Cannot pull/push to https server with self-signed certificate

Issue #63 resolved
Anonymous created an issue

Version: 1.9.679.2614

The same repository used to work with 1.1.7. When I try to pull from https server with a self-signed certificate I get the following error:

abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If it matters, the remote repository is a Subversion server which I'm interacting with hgsubversion.


Comments (20)

  1. Steve Borho

    Mercurial just recently started verifying SSL certificates, a rather gaping security hole. This is basically a configuration issue with the server, it's using an invalid certificate.

    You can work around this by disabling the root CA certificate file by setting in your ini file:

  2. Steve Borho

    Alternatively, I believe you can add the server's certificate to your cacerts file, or put the certificate in it's own file and reference that in the repository's .hg/hgrc file.

  3. Steve Borho

    I've pushed some changes to try to report better error message than what you got here, and we should be adding support for per-server CA certificates before the thg-2.0 / Mercurial 1.8 release.

  4. Brian Sullivan

    I'm running into this problem as well. I tried copying my self-signed cert into the cacert.pem file, but I still get the same message. Perhaps I'm doing the copying incorrectly?

    I'm exporting my cert from IIS in Base-64 encoded X.509 format, then downloaded that to my Mac and ran "openssl x509 -in hgcert.pem -text". I copied the text from "BEGIN CERTIFICATE" to "END CERTIFICATE" and pasted that into my cacert.pem file. I am woefully ignorant when it comes to certificates, so I'm sure I'm misunderstanding what's required here.

  5. Steve Borho

    Are you exporting the CA cert? You should probably bring this up on the Mercurial mailing list. There are a lot of users struggling with this right now, so it would be beneficial to have a public discussion about the correct approach.

  6. Kjartan F. Kvamme

    I'm getting the same thing. I've tried pointing "[web] cacerts =" in hgweb.config on the server to the .pem containing the self-signed certificate used by the web server, but that does not seem to make any difference.

    I've also tried to put "[web] cacerts =" in the local Mercurial.ini - that does seem to work, but repeatedly spews out the message "warning: certificate not verified (check web.cacerts config setting)" and seems to run very slowly.

    This hardly seems to be a proper solution to the problem.

  7. Steve Borho

    Adding [web] cacerts to hgweb.config is not expected to have any effect. Adding it to your user Mercurial.ini disables server certificate validation, essentially giving you the behavior of Mercurial <= 1.7.2, except it now issues a warning informing you that it is insecure.

    Any slowdowns will be unrelated to certificate validation, if anything not doing the validation should establish the connection faster.

    You will definitely want to read

  8. Kjartan F. Kvamme

    Displaying a warning is fine, but displaying it once at the start of the command would be enough - having it spam repeatedly every second is just unnecessary and annoying. I guess that one is probably something that needs to be fixed by the Mercurial guys though.

    This issue wouldn't be a big deal for me personally (I can always just change my Mercurial.ini), but the real issue is that there are multiple users of our company repositories. Unless there is some global (server-side) way to disable this check, we would have to either distribute the self-signed certificate file to the users (and instructions on how to use it), or instructions on how to edit Mercurial.ini to disable it. Either way it's impractical.

  9. Steve Borho

    1.9.2 now has a 'security' dialog in the sync tool, active whenever you have an https URL selected. It allows you to easily save a host finger print if the host certificate cannot be validated with CA certs.

    Marking as resolved.

  10. Dan Dumont
    • changed status to open

    The security dialog is not available when you try to clone a new repo with a self-signed cert. It would be nice if you could allow us to save the fingerprint from the clone screen as well.

  11. Steve Borho

    Don't re-open old issues to add new requests. Just create a new one and reference this one if necessary.

    We've already added an option to clone to ignore host certificate, so performing the initial clone is no longer a problem. Beyond that, I don't see a lot to gain by being able to configure host authentication from the clone tool.

  12. Anonymous

    How do you access the option to clone and ignore host certificate?

    This option is not visible in the options list when cloning using TortoiseHG 2.0.5.

  13. Anonymous

    I have 2.1.1 installed and am a fairly newbie. Is there a way to fix the push/pull issue without adding "[web] cacerts =" in the ini file? I always get SSL Cert cannot be verified warning. Thanks.

  14. nicolas_janin
    • changed status to open

    I have 2.1.1 and cannot push to Bitbucket either (although the pull worked with "[web] cacerts =" in the mercurial.ini file).

    The message displays:

    % hg --repository X:\progs\2.7\nagee27_env\py3o.template push pushing to warning: certificate with fingerprint b4:1d:20:04:91:d0:c8:85:a7:be:91:57:94:62:50:71:e6:e7:c3:49 not verified (check hostfingerprints or web.cacerts config setting) real URL is searching for changes http authorization required realm: HTTP warning: certificate with fingerprint b4:1d:20:04:91:d0:c8:85:a7:be:91:57:94:62:50:71:e6:e7:c3:49 not verified (check hostfingerprints or web.cacerts config setting) Erreur HTTP : 400 (Bad request) [la commande a retourné le code 255 Wed Aug 03 18:01:12 2011]

  15. Log in to comment