Having resolved recent SSL certificate issues with Mercurial/TortoiseHG, I now encountered a similar issue with the wildcard certificate for *.google.com where getting a clone would result in an "SSL: Server certificate verify failed" error.
One way around this issue is to add the fingerprint for this certificate to your configuration. Currently for *.google.com this is 00:d5:88:35:29:b9:7f:03:92:60:c2:04:e4:b7:01:f0:07:53:15:a8, and one way to get it from a Unix command line is with:
openssl s_client -connect code.google.com:443 < /dev/null 2> /dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | tr "[:upper:]" "[:lower:]"
This corresponds to the thumbprint field in Chrome's certificate view; you just need to add colons.
Right-click in Explorer, select TortoiseHG » Global Settings, then click Edit File and add the following:
[hostfingerprints]
code.google.com = 00:d5:88:35:29:b9:7f:03:92:60:c2:04:e4:b7:01:f0:07:53:15:a8
This should make Mercurial/TortoiseHG work, at least until the certificate expires and you need to update it with the latest fingerprint.
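
The fingerprint handling described above, as an added Python example that is not part of the original post: it converts a browser thumbprint or openssl output into the colon-separated form used in the configuration, and returns the entry only when that reference value matches the SHA-1 of the certificate it was given. The host hg.example.org, the function names and the sample PEM (which wraps placeholder bytes, not a real certificate) are assumptions made for illustration.

```python
import hashlib
import re
import ssl

# Constructed sample: the PEM armour wraps the three bytes b"abc", not a real
# certificate. Only the PEM -> DER -> SHA-1 path is exercised here.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def colonize(hexdigits: str) -> str:
    """Split 40 hex digits into 20 colon-separated byte pairs."""
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def hg_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, lowercase, colon-separated."""
    return colonize(hashlib.sha1(der).hexdigest())


def normalize_thumbprint(text: str) -> str:
    """Accept a browser thumbprint or openssl's 'SHA1 Fingerprint=...' line."""
    value = text.split("=", 1)[-1]            # drop an openssl-style prefix
    hexdigits = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return colonize(hexdigits)


def pin_line(host: str, pem: str, reference: str) -> str:
    """Return the hostfingerprints entry only if both sources agree."""
    observed = hg_fingerprint(ssl.PEM_cert_to_DER_cert(pem))
    expected = normalize_thumbprint(reference)
    if observed != expected:
        raise ValueError("fingerprint mismatch for %s: %s != %s"
                         % (host, observed, expected))
    return "%s = %s" % (host, observed)


if __name__ == "__main__":
    # Reference typed the way a certificate viewer shows it (constructed to
    # match the sample bytes above).
    ref = "A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D"
    print("[hostfingerprints]")
    print(pin_line("hg.example.org", SAMPLE_PEM, ref))
```
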
For my own development I use Mercurial and TortoiseHG for my version control system. I also use, at the moment, a CAcert certificate to use HTTPS with my repositories. I am not sure what changed when, but apparently the certificates now get verified. So this causes obvious problems trying to push or pull due to "SSL: Server certificate verify failed" errors.
To make this work on a Windows 7 machine with TortoiseHG installed, first download the CAcert root PEM certificate and place it in some permanent directory. Next open the TortoiseHG global settings (right-click somewhere in Explorer and select TortoiseHG » Global Settings). In the window that opens click the Edit File button. If it does not exist yet, create a section similar to this:
[web]
cacerts = C:\path\to\cacert-root.pem
Click OK and any push and pull action with HTTPS URLs should work as they ought to.
With recent Mercurial 1.7 releases HTTPS support was tightened, so you are bound to encounter a warning of the form:
warning: bitbucket.org certificate not verified (check web.cacerts config setting).
Now, on http://mercurial.selenic.com/wiki/CACertificates there are details on what to configure for certain operating systems. Given I use FreeBSD, I altered my $HOME/.hgrc as follows:
[web]
cacerts = /etc/ssl/cert.pem
For OpenBSD this should be in the same place since release 3.8. But apparently NetBSD does not have such a file in base.