fatal alert: unknown_ca

    I tried to configure my certificate as a trusted one by putting my sha1 certificate fingerprint into hgrc, according to this posting:

    https://confluence.atlassian.com/fishkb/unable-to-pull-mercurial-repository-with-error-ssl3_get_server_certificate-certificate-verify-failed-278693773.html

    But that didn't help.

    No idea how this can be circumvented. Please help.
