Continue operation on failed certificate verification

Lukas Brückner November 14, 2011

All my operations with the remote depository fail because of the following error:

abort: error: _ssl.c:499: error:14090086:SSL
routines:SSl3_GET_SERVER_CERTIFICATE:certificate verify failed

We are using a self-generated certificate, and somehow cannot suppress that warning.

However, using terminal, my operations work fine after displaying the error. In SourceTree, all operations halt and I cannot find any option to ignore certificate verification failures.
Any workarounds would be much appreciated.

Thanks,

Lukas

3 answers

1 accepted

0 votes
Answer accepted
stevestreeting
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 15, 2011

To set up your trust for the certificate, please take a look at this: http://mercurial.selenic.com/wiki/CACertificates#Mac_OS_X_10.6_and_higher

SourceTree already configures a dummy PEM to make Mercurial check your Keychain for trusted certificates (unless you set the option manually yourself), but some people who have encountered this in the past have found they also needed to add the [hostfingerprints] configuration as described in the above page.

jholewinski February 6, 2012

This doesn't seem to work for me. Same setup, self-signed certificate for serving repositories over HTTPS. I've tried setting web.cacerts in both my ~/.hgrc and ~/Library/Application Support/SourceTree/hgrc_sourcetree files (SourceTree seems to pick up elements of both), as well as a hostfingerprints entry like so:

[hostfingerprints]
<host>=<id>

The command-line hg command does not even give any warnings with this setup, but SourceTree errors out with the same SSL error:

abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://hpcrl-temp.cse.ohio-state.edu/hg/projects/ddg-analysis/info/refs
fatal: HTTP request failed

jholewinski February 6, 2012

This doesn't seem to work for me. Same setup, self-signed certificate for serving repositories over HTTPS. I've tried setting web.cacerts in both my ~/.hgrc and ~/Library/Application Support/SourceTree/hgrc_sourcetree files (SourceTree seems to pick up elements of both), as well as a hostfingerprints entry like so:

[hostfingerprints]
<host>=<id>

The command-line hg command does not even give any warnings with this setup, but SourceTree errors out with the same SSL error:

abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://hpcrl-temp.cse.ohio-state.edu/hg/projects/ddg-analysis/info/refs
fatal: HTTP request failed

jholewinski February 6, 2012

This doesn't seem to work for me. Same setup, self-signed certificate for serving repositories over HTTPS. I've tried setting web.cacerts in both my ~/.hgrc and ~/Library/Application Support/SourceTree/hgrc_sourcetree files (SourceTree seems to pick up elements of both), as well as a hostfingerprints entry like so:

[hostfingerprints]
<host>=<id>

The command-line hg command does not even give any warnings with this setup, but SourceTree errors out with the same SSL error:

abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://hpcrl-temp.cse.ohio-state.edu/hg/projects/ddg-analysis/info/refs
fatal: HTTP request failed

Kirk Stork May 8, 2012

What about for Git repositories? There's an environment variable for Git to deal with this

GIT_SSL_NO_VERIFY=1

But I can't get SourceTree to see it. I've tried setting it in my regular ~/.profile and also in .MacOSX/environment.plist

stevestreeting
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 9, 2012

Hmm, SourceTree passes on its environment to git calls, only adding new entries where required. ~/.profile doesn't affect GUI apps so SourceTree wouldn't inherit that, but environment.plist should work. The only alternative is /etc/launchd.conf as described here: http://stackoverflow.com/questions/135688/setting-environment-variables-in-os-x

0 votes
Bronwen Stine July 24, 2013

Under windows Soucetree, there is an option to disable this: Tools>Options>Git>Disable SSL Cert validation

0 votes
Gili September 15, 2012

NOTE: Under Windows 7, the "Local System Account" home directory isn't where you'd expect. It's under C:\Windows\System32\config\systemprofile

Make sure to place mercurial.ini there!

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events