Tag: teamcity mercurial

  • Using Mercurial over HTTPS with TeamCity

    Uh oh, it’s b0rked

    I use Mercurial as my VCS for all my personal projects and JetBrains TeamCity for my build server. Naturally, I need TeamCity to talk to the VCS. There are two basic ways you can serve Mercurial repos: over HTTP(S) using something like hgweb.cgi and over SSH. I use SSH with public key authentication for all of my development boxes and it works great. However, SSH public key auth requires that I have a full-blown shell account on the VCS server. I really didn’t want to have a shell account dedicated for the TeamCity user, so I preferred using HTTPS. Starting with 1.6.4, Mercurial began (smartly) verifying SSL certificates. This coupled with my use of self-signed certificates caused me to get errors in TeamCity from Mercurial when it was trying to pull from the VCS server:

    ‘cmd /c hg pull https://mercurial.mydomain.com/hg/ModuleUtilities’
    command failed.
    stderr: abort: error: _ssl.c:490: error: 14090086:SSL
    routines:SSL2_GET_SERVER_CERTIFICATE:certificate verify failed

    Teamcity Mercurial Error
    Teamcity Mercurial Error

    Ahh, I think I know what’s going on here…

    The fix for this actually fairly simple: add the self-signed cert to the trusted chain. The tricky bit however, is that Mercurial doesn’t use the Windows certificate store so adding an entry like you would for say, Internet Explorer, won’t work. Instead, Mercurial uses a cacert.pem file. For these instructions, I’m using TortoiseHg as my Mercurial client on the build server. The basic concept however, applies regardless of the specific client so it should be fairly easy to adapt to your environment.

    A Walk-through the park

    The first step is to get the necessary certificate information. I did this by browsing to the URL of one of the repositories in Internet Explorer. For example:

    https://mercurial.mydomain.com/hg/myrepo

    Once there, I clicked on the “Security Report” lock icon next to the URL and selected “View Certificates”.

    IE Security Report
    IE Security Report

    Which brings up a window like this:
    View Certificate
    View Certificate

    You then click on the “Details” tab and select “Copy to File”:
    View Certificate - Copy to File
    View Certificate – Copy to File

    In the “Certificate Export Wizard”, it’s important that you select the “Base-64 encoded X.509(.CER)” format as this is the format used by the cacert.pem file.
    Certificate Export Wizard
    Certificate Export Wizard

    Then it’s simply a matter of going to the TeamCity build server and opening the cacert.pem located in

    C:\Program Files\TortoiseHg\hgrc.d\cacert.pem

    and adding a name for the cert followed by the contents of the .cer saved in the previous step. For example:

    mercurial.mydomain.com
    =======================
    —–BEGIN CERTIFICATE—–
    MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg
    Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG
    A1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEz
    MjM1OTAwWjB1MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQL
    Ex5HVEUgQ3liZXJUcnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0
    IEdsb2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrHiM3dFw4u
    sJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTSr41tiGeA5u2ylc9yMcql
    HHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X404Wqk2kmhXBIgD8SFcd5tB8FLztimQID
    AQABMA0GCSqGSIb3DQEBBAUAA4GBAG3rGwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMW
    M4ETCJ57NE7fQMh017l93PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OF
    NMQkpw0PlZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
    —–END CERTIFICATE—–

    Save the file and then in a minute or so (by default the VCS check interval for TeamCity is 60s) you should see big smiles from TeamCity (or at least no more VCS errors)!

    Teamcity Mercurial over HTTPs
    Teamcity Mercurial over HTTPs