Unable to Pull Mercurial Repository With Error: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

Adding a Mercurial repository to Fisheye fails and the following error can be seen in the logs:

2012-03-09 00:00:04,591 INFO  [InitialPinger1 REPOSITORY] fisheye.console BaseRepositoryScanner-ping - [REPOSITORY] starting initial scan of repository 
2012-03-09 00:00:05,453 ERROR [InitialPinger1 ] fisheye.app OneOffPingRequest-doRequest - Exception during slurp
com.cenqua.fisheye.config.ConfigException: Unable to pull from remote repository: https://USER@HOSTNAME/sys_sw/app/
 - [abort: error: _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]
	at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:155)
	at com.atlassian.fisheye.hg.HgScanner.performClone(HgScanner.java:124)
	at com.atlassian.fisheye.dvcs.DvcsScanner.cloneRepo(DvcsScanner.java:175)
	at com.atlassian.fisheye.dvcs.DvcsScanner.updateClone(DvcsScanner.java:155)
	at com.atlassian.fisheye.dvcs.DvcsScanner.updateLocalRepoCache(DvcsScanner.java:145)
	at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:179)
	at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:92)
	at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:379)
	at com.cenqua.fisheye.rep.ping.OneOffPingRequest.doRequest(OneOffPingRequest.java:28)
	at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:67)
	at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:138)
	at com.cenqua.fisheye.rep.RepositoryHandle.queuePingRequest(RepositoryHandle.java:128)
	at com.cenqua.fisheye.rep.ping.PingRequest.run(PingRequest.java:33)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:679)
Caused by: com.atlassian.utils.process.ProcessException: While executing: "hg --config ui.verbose=false pull https://USER:XXXX@HOST/sys_sw/app/ "
	at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:262)
	at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:254)
	at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:149)
	... 15 more
Caused by: com.atlassian.utils.process.ProcessException: Non-zero exit code: 255
	at com.atlassian.utils.process.PluggableProcessHandler.complete(PluggableProcessHandler.java:83)
	at com.atlassian.utils.process.ExternalProcessImpl.finish(ExternalProcessImpl.java:308)
	at com.atlassian.utils.process.ExternalProcessImpl.execute(ExternalProcessImpl.java:351)
	at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:259)
	... 17 more

Cause

The repository fails to be pulled because the Mercurial client is not able to verify the server's certificate.

Resolution

A trusted certificate needs to be added. From the command line, with the same user running Fisheye/Crucible:

If you're running Fisheye/Crucible as a service on Windows, create or edit <HG_INSTALLATION>/Mercurial.ini to add the trusted certificate. This will set the configuration globally for any user on the server.

fisheye@HOST:~/$ vim .hgrc
 
[hostfingerprints]
HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b

Where HOST.DOMAIN.COM is your host's name and respective fingerprint.

If the certificate is still not being verified, it will need to be added to the Mercurial client configuration as well:

root@HOST:~/$ vim /etc/mercurial/hgrc

[hostfingerprints]
HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b

For more information on Mercurial's handling of SSL certificates, please refer to the Mercurial Wiki page.

Last modified on Jul 31, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.