swisstech.net

tech and photography

Mercurial and self-signed server certificates

2012-10-13

So mercurial aborts when you want to interact with a repository that uses a self-signed certificate, as is the case for my own little mercurial repo exposed over https.

NOTE: this is obviously insecure and you must verify the ssl cert’s fingerprint is correct. If you roll your own server, log into the server and get the fingerprint from the cert file itself, not over https since there could be a man in the middle.

Alright so you need to get a hold of the cert and extract its fingerprint. Over https it works like that:

1
2
3
4
5
6
7

user@local:/tmp$ openssl s_client -connect server:port -showcerts | openssl x509 -fingerprint -noout
depth=0 C = CH, ST = Example, L = Example, O = Example, OU = Example, CN = Example, emailAddress = root@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, ST = Example, L = Example, O = Example, OU = Example, CN = Example, emailAddress = root@example.com
verify return:1
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

And to get the fingerprint from your cert file directly on the server, do this:

1
2

user@remote:/tmp$ openssl x509 -in /path/to/the/cert.pem | openssl x509 -fingerprint -noout
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

So now you have the fingerprint you need to tell mercurial to accept said self-signed certificate for a given hostname, which you do in ~/.hgrc

1
2

[hostfingerprints]
mercurial.mydomain.com = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

And that’s it!