Bug 825277

Summary: Set web.cacerts so Mercurial trusts OS CA certificates by default
Product: Fedora
Component: mercurial
Version: 16
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Reporter: David North <dtn-rhbugs>
Assignee: Neal Becker <ndbecker2>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, mads, ndbecker2, vvitek
Last Closed: 2012-05-25 14:49:53 UTC

Description David North 2012-05-25 14:31:20 UTC
Description of problem:

Because Python's SSL support is unhelpful in this regard, Mercurial does not trust any certificate authorities by default.

This leaves the user either whitelisting https hosts on a case-by-case basis, or having to configure the CA certificates themselves.

Since Fedora ships them, it could trivially set the web.cacerts Mercurial setting to point to the OS CA certificates - thus meaning properly-configured HTTPS Mercurial sites will work out of the box.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. hg clone https://bitbucket.org/davidnorth/eximunit

Actual results:

See lots of warnings about bitbucket.org certificate with fingerprint [...] not verified (check hostfingerprints or web.cacerts config setting)

Expected results:

No warnings.

Additional info:

Drop a file into /etc/mercurial/hgrc.d containing the lines:

[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt

... and the problem is solved.
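
An added check, not Fedora's or Mercurial's own code, that audits an hgrc.d directory the way a packager or administrator would verify the fix above: it reads the drop-in files, resolves the effective web.cacerts value, and confirms the bundle it points at exists and actually contains PEM certificate blocks. It assumes Mercurial reads hgrc.d files in alphabetical order with later files overriding earlier ones, uses Python's configparser as a simplified stand-in for Mercurial's own hgrc reader (hgrc directives such as %include are not handled), and works on constructed sample files whose certificate bodies are placeholder text, not real certificates.

```python
"""Audit which CA bundle Mercurial will trust through web.cacerts.

Added example; not part of the Fedora mercurial package or Mercurial.
configparser is used as a simplified hgrc reader (assumption: plain
[section] / key = value files only), and PEM blocks are counted by
their BEGIN/END markers rather than parsed.
"""
import configparser
import os
import pathlib
import tempfile
from typing import Iterable, Optional, Tuple

# Constructed PEM bundle: two blocks with placeholder bodies, not real
# certificates. Only the markers are inspected.
SAMPLE_BUNDLE = (
    "# constructed bundle for the example\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
)


def effective_cacerts(hgrc_texts: Iterable[str]) -> Optional[str]:
    """Return the last web.cacerts value set across the given hgrc texts.

    Later texts override earlier ones, matching how layered hgrc.d files
    are assumed to be applied. None means no drop-in sets it, which is
    the state that produces the "fingerprint ... not verified" warning.
    """
    value = None
    for text in hgrc_texts:
        cp = configparser.RawConfigParser(strict=False)
        cp.read_string(text)
        if cp.has_option("web", "cacerts"):
            value = cp.get("web", "cacerts").strip()
    return value


def count_pem_certs(bundle_text: str) -> int:
    """Count complete PEM certificate blocks (matched BEGIN/END pairs)."""
    begins = bundle_text.count("-----BEGIN CERTIFICATE-----")
    ends = bundle_text.count("-----END CERTIFICATE-----")
    return min(begins, ends)


def check_bundle(path: str) -> Tuple[bool, int]:
    """Return (readable, cert_count) for the configured bundle path.

    A configured but missing or empty bundle is as bad as no setting:
    Mercurial would have nothing to validate the server chain against.
    """
    p = pathlib.Path(path)
    if not p.is_file():
        return (False, 0)
    try:
        return (True, count_pem_certs(p.read_text(errors="replace")))
    except OSError:
        return (False, 0)


def audit_hgrc_dir(directory: str) -> Tuple[Optional[str], bool, int]:
    """Read *.rc files in sorted (assumed alphabetical) order and report
    (cacerts_path, bundle_readable, cert_count)."""
    texts = [p.read_text() for p in sorted(pathlib.Path(directory).glob("*.rc"))]
    path = effective_cacerts(texts)
    if path is None:
        return (None, False, 0)
    readable, count = check_bundle(path)
    return (path, readable, count)


def demo() -> Tuple[bool, int]:
    """Build a constructed hgrc.d tree in a temp dir and audit it.

    Returns (setting_points_at_readable_bundle, cert_count).
    """
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-bundle.crt")
        pathlib.Path(bundle).write_text(SAMPLE_BUNDLE)
        hgrc_d = pathlib.Path(tmp, "hgrc.d")
        hgrc_d.mkdir()
        # An unrelated earlier drop-in, then the one carrying the fix.
        (hgrc_d / "00-site.rc").write_text("[ui]\nusername = builder\n")
        (hgrc_d / "10-cacerts.rc").write_text(f"[web]\ncacerts = {bundle}\n")
        path, readable, count = audit_hgrc_dir(str(hgrc_d))
        return (readable and path == bundle, count)


if __name__ == "__main__":
    # On a Fedora host this inspects the real drop-in directory.
    target = "/etc/mercurial/hgrc.d"
    if os.path.isdir(target):
        print(audit_hgrc_dir(target))
    else:
        print("demo:", demo())
```

Run on a host, a result of `(None, False, 0)` means no drop-in sets web.cacerts and hg will still print the per-host fingerprint warning; a path with `readable == False` means the setting exists but points at a bundle that is absent, which the warning text does not distinguish from the unset case.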

Comment 1 David North 2012-05-25 14:33:16 UTC
For the record, filed this upstream at http://bz.selenic.com/show_bug.cgi?id=3453, but they suffer from not knowing where to find the OS certs, since that's OS-specific. They weren't keen on hard-coding heuristics either.

Comment 2 Neal Becker 2012-05-25 14:49:53 UTC
OK, done.

Comment 3 Mads Kiilerich 2012-05-25 14:59:49 UTC
It would perhaps be helpful to add a comment to the config file with a link to http://mercurial.selenic.com/wiki/CACertificates ... and perhaps also update the status on that page.

It is a 'big' behavioural change that shouldn't be done in released and 'stable' Fedora versions, but you could perhaps sneak it in as a 0-day update to f17 ... or wait for 2.2.2 in a week.

Comment 4 Fedora Update System 2012-06-04 13:34:44 UTC
mercurial-2.2.2-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mercurial-2.2.2-1.fc17

Comment 5 Fedora Update System 2012-06-22 08:29:58 UTC
mercurial-2.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.