--- a/mercurial/url.py	Sun Mar 06 15:30:39 2011 +0100
+++ b/mercurial/url.py	Sun Mar 06 19:38:00 2011 +0100
@@ -560,9 +560,13 @@
             hostfingerprint = self.ui.config('hostfingerprints', host)
 
             if cacerts and not hostfingerprint:
+                cacerts = util.expandpath(cacerts)
+                if not os.path.exists(cacerts):
+                    raise util.Abort(_('could not find '
+                                       'web.cacerts: %s') % cacerts)
                 self.sock = _ssl_wrap_socket(self.sock, self.key_file,
                     self.cert_file, cert_reqs=CERT_REQUIRED,
-                    ca_certs=util.expandpath(cacerts))
+                    ca_certs=cacerts)
                 msg = _verifycert(self.sock.getpeercert(), host)
                 if msg:
                     raise util.Abort(_('%s certificate error: %s '

--- a/tests/hghave	Sun Mar 06 15:30:39 2011 +0100
+++ b/tests/hghave	Sun Mar 06 19:38:00 2011 +0100
@@ -202,7 +202,7 @@
     "outer-repo": (has_outer_repo, "outer repo"),
     "p4": (has_p4, "Perforce server and client"),
     "pygments": (has_pygments, "Pygments source highlighting library"),
-    "ssl": (has_ssl, "python >= 2.6 ssl module"),
+    "ssl": (has_ssl, "python >= 2.6 ssl module and python OpenSSL"),
     "svn": (has_svn, "subversion client and admin tools"),
     "svn-bindings": (has_svn_bindings, "subversion python bindings"),
     "symlink": (has_symlink, "symbolic links"),

--- a/tests/test-https.t	Sun Mar 06 15:30:39 2011 +0100
+++ b/tests/test-https.t	Sun Mar 06 19:38:00 2011 +0100
@@ -96,6 +96,12 @@
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
   $ cat ../hg0.pid >> $DAEMON_PIDS
 
+cacert not found
+
+  $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
+  abort: could not find web.cacerts: no-such.pem
+  [255]
+
 Test server address cannot be reused
 
   $ hg serve -p $HGPORT --certificate=$PRIV 2>&1