Unable to Pull Mercurial Repository With Error: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
Symptoms
Adding a Mercurial repository to Fisheye fails and the following error can be seen in the logs:
2012-03-09 00:00:04,591 INFO [InitialPinger1 REPOSITORY] fisheye.console BaseRepositoryScanner-ping - [REPOSITORY] starting initial scan of repository
2012-03-09 00:00:05,453 ERROR [InitialPinger1 ] fisheye.app OneOffPingRequest-doRequest - Exception during slurp
com.cenqua.fisheye.config.ConfigException: Unable to pull from remote repository: https://USER@HOSTNAME/sys_sw/app/
- [abort: error: _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]
at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:155)
at com.atlassian.fisheye.hg.HgScanner.performClone(HgScanner.java:124)
at com.atlassian.fisheye.dvcs.DvcsScanner.cloneRepo(DvcsScanner.java:175)
at com.atlassian.fisheye.dvcs.DvcsScanner.updateClone(DvcsScanner.java:155)
at com.atlassian.fisheye.dvcs.DvcsScanner.updateLocalRepoCache(DvcsScanner.java:145)
at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:179)
at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:92)
at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:379)
at com.cenqua.fisheye.rep.ping.OneOffPingRequest.doRequest(OneOffPingRequest.java:28)
at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:67)
at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:138)
at com.cenqua.fisheye.rep.RepositoryHandle.queuePingRequest(RepositoryHandle.java:128)
at com.cenqua.fisheye.rep.ping.PingRequest.run(PingRequest.java:33)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)
Caused by: com.atlassian.utils.process.ProcessException: While executing: "hg --config ui.verbose=false pull https://USER:XXXX@HOST/sys_sw/app/ "
at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:262)
at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:254)
at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:149)
... 15 more
Caused by: com.atlassian.utils.process.ProcessException: Non-zero exit code: 255
at com.atlassian.utils.process.PluggableProcessHandler.complete(PluggableProcessHandler.java:83)
at com.atlassian.utils.process.ExternalProcessImpl.finish(ExternalProcessImpl.java:308)
at com.atlassian.utils.process.ExternalProcessImpl.execute(ExternalProcessImpl.java:351)
at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:259)
... 17 more
Cause
The repository fails to be pulled because the Mercurial client is not able to verify the server's certificate.
Resolution
A trusted certificate needs to be added. From the command line, with the same user running Fisheye/Crucible:
If you're running Fisheye/Crucible as a service on Windows, create or edit <HG_INSTALLATION>/Mercurial.ini
to add the trusted certificate. This will set the configuration globally for any user on the server.
fisheye@HOST:~/$ vim .hgrc
[hostfingerprints]
HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b
Where HOST.DOMAIN.COM
is your host's name and respective fingerprint.
If the certificate is still not being verified, it will need to be added to the Mercurial client configuration as well:
root@HOST:~/$ vim /etc/mercurial/hgrc
[hostfingerprints]
HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b
For more information on Mercurial's handling of SSL certificates, please refer to the Mercurial Wiki page.