As of 1/18/2017 0300 UTC, the hostfingerprint will be changed to:
You are getting one of the following errors or warnings when you
abort: certificate for yoursite.kilnhg.com has unexpected fingerprint D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F (check hostfingerprint configuration)
warning: yoursite.kilnhg.com certificate with fingerprint D1:87:B5:AA:32:A6:5A:59:54:65:9F:CA:85:A1:20:74:F0:D5:CB:4F not verified (check hostfingerprints or web.cacerts config setting)
warning: yoursite.kilnhg.com certificate not verified (check web.cacerts config setting)
This doesn’t mean the certificate is invalid, it just means that Mercurial is not configured to check and verify certificates. You can fix this by adding the following to your
Another option is to configure Mercurial to check all certificates. This is a new “feature” in Mercurial 1.7.3. If you don’t have web.cacerts enabled in your
~/.hgrc or Mercurial.ini file, then Mercurial will warn you, loudly, that the certificate was not verified. To silence the warning and start checking certificates:
Mercurial 3.4 +
Mercurial 3.4_+ requires Python 2.7.9+ in order to access the CA system store. Users Mercurial 3.4+ with earlier versions of Python will always see the “certificate not verified” warning.
As of Mercurial 3.4+ certificates are checked against the CA and ROOT system stores. This means as long as your operating system certificates are up to date (run those updates!) and the server you’re connecting to presents certificates signed by one of the root certificate authorities (ours are) Mercurial should be able to connect and successfully validate the certificate. You’ll need no further setup!
If you’ve upgraded from a previous version, you may get an error about cacert.pem. This is a bundle of root certificates that were distributed prior to Mercurial 3.4’s update to use the operating system stores. The TortoiseHg installer helpfully removes the cacert.pem file though it doesn’t change your configurations or alert you to the fact that your configuration is now invalid. To fix this error, remove the “cacerts” configuration according to the instructions for your operating system shown below.
Mercurial 3.2 and earlier
Add the correct section below to your
On Debian and Ubuntu you can use this global configuration:
cacerts = /etc/ssl/certs/ca-certificates.crt
On Fedora and RHEL you can use this global configuration:
cacerts = /etc/pki/tls/certs/ca-bundle.crt
Mac OS X before 10.6
You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing Export Items… from the File menu. Make sure the File Format is set to Privacy Enhanced Mail (.pem), then save it to your Desktop as Certificates. Next, in Terminal enter
sudo cp ~/Desktop/Certificates.pem /etc/hg-ca-roots.pem
then configure Mercurial as follows:
cacerts = /etc/hg-ca-roots.pem
Note that because the vendor supplied set of CA root certificates on Mac OS X is in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list.
Mac OS X 10.6 and higher
On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn’t allow for this situation—it always expects you to specify a certificate bundle, and if one is specified if must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)
openssl req -new -x509 -extensions v3_ca -keyout /dev/null -out dummycert.pem -days 3650
to generate a dummy certificate (the contents don’t matter, so you can just hit return at all of the prompts), then
sudo cp dummycert.pem /etc/hg-dummy-cert.pem
and set your configuration as follows:
cacerts = /etc/hg-dummy-cert.pem
Don’t download a dummy certificate someone on the Internet has created to solve this problem unless you’re certain that they’re trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above.
The Windows installer for Mercurial 1.7.3 (and corresponding TortoiseHg installers) are now safe by default. They now check the validity of the identity of the server you connect to with the root certificates.
The Windows installers for Mercurial 1.7.3 (and corresponding TortoiseHg installers) contain a cacert.pem and by default configure web.cacerts in hgrc.d\paths.rc . Note that per the default settings installed, connecting to repositories with self-signed certificates fail with 1.7.3. You need to adjust the default configuration for that case. If you’re hitting this error, you can try adding the following lines to your Mercurial.ini file:
[web] cacerts=C:\Program Files\TortoiseHg\hgrc.d\cacert.pem
This will include the cacert.pem certificate when running hg commands. Add the two lines above to the bottom of the Mercurial.ini file in your %USERPROFILE% folder and it should work.