As of 1/18/2017 0300 UTC, the hostfingerprint will be changed to:


You are getting one of the following errors or warnings when you push to

abort: certificate for has unexpected fingerprint D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F (check hostfingerprint configuration)

warning: certificate with fingerprint D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F not verified (check hostfingerprints or web.cacerts config setting)

warning: certificate not verified (check web.cacerts config setting)

This doesn’t mean the certificate is invalid; it just means that Mercurial is not configured to check and verify certificates. You can fix this by adding the following to your ~/.hgrc or C:\Users\username\Mercurial.ini file:

[hostfingerprints]
=D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F
=D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F
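A [hostfingerprints] entry makes Mercurial trust the named host's certificate by its SHA-1 fingerprint instead of by CA validation, so the value you pin must be correct. The following script, added here as an illustration and not part of this page or of Mercurial itself, shows what that comparison does: it reads the [hostfingerprints] section from an hgrc, computes the fingerprint of a DER-encoded certificate in the same AA:BB:CC form Mercurial prints, and compares the two with the same normalisation (case and colons ignored). The host name hg.example.invalid and the hgrc text are constructed placeholders; the fingerprint is the one quoted above.

```python
import configparser
import hashlib
import socket
import ssl

# Constructed sample hgrc; "hg.example.invalid" is a placeholder host, not the
# hosting service's real name. The fingerprint value is the one shown on the page.
SAMPLE_HGRC = """
[hostfingerprints]
hg.example.invalid = D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F
"""


def normalize_fingerprint(fp):
    """Strip colons and whitespace and lowercase, so 'D1:87:..' and 'd187..' compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def format_fingerprint(der_bytes):
    """SHA-1 of the DER-encoded certificate, in Mercurial's AA:BB:CC display form."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_bytes, expected):
    """True if the certificate's fingerprint equals the pinned value (any formatting)."""
    return normalize_fingerprint(format_fingerprint(der_bytes)) == normalize_fingerprint(expected)


def load_pinned_fingerprints(hgrc_text):
    """Return {host: normalized fingerprint} from the [hostfingerprints] section."""
    parser = configparser.ConfigParser()
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    return {host.lower(): normalize_fingerprint(fp)
            for host, fp in parser.items("hostfingerprints")}


def fetch_server_der(host, port=443, timeout=10):
    """Fetch the leaf certificate the server presents, without CA validation.

    CA verification is deliberately off here because the point of a pin is to
    check the certificate itself; the caller must still compare the result with
    fingerprint_matches() before trusting the connection for anything else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host, hgrc_text, port=443):
    """Return (ok, actual_fingerprint) for a pinned host; KeyError if no pin exists."""
    pins = load_pinned_fingerprints(hgrc_text)
    expected = pins[host.lower()]
    der = fetch_server_der(host, port)
    return fingerprint_matches(der, expected), format_fingerprint(der)
```

Because the pin bypasses the CA check entirely, the value in [hostfingerprints] should come from an out-of-band announcement such as the one at the top of this page, not from the connection you are trying to verify; check_host() only tells you whether the live certificate matches what you already decided to trust, and a mismatch after the announced change date means the pin is stale and needs updating.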

Another option is to configure Mercurial to check all certificates. This is a new “feature” in Mercurial 1.7.3. If you don’t have web.cacerts enabled in your ~/.hgrc or Mercurial.ini file, then Mercurial will warn you, loudly, that the certificate was not verified. To silence the warning and start checking certificates:

Mercurial 3.4+

Mercurial 3.4+ requires Python 2.7.9+ in order to access the CA system store. Users of Mercurial 3.4+ with earlier versions of Python will always see the “certificate not verified” warning.

As of Mercurial 3.4+ certificates are checked against the CA and ROOT system stores. This means as long as your operating system certificates are up to date (run those updates!) and the server you’re connecting to presents certificates signed by one of the root certificate authorities (ours are) Mercurial should be able to connect and successfully validate the certificate. You’ll need no further setup!

If you’ve upgraded from a previous version, you may get an error about cacert.pem. This is a bundle of root certificates that was distributed prior to Mercurial 3.4’s switch to the operating system stores. The TortoiseHg installer helpfully removes the cacert.pem file, though it doesn’t change your configuration or alert you to the fact that your configuration is now invalid. To fix this error, remove the “cacerts” configuration according to the instructions for your operating system shown below.
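The two failure modes just described (a Python too old to read the OS trust store, and a web.cacerts setting left pointing at a bundle the installer deleted) are easy to check for before editing anything. The following diagnostic is an added example, not code from this page or from Mercurial; the hgrc snippets and the /nonexistent/constructed/... path are constructed placeholders.

```python
import configparser
import os
import ssl
import sys

# Constructed hgrc snippets (not from the page). The path stands in for a
# cacert.pem that an installer has since removed.
STALE_HGRC = """
[web]
cacerts = /nonexistent/constructed/path/cacert.pem
"""

CLEAN_HGRC = """
[ui]
username = example
"""


def python_supports_system_store():
    """Mercurial 3.4+ can only use the OS trust store on Python >= 2.7.9 (or 3.x)."""
    return sys.version_info >= (2, 7, 9)


def loaded_root_count():
    """Number of CA certificates Python's default context picked up from the OS store.

    Zero here means Mercurial 3.4+ will still say 'certificate not verified'
    even with no cacerts setting present: the OS certificate package is missing
    or out of date."""
    ctx = ssl.create_default_context()
    return ctx.cert_store_stats()["x509_ca"]


def stale_cacerts_path(hgrc_text):
    """Return the configured web.cacerts path if it names a missing file, else None.

    This is the post-upgrade failure: the setting survived, the bundle did not."""
    parser = configparser.ConfigParser()
    parser.read_string(hgrc_text)
    path = parser.get("web", "cacerts", fallback=None)
    if path is None:
        return None
    path = os.path.expanduser(path.strip())
    return None if os.path.isfile(path) else path


def diagnose(hgrc_text):
    """List of reasons Mercurial 3.4+ might not be validating, or a single all-clear."""
    problems = []
    if not python_supports_system_store():
        problems.append("Python %s cannot load the OS trust store; upgrade to 2.7.9+"
                        % sys.version.split()[0])
    stale = stale_cacerts_path(hgrc_text)
    if stale:
        problems.append("web.cacerts points at missing file %s; remove the setting" % stale)
    elif loaded_root_count() == 0:
        problems.append("no root certificates loaded from the OS store; "
                        "update the OS certificate package")
    return problems or ["no problems found"]


if __name__ == "__main__":
    # Run against your real file: diagnose(open(os.path.expanduser("~/.hgrc")).read())
    for line in diagnose(STALE_HGRC):
        print(line)
```

Feed diagnose() the contents of your ~/.hgrc or Mercurial.ini; a stale cacerts path is the case to fix by deleting the setting rather than by pointing it at another bundle, since on Mercurial 3.4+ the OS store is what you want to be used.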

Mercurial 3.2 and earlier

Add the correct section below to your ~/.hgrc.

Taken from the CACertificates page of the Mercurial wiki:


On Debian and Ubuntu you can use this global configuration:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt


On Fedora and RHEL you can use this global configuration:

[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt

Mac OS X before 10.6

You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing Export Items… from the File menu. Make sure the File Format is set to Privacy Enhanced Mail (.pem), then save it to your Desktop as Certificates. Next, in Terminal enter

sudo cp ~/Desktop/Certificates.pem /etc/hg-ca-roots.pem

then configure Mercurial as follows:

[web]
cacerts = /etc/hg-ca-roots.pem

Note that because the vendor-supplied set of CA root certificates on Mac OS X lives in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list.

Mac OS X 10.6 and higher

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn’t allow for this situation—it always expects you to specify a certificate bundle, and if one is specified it must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)

openssl req -new -x509 -extensions v3_ca -keyout /dev/null -out dummycert.pem -days 3650

to generate a dummy certificate (the contents don’t matter, so you can just hit return at all of the prompts), then

sudo cp dummycert.pem /etc/hg-dummy-cert.pem

and set your configuration as follows:

[web]
cacerts = /etc/hg-dummy-cert.pem

Don’t download a dummy certificate someone on the Internet has created to solve this problem unless you’re certain that they’re trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above.

Windows

The Windows installers for Mercurial 1.7.3 (and the corresponding TortoiseHg installers) are now safe by default. They check the validity of the identity of the server you connect to against the root certificates.

The Windows installers for Mercurial 1.7.3 (and the corresponding TortoiseHg installers) contain a cacert.pem and by default configure web.cacerts in hgrc.d\paths.rc. Note that with the default settings installed, connecting to repositories with self-signed certificates fails with 1.7.3. You need to adjust the default configuration for that case. If you’re hitting this error, you can try adding the following lines to your Mercurial.ini file:

[web]
cacerts=C:\Program Files\TortoiseHg\hgrc.d\cacert.pem

This will include the cacert.pem bundle when running hg commands. Add the two lines above to the bottom of the Mercurial.ini file in your %USERPROFILE% folder and it should work.



For dealing with self-signed certificates and other issues, check the CACertificates page of the Mercurial wiki.