Mads,<div><br></div><div>Thanks for the response! </div><div><br></div><div>After reading your message, I performed the steps exactly as described on the Mercurial wiki page you linked to. I navigated to our repo site in Firefox and exported the certificate at the root of the hierarchy (there was actually only one in the tree). Once exported, I got the hash on my Mac using openssl and copied that into the cacert.pem file on my Windows VM. This still results in the same error when trying to perform a remote operation.</div>
<div><br></div><div>Could this have something to do with line endings, since I'm copying the hash text from a Mac terminal window into my Windows text editor (GVim)? To address that possibility, I joined the whole hash onto one line and entered the carriage returns manually, but it didn't seem to have any effect. GVim says the file is [unix]; is that what it should be, even on a Windows system? I'm grasping at straws here.</div>
<div><br></div><div>I really appreciate your help. And I also appreciate the security concerns of the Mercurial developers, and think they made the right decision for the long run. I just hope the usability around using self-signed certs gets a bit easier; I think some of my coworkers might have a difficult time with this, even if I explained the steps to them. Keep in mind, these are guys who would have used TFS if I hadn't convinced them otherwise. ;-)</div>
<div><br></div><div>Brian</div><div><br><div class="gmail_quote">On Thu, Jan 6, 2011 at 7:53 PM, Mads Kiilerich <span dir="ltr"><<a href="mailto:mads@kiilerich.com">mads@kiilerich.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Brian Sullivan wrote, On 01/06/2011 07:31 PM:<div class="im"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This discussion actually started as a bug reported about TortoiseHG here: <a href="https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self" target="_blank">https://bitbucket.org/tortoisehg/thg/issue/63/cannot-pull-push-to-https-server-with-self</a> <br>
<br>
I installed the latest version of TortoiseHg (1.1.8) on a new Windows machine with no previous TortoiseHg or Mercurial installation. We're running our shared Mercurial server on Windows Server 2008 R2 under IIS 7.5 with SSL using a self-signed certificate. Things have been running just fine for other users at our company on previous versions of TortoiseHg.<br>
<br>
When I try to push or pull from this new THg 1.1.8 machine, I get the following error:<br>
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>
</blockquote>
<br></div>
Yes. The Windows installers started shipping with a cacerts file configured. That could be considered a convenient security improvement for some users, but it is a regression for those with self-signed certificates.<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Per the discussion linked to above, I tried to add my self-signed certificate to the C:\Program Files (x86)\TortoiseHg\hgrc.d\cacert.pem file provided by TortoiseHg. I exported my self-signed cert from IIS in Base-64 encoded X.509 format, then downloaded that to my Mac and ran "openssl x509 -in hgcert.pem -text". I copied the text from "BEGIN CERTIFICATE" to "END CERTIFICATE" and pasted that into my cacert.pem file. This doesn't seem to solve the problem.<br>
</blockquote>
<br></div>
If you export the certificate as Base64 X.509 it should be in the right format. But I guess you are exporting the server certificate. You need the root/CA certificate. <a href="http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates" target="_blank">http://mercurial.selenic.com/wiki/CACertificates#Self-signed_certificates</a> might give some hints.<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I am woefully ignorant when it comes to certificates, so I'm sure I'm misunderstanding what's required here.<br>
<br>
As mentioned in the TortoiseHg bug thread above, I can successfully push and pull by adding the following to my hgrc:<br>
[web]<br>
cacerts=<br>
<br>
However, this results in several ugly warning messages about skipping cert verification that I'd rather not have to see if possible.<br>
</blockquote>
<br></div>
It is interesting how people seem to be more motivated by "I don't want to be told I'm insecure" than by "I don't want to be insecure". ;-)<br><font color="#888888">
<br>
/Mads<br>
</font></blockquote></div><br></div>
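<div>Added example, written by the editor rather than taken from Brian's or Mads's messages: it exercises the "which certificate goes into cacert.pem" question with throwaway certificates generated on the spot by the openssl command-line tool. It assumes openssl is on PATH; hg.example.test, "Example Root CA" and the file names under $WORK are placeholders. It goes a little beyond the thread by also covering a CA-issued server certificate (to show why appending the server certificate instead of its root does not help) and by checking that a trusted PEM written with Windows CRLF line endings still verifies.</div>

```sh
#!/bin/sh
# Added example, not from the thread: reproduces the "which certificate goes
# into cacert.pem" question with throwaway certificates made on the spot.
# Assumes the openssl command-line tool is on PATH. hg.example.test,
# "Example Root CA" and the file names under $WORK are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed server certificate (stand-in for the IIS certificate).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=hg.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Throwaway private CA plus a server certificate it issues, to show the
# difference between "the server certificate" and "the root/CA certificate".
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=hg.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 7 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# A self-signed certificate is its own root: Subject and Issuer are identical,
# so it is the certificate that belongs in cacert.pem. Exit status 0 if $1
# is self-signed. The "subject="/"issuer=" prefixes are stripped so old and
# new openssl output formats compare the same way.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print only the BEGIN/END CERTIFICATE block of $1. That block, not the
# human-readable dump from "openssl x509 -text", is what gets appended.
pem_block() {
    openssl x509 -in "$1" -outform PEM
}

# Write a cacert.pem that trusts exactly the certificates given after the
# server certificate $1, then validate $1 against it. Prints OK or FAIL;
# FAIL is the openssl equivalent of Mercurial's "certificate verify failed".
verify_with_roots() {
    server=$1; shift
    : > "$WORK/cacert.pem"
    for c in "$@"; do pem_block "$c" >> "$WORK/cacert.pem"; done
    if openssl verify -CAfile "$WORK/cacert.pem" "$server" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Same check with the trusted PEM rewritten using Windows CRLF line endings,
# as a file pasted into GVim on Windows might end up. OpenSSL's PEM reader
# accepts both, so the result is OK whenever the LF version is.
verify_with_crlf_root() {
    pem_block "$2" | awk '{ printf "%s\r\n", $0 }' > "$WORK/cacert_crlf.pem"
    if openssl verify -CAfile "$WORK/cacert_crlf.pem" "$1" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

make_self_signed
make_ca_signed

# Self-signed server: the server certificate itself is the root to append.
echo "self-signed, trusting itself:        $(verify_with_roots "$WORK/self.pem" "$WORK/self.pem")"
echo "self-signed, trusting the wrong CA:  $(verify_with_roots "$WORK/self.pem" "$WORK/ca.pem")"
# CA-issued server: the server certificate alone is not enough, its root is.
echo "CA-issued, trusting the server cert: $(verify_with_roots "$WORK/leaf.pem" "$WORK/leaf.pem")"
echo "CA-issued, trusting its root CA:     $(verify_with_roots "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "self-signed, CRLF cacert.pem:        $(verify_with_crlf_root "$WORK/self.pem" "$WORK/self.pem")"
```

<div>Run it as <code>sh check_cacert.sh</code> (the file name is arbitrary). The useful diagnostic for a real server is the same <code>is_self_signed</code> check on the exported certificate: if Subject and Issuer differ, what was exported is a server certificate issued by something else, and it is that issuer's root that has to be appended to cacert.pem.</div>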