Unable to Pull Mercurial Repository With Error: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

Adding a Mercurial repository to Fisheye fails and the following error can be seen in the logs:

    2012-03-09 00:00:04,591 INFO [InitialPinger1 REPOSITORY] fisheye.console BaseRepositoryScanner-ping - [REPOSITORY] starting initial scan of repository
    2012-03-09 00:00:05,453 ERROR [InitialPinger1 ] fisheye.app OneOffPingRequest-doRequest - Exception during slurp
    com.cenqua.fisheye.config.ConfigException: Unable to pull from remote repository: https://USER@HOSTNAME/sys_sw/app/ - [abort: error: _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]
        at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:155)
        at com.atlassian.fisheye.hg.HgScanner.performClone(HgScanner.java:124)
        at com.atlassian.fisheye.dvcs.DvcsScanner.cloneRepo(DvcsScanner.java:175)
        at com.atlassian.fisheye.dvcs.DvcsScanner.updateClone(DvcsScanner.java:155)
        at com.atlassian.fisheye.dvcs.DvcsScanner.updateLocalRepoCache(DvcsScanner.java:145)
        at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:179)
        at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:92)
        at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:379)
        at com.cenqua.fisheye.rep.ping.OneOffPingRequest.doRequest(OneOffPingRequest.java:28)
        at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:67)
        at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:138)
        at com.cenqua.fisheye.rep.RepositoryHandle.queuePingRequest(RepositoryHandle.java:128)
        at com.cenqua.fisheye.rep.ping.PingRequest.run(PingRequest.java:33)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:679)
    Caused by: com.atlassian.utils.process.ProcessException: While executing: "hg --config ui.verbose=false pull https://USER:XXXX@HOST/sys_sw/app/ "
        at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:262)
        at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:254)
        at com.atlassian.fisheye.hg.HgScanner.fetchLatest(HgScanner.java:149)
        ... 15 more
    Caused by: com.atlassian.utils.process.ProcessException: Non-zero exit code: 255
        at com.atlassian.utils.process.PluggableProcessHandler.complete(PluggableProcessHandler.java:83)
        at com.atlassian.utils.process.ExternalProcessImpl.finish(ExternalProcessImpl.java:308)
        at com.atlassian.utils.process.ExternalProcessImpl.execute(ExternalProcessImpl.java:351)
        at com.atlassian.fisheye.dvcs.client.DvcsContext.executeCommand(DvcsContext.java:259)
        ... 17 more

Cause

The repository fails to be pulled because the Mercurial client is not able to verify the server's certificate.

Resolution

A trusted certificate needs to be added. Do this from the command line, as the same user that runs Fisheye/Crucible:

If you're running Fisheye/Crucible as a service on Windows, create or edit <HG_INSTALLATION>/Mercurial.ini to add the trusted certificate. This will set the configuration globally for any user on the server.

    fisheye@HOST:~/$ vim .hgrc

    [hostfingerprints]
    HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b

Here HOST.DOMAIN.COM is your host's name, and the value after the equals sign is that host's certificate fingerprint.

If the certificate is still not being verified, the same entry needs to be added to the Mercurial client configuration as well:

    root@HOST:~/$ vim /etc/mercurial/hgrc

    [hostfingerprints]
    HOST.DOMAIN.COM = 6a:cf:b5:c1:11:0a:9b:af:60:a7:d4:73:d7:f5:cc:f6:55:79:48:0b
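To tell a missing pin from a stale one before editing either file, the added example below (not part of the original article, Fisheye or Mercurial) computes the SHA-1 fingerprint of a PEM certificate and compares it with the [hostfingerprints] entry for the host. The function names are illustrative, and it assumes the hgrc text is plain INI with no %include directives.

```python
import configparser
import hashlib
import ssl
import sys


def sha1_fingerprint(pem_cert: str) -> str:
    """SHA-1 of the DER certificate, colon-separated as in [hostfingerprints]."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Compare fingerprints without regard to case or colons."""
    return fp.replace(":", "").strip().lower()


def pinned_fingerprints(hgrc_text: str, host: str) -> list:
    """Return the fingerprints pinned for host in hgrc/Mercurial.ini text."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.read_string(hgrc_text)
    if not cfg.has_section("hostfingerprints"):
        return []
    # configparser lower-cases keys, which suits case-insensitive host names.
    raw = cfg["hostfingerprints"].get(host.lower(), "")
    return [normalize(v) for v in raw.replace(",", " ").split()]


def check_pin(hgrc_text: str, host: str, pem_cert: str) -> str:
    """Classify the pin: 'match', 'mismatch' (stale or wrong cert) or 'missing'."""
    pins = pinned_fingerprints(hgrc_text, host)
    if not pins:
        return "missing"
    return "match" if normalize(sha1_fingerprint(pem_cert)) in pins else "mismatch"


if __name__ == "__main__":
    # Usage (script name is hypothetical): python check_pin.py HOST.DOMAIN.COM ~/.hgrc
    host, hgrc_path = sys.argv[1], sys.argv[2]
    # get_server_certificate() does not validate the chain: it returns whatever
    # the network presents, so confirm a new fingerprint with the server's
    # administrator before pinning it.
    pem = ssl.get_server_certificate((host, 443))
    with open(hgrc_path) as fh:
        print(check_pin(fh.read(), host, pem), sha1_fingerprint(pem))
```

Mercurial 3.9 and later also accept SHA-256 pins in a [hostsecurity] section; this example covers only the [hostfingerprints] form used on this page.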

For more information on Mercurial's handling of SSL certificates, please refer to the Mercurial Wiki page.

Updated on April 16, 2025
