When I tried to push my last post to Bitbucket I received this ugly error:
abort: error: _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Gross as it is, the message is straightforward: the SSL certificate failed to verify. I imagine the root cause is the whole OpenSSL mess and everyone reissuing their certificates, but it posed an immediate practical local problem: I couldn’t push to my source control.
Git(hub) seemed to be fine, but any Mercurial commands involving the network — either trying to connect to Bitbucket or Kiln — would fail.
The culprit turned out to be this line in my Mercurial config:

    [web]
    cacerts = /etc/hg-dummy-cert.pem

Which, as dumb as it looks, is the recommended way to make Mercurial check certificates against the system keychain.
Regenerating the permissions file didn’t help. Maybe this approach will work again in the future, once the wave of reissued certificates has broken, but for now there’s a straightforward solution:
- Remove the cacerts line from your Mercurial config;
- Use a Mercurial command such as hg incoming that causes it to wail about a server's certificate not being verified;
- Using the details from that message, add a hostfingerprints section to your config (check the fingerprint against one published by the server's operator before trusting it; the warning only reports what certificate this connection saw, not whether it is genuine);
- Repeat with each server you connect to.
You should end up with something like this:
    [hostfingerprints]
    bitbucket.org = 45:AD:AE:1A:CF:0E:73:47…
    robjwells.kilnhg.com = c3:83:2c:5a:2d:0…
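To make the pinning step concrete, here is a small Python helper added to this post (it is neither the post's own code nor Mercurial's). It computes the SHA-1 fingerprint Mercurial prints, writes and reads a hostfingerprints section, and reproduces Mercurial's comparison (case-insensitive, colons ignored). The host names are the ones from the example above; the "certificate" bytes in the stand-alone run are constructed placeholders, not a real certificate.

```python
"""Helpers for pinning Mercurial host fingerprints (added example)."""
import configparser
import hashlib
import ssl


def fingerprint_from_der(der_bytes):
    """SHA-1 of the DER-encoded certificate, formatted the way Mercurial
    prints it: upper-case hex pairs separated by colons."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_fingerprint(host, port=443):
    """Fingerprint of the leaf certificate a live server presents.
    Needs network access, so it is not exercised offline. It deliberately
    does NOT verify the certificate: this is the same trust-on-first-use
    situation as copying the value out of Mercurial's warning, so confirm
    the result against a fingerprint the server's operator publishes."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def render_hostfingerprints(pins):
    """Build a [hostfingerprints] section from {host: [fingerprint, ...]}."""
    lines = ["[hostfingerprints]"]
    for host in sorted(pins):
        lines.append("%s = %s" % (host, ", ".join(pins[host])))
    return "\n".join(lines) + "\n"


def parse_hostfingerprints(hgrc_text):
    """Read the [hostfingerprints] section of hgrc text back into
    {host: [fingerprint, ...]}; Mercurial allows a comma-separated list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    pins = {}
    if cp.has_section("hostfingerprints"):
        for host, value in cp.items("hostfingerprints"):
            pins[host.lower()] = [fp.strip() for fp in value.split(",") if fp.strip()]
    return pins


def _normalise(fingerprint):
    # Mercurial compares case-insensitively and ignores the colons.
    return fingerprint.replace(":", "").lower()


def check_pin(pins, host, der_bytes):
    """Mirror Mercurial's hostfingerprints check for one connection.
    True: the presented certificate matches a pin for the host.
    False: a pin exists but does not match (Mercurial aborts here).
    None: no pin configured (Mercurial falls back to CA verification,
    or only warns when cacerts is unset)."""
    expected = pins.get(host.lower())
    if not expected:
        return None
    actual = _normalise(fingerprint_from_der(der_bytes))
    return any(actual == _normalise(fp) for fp in expected)


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    fake_der = b"constructed stand-in for DER certificate bytes"
    fp = fingerprint_from_der(fake_der)
    section = render_hostfingerprints({"bitbucket.org": [fp]})
    print(section)
    print(check_pin(parse_hostfingerprints(section), "bitbucket.org", fake_der))
```

Two things to keep in mind when using this for real: a pinned fingerprint breaks the moment the server reissues its certificate (which is exactly what was happening when the post was written), so expect to repeat the procedure, and Mercurial 3.9 and later deprecate [hostfingerprints] in favour of a [hostsecurity] section keyed as host:fingerprints with sha256: values.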
See Bitbucket’s post for a few more details.