So. SSL certificates are still black magic to me. Especially when they cause trouble.
Like when one of the sysadmins has forgotten to add the certificate bundle to the
apache2 config.
Then you get stuff like this:
$ hg pull -u abort: error: _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Most web browsers do not notice this as they already have the intermediate CA files,
but /etc/ssl/certs/ca-certificates.crt seemingly doesn't.
The problem in this case was not that I was missing any certificates locally. The problem was that the web server was not ...