You are getting the following error during a push to a Kiln server.

Warning: mydomain.kilnhg.com certificate not verified (check web.cacerts config setting)

This is a new “feature” in Mercurial 1.7.3. If you don’t have web.cacerts enabled in your ~/.hgrc file, then Mercurial will warn you, loudly, that the certificate was not verified.

This doesn’t mean that the certificate is invalid, it just means that Mercurial didn’t check it. To silence the warning and start checking certificates, add the correct section below to your ~/.hgrc.

Taken from the CACertificates page of the Mercurial wiki:

Debian/Ubuntu

On Debian and Ubuntu you can use this global configuration:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

Fedora/RHEL

On Fedora and RHEL you can use this global configuration:

[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt

Mac OS X before 10.6

You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing Export Items… from the File menu. Make sure the File Format is set to Privacy Enhanced Mail (.pem), then save it to your Desktop as Certificates. Next, in Terminal enter

sudo cp ~/Desktop/Certificates.pem /etc/hg-ca-roots.pem

then configure Mercurial as follows:

[web]
cacerts = /etc/hg-ca-roots.pem

Note that because the vendor supplied set of CA root certificates on Mac OS X is in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list.

Mac OS X 10.6 and higher

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn’t allow for this situation—it always expects you to specify a certificate bundle, and if one is specified if must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)

openssl req -new -x509 -extensions v3_ca -keyout /dev/null -out dummycert.pem -days 3650

to generate a dummy certificate (the contents don’t matter, so you can just hit return at all of the prompts), then

sudo cp dummycert.pem /etc/hg-dummy-cert.pem

and set your configuration as follows:

[web]
cacerts = /etc/hg-dummy-cert.pem

Don’t download a dummy certificate someone on the Internet has created to solve this problem unless you’re certain that they’re trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above.

Windows

The Windows installer for Mercurial 1.7.3 (and corresponding TortoiseHg installers) are now safe by default. They now check the validity of the identity of the server you connect to with the root certificates.

The Windows installers for Mercurial 1.7.3 (and corresponding TortoiseHg installers) contain a cacert.pem and by default configure web.cacerts in hgrc.d\paths.rc . Note that per the default settings installed, connecting to repositories with self-signed certificates fail with 1.7.3. You need to adjust the default configuration for that case. If you’re hitting this error, you can try adding the following lines to your Mercurial.ini file:

[web]
cacerts=C:\Program Files\TortoiseHg\hgrc.d\cacert.pem

This will include the cacert.pem certificate when running hg commands. Add the two lines above to the bottom of the Mercurial.ini file in your %USERPROFILE% folder and it should work.

 

 

For dealing with self-signed certificates and other issues, check the CACertificates page of the Mercurial wiki.