Looks like hg clone is a non-SNI request, so I looked up pubserv.nginx.com's SSL cert, which has a *.nginx.com common name, so maybe best to add *.nginx.org as well to the pubserv.nginx.com server's SSL cert?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283692#msg-283692