Created on 2008-08-24.14:53:31 by andreaspiening, last changed 2008-10-22.23:04:39 by andreaspiening.
| File name | Uploaded | Type |
| unnamed | JustinRovang, 2008-10-20.21:45:07 | text/html |
| msg7648 (view) |
Author: andreaspiening |
Date: 2008-10-22.23:04:30 |
|
Yes and No: "hg serve" serves over plain http, not https. Since I
still have "push_ssl = true" I still get the error "ssl required"
while trying to push over plain http. But this is ok here. Pushing
over http works perfectly well, but that's not what I want. (You can
see my post from 2008-10-14.19:38:32 on this).
Anyways I think I can exclude a trust-issue now: When I first tried to
start "hg serve" as root, I got the message "Not trusting file
/path/to/repository/.hg/hgrc from untrusted user apache, group apache". I
needed to do "sudo -u apache hg serve -v" and then it worked without
any errors. And this is the uid my apache-webserver runs at.
Am 23.10.2008 um 00:25 schrieb Matt Mackall:
>
> Matt Mackall <mpm@selenic.com> added the comment:
>
> Can you reproduce the problem using just 'hg serve'?
>
> ____________________________________________________
> Mercurial issue tracker <mercurial-bugs@selenic.com>
> <http://www.selenic.com/mercurial/bts/issue1274>
> ____________________________________________________
|
| msg7647 (view) |
Author: andreaspiening |
Date: 2008-10-22.22:51:26 |
|
I get no additional information here, that's why I'm stuck in debugging:
no chance to trace the error.
host$ hg -v --traceback push
pushing to https://xxxxyyyyzzz/testrepos
http authorization required
realm: My Mercurial Repositories
user: testuser
password:
searching for changes
1 changesets found
ssl required
Am 23.10.2008 um 00:26 schrieb JustinRovang:
>
> JustinRovang <thinice@gmail.com> added the comment:
>
> From a repo with outgoing changes:
> (Make sure this is going to push to your https address)
>
> hg -v --traceback push
>
>
> Then paste the output.
|
| msg7646 (view) |
Author: JustinRovang |
Date: 2008-10-22.22:26:13 |
|
From a repo with outgoing changes:
(Make sure this is going to push to your https address)
hg -v --traceback push
Then paste the output.
|
| msg7645 (view) |
Author: mpm |
Date: 2008-10-22.22:25:15 |
|
Can you reproduce the problem using just 'hg serve'?
|
| msg7644 (view) |
Author: andreaspiening |
Date: 2008-10-22.21:39:31 |
|
Ok, this makes perfect sense. I'm sorry I was a little confused by
the previous post.
I've changed the ownership of all dirs and files of the repository
including the hgrc config-file to apache:apache. This is the uid and
gid that the apache-webserver uses on my system. But this is exactly
what it was before I've changed the ownership to one of my repository-
users.
So, no luck with this.
Thank you anyways.
Am 20.10.2008 um 23:06 schrieb Matt Mackall:
>
> Matt Mackall <mpm@selenic.com> added the comment:
>
> If your web server runs hgweb as user 'nobody' or 'www', it will not
> trust most
> entries in .hg/hgrc unless that file is also owned by 'nobody' or
> 'www'.
> Otherwise, malicious users could do malicious things.
>
> The 'user' you're trying to push with has no relation to the problem
> as it's not
> even a real user in operating system terms.
|
| msg7604 (view) |
Author: JustinRovang |
Date: 2008-10-20.21:45:07 |
|
Maybe try something like this as root:
ps -A ux |grep apache
Output:
www-data 1659 0.0 0.2 32180 7524 ? S 16:24 0:00 /usr/sbin/apache2 -k start
___^--- Username to use
Then:
chown www-data: /path/to/my/repo/.hg/hgrc
On Mon, Oct 20, 2008 at 4:06 PM, Matt Mackall <mercurial-bugs@selenic.com> wrote:
>
> Matt Mackall <mpm@selenic.com> added the comment:
>
> If your web server runs hgweb as user 'nobody' or 'www', it will not trust
> most
> entries in .hg/hgrc unless that file is also owned by 'nobody' or 'www'.
> Otherwise, malicious users could do malicious things.
>
> The 'user' you're trying to push with has no relation to the problem as
> it's not
> even a real user in operating system terms.
|
| msg7603 (view) |
Author: mpm |
Date: 2008-10-20.21:06:17 |
|
If your web server runs hgweb as user 'nobody' or 'www', it will not trust most
entries in .hg/hgrc unless that file is also owned by 'nobody' or 'www'.
Otherwise, malicious users could do malicious things.
The 'user' you're trying to push with has no relation to the problem as it's not
even a real user in operating system terms.
|
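The trust rule described in msg7578 and msg7603, modelled as an added example (it is not part of the thread and not Mercurial's own code): it shows which push settings a server process would act on for the ownership combinations tried in this issue. The `[trusted]` section and the defaults (`push_ssl` true, `allow_push` empty) come from Mercurial's hgrc documentation rather than the thread; the function names and the group name `users` are assumptions.

```python
import configparser

# Constructed sample: the push-related [web] entries posted in msg6943.
SAMPLE_HGRC = """\
[web]
allow_pull = yes
allow_push = *
push_ssl = yes
"""

# Documented defaults for the two settings discussed in the thread:
# SSL is required for push, and nobody is allowed to push.
WEB_DEFAULTS = {"push_ssl": "true", "allow_push": ""}


def is_trusted(owner, group, process_user, trusted_users=(), trusted_groups=()):
    """Simplified model of the hgrc trust rule (not Mercurial's own code).

    A file is honoured when the reading process owns it, or when its owner
    or group is listed in the reader's [trusted] section ('*' matches all).
    """
    if owner == process_user:
        return True
    if "*" in trusted_users or "*" in trusted_groups:
        return True
    return owner in trusted_users or group in trusted_groups


def effective_web_settings(hgrc_text, owner, group, process_user,
                           trusted_users=(), trusted_groups=()):
    """Return the [web] push settings the server process would act on."""
    settings = dict(WEB_DEFAULTS)
    if not is_trusted(owner, group, process_user, trusted_users, trusted_groups):
        return settings  # untrusted file: push settings fall back to defaults
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(hgrc_text)
    if parser.has_section("web"):
        for key in WEB_DEFAULTS:
            if parser.has_option("web", key):
                settings[key] = parser.get("web", key)
    return settings


if __name__ == "__main__":
    # Ownership scenarios taken from the thread; group "users" is assumed.
    scenarios = [
        ("hgrc chowned to the push user, hgweb as apache", "testuser", "users", "apache", ()),
        ("hgrc owned by apache, hgweb as apache", "apache", "apache", "apache", ()),
        ("hgrc owned by apache, hg serve as root", "apache", "apache", "root", ()),
        ("push user listed under [trusted] users", "testuser", "users", "apache", ("testuser",)),
    ]
    for label, owner, group, proc, tusers in scenarios:
        print(label, "->", effective_web_settings(SAMPLE_HGRC, owner, group, proc, tusers))
```

In the untrusted cases the file's `allow_push = *` never takes effect, so the repository stays closed to pushes and SSL stays required whatever the file says.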
| msg7599 (view) |
Author: andreaspiening |
Date: 2008-10-20.19:42:40 |
|
I have changed different settings in the hgrc file of the specific
repositories to make sure they're interpreted and the settings do take
effect.
For instance if I change "push_ssl" to true I can't push over plain
http anymore. Now the message "ssl required" makes sense.
Anyways, I have chowned the hgrc to the user which I'm trying to push
with, but that doesn't do the trick.
Maybe I don't understand you right, since with my understanding I
should be able to push with different users, not only the one who owns
the hgrc-file.
Am 20.10.2008 um 00:00 schrieb Dirkjan Ochtman:
>
> Dirkjan Ochtman <dirkjan@ochtman.nl> added the comment:
>
> Mercurial, by default, doesn't read hgrc files that are owned by
> another user,
> to prevent hooks from running as other users and so on. If your hgrc
> specifying
> the pushing authorization options isn't read correctly, it won't
> work...
|
| msg7578 (view) |
Author: djc |
Date: 2008-10-19.22:00:14 |
|
Mercurial, by default, doesn't read hgrc files that are owned by another user,
to prevent hooks from running as other users and so on. If your hgrc specifying
the pushing authorization options isn't read correctly, it won't work...
|
| msg7577 (view) |
Author: andreaspiening |
Date: 2008-10-19.21:59:19 |
|
Hi Matt,
what exactly do you mean with "hgrc trust issue causing push_ssl to be
ignored"?
Am 18.10.2008 um 21:08 schrieb Matt Mackall:
>
> Matt Mackall <mpm@selenic.com> added the comment:
>
> My suspicion is that this is an hgrc trust issue causing push_ssl to
> be ignored.
>
> ----------
> assignedto: -> djc
> nosy: +mpm
|
| msg7513 (view) |
Author: mpm |
Date: 2008-10-18.19:08:09 |
|
My suspicion is that this is an hgrc trust issue causing push_ssl to be ignored.
|
| msg7444 (view) |
Author: andreaspiening |
Date: 2008-10-14.19:39:56 |
|
No progress so far:
Still the same problem while trying to push over https.
But pushing over http works!
Am 09.09.2008 um 11:52 schrieb Dirkjan Ochtman:
>
> Dirkjan Ochtman <dirkjan@ochtman.nl> added the comment:
>
> Any progress on this yet?
>
> ----------
> nosy: +djc
> topic: +http_proto
|
| msg7443 (view) |
Author: andreaspiening |
Date: 2008-10-14.19:38:32 |
|
Hello Justin,
I'm very sorry that I come back to you that late! I needed to continue
my project and switched to subversion.
Now I continue my work on mercurial but I'm not getting any further.
What do you mean with "url-lib"? I don't have any packages installed
with this name.
I tried pushing over (pure) HTTP and it worked flawlessly. Only thing
I needed to change was "push_ssl = false" just like you described.
Changed back to push over https: same thing. I always get the error
"ssl required". Oh and the vhost configuration is exactly the same, so
I think it can't be an apache configuration error. I still think the
reason could be my self-signed ssl-certificate, but I can't find any
proof of it.
Thank you in advance!
Andreas
Am 04.09.2008 um 17:10 schrieb JustinRovang:
>
> JustinRovang <thinice@gmail.com> added the comment:
>
> I was having a stubborn issue regarding this too, I still don't know
> what it
> really was - I think it was my urllib2.
>
> Try and establish a baseline first. Try and push over normal http
> first. Then
> enable the SSL.
>
> Try modifying the global hgrc file if you can
>
> [web]
> allow_push = *
> push_ssl = false
|
| msg7011 (view) |
Author: djc |
Date: 2008-09-09.09:52:41 |
|
Any progress on this yet?
|
| msg6944 (view) |
Author: JustinRovang |
Date: 2008-09-04.15:10:09 |
|
I was having a stubborn issue regarding this too, I still don't know what it
really was - I think it was my urllib2.
Try and establish a baseline first. Try and push over normal http first. Then
enable the SSL.
Try modifying the global hgrc file if you can
[web]
allow_push = *
push_ssl = false
|
| msg6943 (view) |
Author: andreaspiening |
Date: 2008-09-04.14:32:26 |
|
Hi Justin,
at present my .hg/hgrc looks like this:
[web]
allow_pull = yes
allow_push = *
push_ssl = yes
style = gitweb
allow_archive = gz zip bz2
description = Test
I tried to remove the line "push_ssl = yes" but it doesn't change the
behaviour.
My apache2-error-log does not write any lines while trying to push,
but in my /var/log/apache2/access_log I get this:
192.168.164.2 - - [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?cmd=capabilities HTTP/1.1" 401 473
192.168.164.2 - apiening [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?cmd=capabilities HTTP/1.1" 200 54
192.168.164.2 - - [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?cmd=heads HTTP/1.1" 401 473
192.168.164.2 - apiening [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?cmd=heads HTTP/1.1" 200 41
192.168.164.2 - - [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?nodes=9039681224188a2722bdb16f7da90fe06e905b58&cmd=branches HTTP/1.1" 401 473
192.168.164.2 - apiening [04/Sep/2008:14:09:47 +0200] "GET /bookdemo?nodes=9039681224188a2722bdb16f7da90fe06e905b58&cmd=branches HTTP/1.1" 200 164
192.168.164.2 - - [04/Sep/2008:14:09:48 +0200] "POST /bookdemo?cmd=unbundle&heads=666f726365 HTTP/1.1" 401 473
192.168.164.2 - apiening [04/Sep/2008:14:09:49 +0200] "POST /bookdemo?cmd=unbundle&heads=666f726365 HTTP/1.1" 200 29
This looks normal to me. I get something similar when I clone from
https, but this works! So I don't think I have a basic ssl-setup-issue.
Am 04.09.2008 um 16:18 schrieb JustinRovang:
>
> JustinRovang <thinice@gmail.com> added the comment:
>
> I am using a self-signed certificate that throws the browser
> warnings and have
> working https push.
>
> Few things to try and establish a baseline:
>
> Make sure this is in the repository's .hg/hgrc file:
> [web]
> allow_push = *
>
> Also - does your apache error log indicate anything when you do the
> push?
|
| msg6942 (view) |
Author: JustinRovang |
Date: 2008-09-04.14:18:09 |
|
I am using a self-signed certificate that throws the browser warnings and have
working https push.
Few things to try and establish a baseline:
Make sure this is in the repository's .hg/hgrc file:
[web]
allow_push = *
Also - does your apache error log indicate anything when you do the push?
|
| msg6941 (view) |
Author: andreaspiening |
Date: 2008-09-04.14:10:37 |
|
Hi Justin,
sure, I've set these directives. HTTPs works fine for me, at least if I
access hgwebdir with a browser to view my repositories. Only thing to
mention here is that I use a self-signed certificate. My Browser(s)
informs me about that and lets me import the certificate. After that,
no additional warnings occurred. But my idea is, that hg runs into
problems for one reason or another and refuses my self-signed
certificate. It drops me no hint what exactly causes the problem, it's
just an idea.
Does anyone use hg-pushing to https with a self-signed certificate?
Does it work or better may it cause the message "ssl required"?
Thank you in advance,
Andreas Piening
Am 03.09.2008 um 05:15 schrieb JustinRovang:
>
> JustinRovang <thinice@gmail.com> added the comment:
>
> SSLEngine on
> SSLCertificateFile
> SSLCertificateKeyFile
>
> You may want to look into these directives for your vhost
>
> ----------
> nosy: +JustinRovang
|
| msg6928 (view) |
Author: JustinRovang |
Date: 2008-09-03.03:15:15 |
|
SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
You may want to look into these directives for your vhost
|
| msg6863 (view) |
Author: andreaspiening |
Date: 2008-08-28.19:14:23 |
|
Hi Benoit, hi mercurial-list,
I commented the http-vhost-definition out. But it doesn't change
anything.
I expected this behaviour, since I never used a http:// url in my
tests, so the redirect never occurred.
I merely used the redirection to force people to use https while using
the web-interface.
Am 28.08.2008 um 11:02 schrieb Benoit Boissinot:
>
> Benoit Boissinot <bboissin@gmail.com> added the comment:
>
> follow-up in the mailing list:
> http://www.selenic.com/pipermail/mercurial/2008-August/021084.html
>
> Btw maybe this:
> Since I want always to use https for clone/pull AND push, I created a
> http-vhost which just redirects to this https-one. But I use https
> directly in my tests.
>
> is the problem.
|
| msg6861 (view) |
Author: tonfa |
Date: 2008-08-28.09:02:40 |
|
follow-up in the mailing list:
http://www.selenic.com/pipermail/mercurial/2008-August/021084.html
Btw maybe this:
Since I want always to use https for clone/pull AND push, I created a
http-vhost which just redirects to this https-one. But I use https
directly in my tests.
is the problem.
|
| msg6835 (view) |
Author: andreaspiening |
Date: 2008-08-24.14:53:31 |
|
I use mercurial 1.0.1-r2 and want to share my repositories with hgwebdir.cgi. I configured apache2 for ssl (https) and authentication and to
use the hgwebdir.cgi for directory-listing and I rewrite anything to hgwebdir.cgi. ATM it looks like this:
<VirtualHost *:443>
    ServerName hg.myrepository.de
    DocumentRoot "/var/hg/hg.myrepository.de/"
    RewriteEngine On
    RewriteRule ^/(.*) /hgwebdir.cgi/$1
    <Directory "/var/hg/hg.myrepository.de/">
        DirectoryIndex hgwebdir.cgi
        AddHandler cgi-script .cgi
        Options +ExecCGI +FollowSymLinks
        AllowOverride None
        # Controls who can get stuff from this server.
        Order allow,deny
        Allow from all
        AuthUserFile /var/hg/hg.myrepository.de/.htpasswd
        AuthName "My Mercurial Repositories"
        AuthType Basic
        Require valid-user
    </Directory>
    <IfModule mpm_peruser_module>
        ServerEnvironment apache apache
    </IfModule>
</VirtualHost>
Since I want always to use https for clone/pull AND push, I created a http-vhost which just redirects to this https-one. But I use https
directly in my tests.
Everything except pushing works out of the box:
I can access the hgwebdir and it shows up my testrepository.
The authentication works, and I can browse the repository and see changes that I've made on my testrepository directly on the filesystem.
I can clone the repository from https. The authentication comes up, works like a charm.
But when I do any sort of push, like
hg push https://hg.myrepository.de/testrepository/
I get this:
pushing to https://hg.myrepository.de/testrepository/
http authorization required
realm: My Mercurial Repositories
user: testuser
password:
searching for changes
ssl required
The message "ssl required" doesn't make much sense to me, since I use https and it works while accessing the repository for a clone or with
the web-interface.
What can be wrong here?
Thank you in advance!
|
|
| Date | User | Action | Args |
| 2008-10-22 23:04:39 | andreaspiening | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7648 |
| 2008-10-22 22:51:27 | andreaspiening | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7647 |
| 2008-10-22 22:26:13 | JustinRovang | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7646 |
| 2008-10-22 22:25:16 | mpm | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7645 |
| 2008-10-22 21:39:34 | andreaspiening | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7644 |
| 2008-10-20 21:45:09 | JustinRovang | set | files: + unnamed; nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7604 |
| 2008-10-20 21:06:17 | mpm | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7603 |
| 2008-10-20 19:42:43 | andreaspiening | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7599 |
| 2008-10-19 22:00:14 | djc | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7578 |
| 2008-10-19 21:59:19 | andreaspiening | set | nosy: mpm, tonfa, djc, andreaspiening, JustinRovang; messages: + msg7577 |
| 2008-10-18 19:08:09 | mpm | set | nosy: + mpm; messages: + msg7513; assignedto: djc |
| 2008-10-14 19:39:56 | andreaspiening | set | nosy: tonfa, djc, andreaspiening, JustinRovang; messages: + msg7444 |
| 2008-10-14 19:38:32 | andreaspiening | set | nosy: tonfa, djc, andreaspiening, JustinRovang; messages: + msg7443 |
| 2008-09-09 09:53:25 | djc | set | priority: urgent -> bug; nosy: tonfa, djc, andreaspiening, JustinRovang |
| 2008-09-09 09:52:41 | djc | set | topic: + http_proto; nosy: + djc; messages: + msg7011 |
| 2008-09-04 15:10:09 | JustinRovang | set | nosy: tonfa, andreaspiening, JustinRovang; messages: + msg6944 |
| 2008-09-04 14:32:26 | andreaspiening | set | nosy: tonfa, andreaspiening, JustinRovang; messages: + msg6943 |
| 2008-09-04 14:18:10 | JustinRovang | set | nosy: tonfa, andreaspiening, JustinRovang; messages: + msg6942 |
| 2008-09-04 14:10:39 | andreaspiening | set | nosy: tonfa, andreaspiening, JustinRovang; messages: + msg6941 |
| 2008-09-03 03:15:16 | JustinRovang | set | nosy: + JustinRovang; messages: + msg6928 |
| 2008-08-28 19:14:27 | andreaspiening | set | messages: + msg6863 |
| 2008-08-28 09:02:40 | tonfa | set | status: unread -> chatting; nosy: + tonfa; messages: + msg6861 |
| 2008-08-24 14:53:31 | andreaspiening | create | |