As of 11/20/2014 0300 UTC, the hostfingerprint will be changed to:

f1:01:76:c2:31:e9:cd:a4:8c:a1:22:45:af:f2:0c:c1:59:61:7a:dd

You are getting one of the following errors or warnings when you push to yoursite.kilnhg.com:

abort: certificate for yoursite.kilnhg.com has unexpected fingerprint f1:01:76:c2:31:e9:cd:a4:8c:a1:22:45:af:f2:0c:c1:59:61:7a:dd (check hostfingerprint configuration)

warning: yoursite.kilnhg.com certificate with fingerprint f1:01:76:c2:31:e9:cd:a4:8c:a1:22:45:af:f2:0c:c1:59:61:7a:dd not verified (check hostfingerprints or web.cacerts config setting)

warning: yoursite.kilnhg.com certificate not verified (check web.cacerts config setting)

This doesn’t mean the certificate is invalid; it just means that Mercurial is not configured to check and verify certificates. You can fix this by adding the following to your ~/.hgrc or C:\Users\username\Mercurial.ini file:

[hostfingerprints]
developers.kilnhg.com = f1:01:76:c2:31:e9:cd:a4:8c:a1:22:45:af:f2:0c:c1:59:61:7a:dd
yoursite.kilnhg.com = f1:01:76:c2:31:e9:cd:a4:8c:a1:22:45:af:f2:0c:c1:59:61:7a:dd
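
Before relying on a pinned entry, you can check that the certificate the server presents hashes to the value in your [hostfingerprints] section. The following is an added example, not part of the original article or of Mercurial itself; it assumes the fingerprint is the SHA-1 digest of the DER-encoded certificate (consistent with the 20-byte values above) and that the file is plain INI without %include lines. The function names and the host example.test are hypothetical.

```python
import configparser
import hashlib
import hmac
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, as colon-separated lowercase hex."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_fingerprint(hgrc_text: str, host: str):
    """Return the [hostfingerprints] entry for host, or None if there is none."""
    # '=' only as delimiter so the colons in the value are never split on;
    # interpolation off so values such as %USERPROFILE% do not raise.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                    strict=False)
    cfg.read_string(hgrc_text)
    return cfg.get("hostfingerprints", host.lower(), fallback=None)


def normalize(fp: str) -> str:
    """Ignore case, colons and spaces when comparing fingerprints."""
    return fp.replace(":", "").replace(" ", "").lower()


def check_pin(hgrc_text: str, host: str, der: bytes) -> str:
    """Return 'match', 'mismatch' or 'unpinned' for host and certificate."""
    pinned = pinned_fingerprint(hgrc_text, host)
    if pinned is None:
        return "unpinned"
    same = hmac.compare_digest(normalize(pinned),
                               normalize(cert_fingerprint(der)))
    return "match" if same else "mismatch"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate. The connection is NOT validated,
    so the result is only meaningful when compared with a fingerprint
    obtained from a trusted channel."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed sample input: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_HGRC = ("[hostfingerprints]\nexample.test = "
               + cert_fingerprint(SAMPLE_DER).upper() + "\n")

if __name__ == "__main__":
    print(check_pin(SAMPLE_HGRC, "example.test", SAMPLE_DER))
```

To check a live host, pass the contents of your own ~/.hgrc or Mercurial.ini and the result of fetch_der("yoursite.kilnhg.com") to check_pin.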

Another option is to configure Mercurial to check all certificates. This is a new “feature” in Mercurial 1.7.3. If you don’t have web.cacerts enabled in your ~/.hgrc or Mercurial.ini file, then Mercurial will warn you, loudly, that the certificate was not verified. To silence the warning and start checking certificates, add the correct section below to your ~/.hgrc.

Taken from the CACertificates page of the Mercurial wiki:

Debian/Ubuntu

On Debian and Ubuntu you can use this global configuration:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

Fedora/RHEL

On Fedora and RHEL you can use this global configuration:

[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt

Mac OS X before 10.6

You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing Export Items… from the File menu. Make sure the File Format is set to Privacy Enhanced Mail (.pem), then save it to your Desktop as Certificates. Next, in Terminal enter

sudo cp ~/Desktop/Certificates.pem /etc/hg-ca-roots.pem

then configure Mercurial as follows:

[web]
cacerts = /etc/hg-ca-roots.pem

Note that because the vendor supplied set of CA root certificates on Mac OS X is in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list.

Mac OS X 10.6 and higher

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn’t allow for this situation—it always expects you to specify a certificate bundle, and if one is specified it must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)

openssl req -new -x509 -extensions v3_ca -keyout /dev/null -out dummycert.pem -days 3650

to generate a dummy certificate (the contents don’t matter, so you can just hit return at all of the prompts), then

sudo cp dummycert.pem /etc/hg-dummy-cert.pem

and set your configuration as follows:

[web]
cacerts = /etc/hg-dummy-cert.pem

Don’t download a dummy certificate someone on the Internet has created to solve this problem unless you’re certain that they’re trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above.

Windows

The Windows installers for Mercurial 1.7.3 (and corresponding TortoiseHg installers) are now safe by default. They now verify the identity of the server you connect to against the root certificates.

The Windows installers for Mercurial 1.7.3 (and corresponding TortoiseHg installers) contain a cacert.pem and by default configure web.cacerts in hgrc.d\paths.rc. Note that per the default settings installed, connecting to repositories with self-signed certificates fails with 1.7.3. You need to adjust the default configuration for that case. If you’re hitting this error, you can try adding the following lines to your Mercurial.ini file:

[web]
cacerts=C:\Program Files\TortoiseHg\hgrc.d\cacert.pem

This will include the cacert.pem certificate when running hg commands. Add the two lines above to the bottom of the Mercurial.ini file in your %USERPROFILE% folder and it should work.

For dealing with self-signed certificates and other issues, check the CACertificates page of the Mercurial wiki.