Getting Mercurial 1.8.1 to work against a repository with a self-signed SSL certificate | Johan Driessen


For a project with some friends, we’ve set up our own private Mercurial repository. We’re publishing it using hgweb and Apache, and since we want it encrypted, we use a self-signed certificate. This had been working fine until recently, when I upgraded Mercurial from 1.6.x to 1.8.1, because it turns out that in Mercurial 1.7.2, they started throwing a big fat error when you try to work against a repository with a self-signed certificate:

C:\Users\Johan\HgReps\MsmqRestService>hg in
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICAT
E:certificate verify failed

There is a long thread at selenic.com discussing why you can’t push/pull to an HTTPS server with a self-signed certificate. But to save you (and myself) from having to read it (again), I thought I’d jot down the steps to get it working again.

  1. Open your repository in a web browser. I used Firefox 4.
  2. Save the certificate. In Firefox, do this by clicking the domain name, then more information, view certificate, the details tab, and export certificate. I’m sure you can figure out how to do it in another web browser as well. Be sure to select X.509 Certificate (PEM) when exporting.
    A totally unnecessary picture showing how to display the certificate in Firefox 4. But the post looks much nicer with an image in it!
  3. Edit the cacert.pem file for TortoiseHg (if that’s the way you installed Mercurial).
    On my machine, the full path is C:\Program Files\TortoiseHg\hgrc.d\cacert.pem.
  4. Copy the contents from your exported certificate file, and paste them to the bottom of cacert.pem.
  5. Rejoice!
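
Steps 2 to 4 can be scripted with a check that the exported certificate is the one the server really uses. This is an added example, not code from the original post or from Mercurial; the function name `pem_to_append` and the out-of-band SHA-256 fingerprint argument are assumptions of the example.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(pem_block):
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()


def pem_to_append(bundle_text, exported_pem, expected_fp):
    """Return the text to append to the CA bundle, or "" if already trusted.

    expected_fp is the SHA-256 fingerprint obtained out-of-band (assumption:
    e.g. read on the server itself); colons, spaces and case are ignored.
    """
    blocks = PEM_BLOCK.findall(exported_pem)
    if len(blocks) != 1:
        raise ValueError("export must contain exactly one certificate")
    actual = fingerprint(blocks[0])
    wanted = re.sub(r"[^0-9a-f]", "", expected_fp.lower())
    if actual != wanted:
        # What the browser saved is not what the server admin published.
        raise ValueError("fingerprint mismatch, got " + actual)
    # cacert.pem mixes comments and PEM blocks; compare by fingerprint so
    # re-running the step never appends a duplicate.
    if actual in {fingerprint(b) for b in PEM_BLOCK.findall(bundle_text)}:
        return ""
    lead = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return lead + blocks[0] + "\n"


if __name__ == "__main__":
    import sys
    # Usage: script.py <cacert.pem> <exported.pem> <expected-sha256>
    bundle_path, export_path, expected = sys.argv[1:4]
    # latin-1 round-trips any byte, so comments in the bundle cannot fail.
    with open(bundle_path, encoding="latin-1") as f:
        bundle = f.read()
    with open(export_path, encoding="latin-1") as f:
        addition = pem_to_append(bundle, f.read(), expected)
    if addition:
        with open(bundle_path, "a", encoding="latin-1") as f:
            f.write(addition)
    print("added" if addition else "already in bundle")
```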