I wanted to set up Mercurial repositories on my server using HTTPS, using a StartSSL certificate. But when I tried to check out a repository using TortoiseHg or the official 'hg' client, I would get this error:

SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

Whereas if I browsed to the same URL using any web browser, the browser would have no complaints about the SSL certificate.
Turns out that Mercurial does not support Python 3 yet, requiring Python 2. And Python 2 does not support Server Name Indication, a feature of SSL/TLS that allows the web server to send an SSL certificate appropriate to the virtual host requested. Without SNI, my web server was sending its default SSL certificate, which did not match hg.qnan.org.
The solution for me was to configure my web server to send the Mercurial SSL certificate to the default virtual host, since (hopefully) 'hg' will be the only client accessing my web server without SNI support. Alternatively, you could configure your web server to use a custom path for the WSGI script rather than its own subdomain/vhost. Then the default SSL certificate should work fine, and you'd point people to the equivalent of qnan.org/hg/<repo>.
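
To confirm that a failure like this one is caused by missing SNI, and to check the fix afterwards, the Python 3 example below compares the certificate a server presents with and without SNI. It is an added example, not code from the original post; the sample certificate dictionaries are constructed, and the names on the default certificate are an assumption.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# The names on the default certificate are an assumption for illustration.
HG_CERT = {"subjectAltName": (("DNS", "hg.qnan.org"),)}
DEFAULT_CERT = {"subjectAltName": (("DNS", "qnan.org"), ("DNS", "www.qnan.org"))}


def fetch_cert(host, port=443, send_sni=True, timeout=10):
    """Return the parsed leaf certificate, with or without SNI in the ClientHello."""
    ctx = ssl.create_default_context()
    # Keep chain validation, but skip the hostname check so a mismatched
    # default-vhost certificate is returned for inspection, not rejected.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sni = host if send_sni else None  # None omits the SNI extension
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    first_ok = p[0] == h[0] or (p[0] == "*" and len(p) > 2)
    return first_ok and p[1:] == h[1:]


def covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def diagnose(hostname, cert_with_sni, cert_without_sni):
    """Classify the result of the two handshakes for one hostname."""
    if not covers(cert_with_sni, hostname):
        return "vhost certificate does not cover the hostname"
    if not covers(cert_without_sni, hostname):
        return "SNI-dependent: default certificate does not cover the hostname"
    return "ok for clients with and without SNI"
```

For a live check, pass the results of `fetch_cert(host, send_sni=True)` and `fetch_cert(host, send_sni=False)` to `diagnose`; after the default-vhost change described above, the second certificate should cover the Mercurial hostname as well.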