Red Hat Bugzilla – Bug 825277
Set web.cacerts so Mercurial trusts OS CA certificates by default
Last modified: 2012-06-22 04:29:58 EDT
Description of problem:
Because Python's SSL support is unhelpful in this regard, Mercurial does not trust any certificate authorities by default.
This leaves the user either whitelisting https hosts on a case-by-case basis, or having to configure the CA certificates themselves.
Since Fedora ships them, it could trivially set the web.cacerts Mercurial setting to point to the OS CA certificates - thus meaning properly-configured HTTPS Mercurial sites will work out of the box.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. hg clone https://bitbucket.org/davidnorth/eximunit
See lots of warnings about bitbucket.org certificate with fingerprint [...] not verified (check hostfingerprints or web.cacerts config setting)
Drop a file into /etc/mercurial/hgrc.d containing the lines:
[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt
... and the problem is solved.
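The following is an added illustration for this report, not Mercurial's or Fedora's code: it parses an hgrc-style config, reads the web.cacerts path, and checks that a populated PEM bundle is actually behind it (the sample config text and the temporary bundle are constructed; %include directives are not handled).

```python
"""Audit a Mercurial hgrc for CA trust (added example for this bug report,
not Mercurial's own code; sample config text and bundle are constructed)."""
import configparser
import re
import tempfile

# A CA bundle is a concatenation of these blocks; counting them tells us the
# path in web.cacerts is a real bundle rather than an empty or missing file.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Dropped into /etc/mercurial/hgrc.d/, this is the whole fix proposed above.
FEDORA_DROPIN = "[web]\ncacerts = /etc/pki/tls/certs/ca-bundle.crt\n"


def parse_hgrc(text):
    """hgrc files are INI-style; return the web.cacerts path, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get("web", "cacerts", fallback=None) or None


def count_pem_certs(path):
    """Number of certificate blocks in the bundle; 0 if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return len(PEM_CERT.findall(fh.read()))
    except OSError:
        return 0


def audit(text):
    """'unset': no CA trust, every https host warns unless whitelisted in
    [hostfingerprints]; 'missing': a path is set but no readable certs are
    behind it; 'ok': a populated bundle is configured."""
    path = parse_hgrc(text)
    if path is None:
        return "unset"
    return "ok" if count_pem_certs(path) > 0 else "missing"


def make_sample_bundle(n=2):
    """Write a constructed (not valid) PEM bundle with n blocks to a temp file."""
    block = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    tmp = tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False)
    with tmp:
        tmp.write(block * n)
    return tmp.name


if __name__ == "__main__":
    print("Fedora drop-in on this host:", audit(FEDORA_DROPIN))
    print("no web.cacerts at all:", audit("[ui]\nusername = alice\n"))
```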
For the record, filed this upstream at http://bz.selenic.com/show_bug.cgi?id=3453, but they suffer from not knowing where to find the OS certs, since that's OS-specific. They weren't keen on hard-coding heuristics either.
It would perhaps be helpful to add a comment to the config file with a link to http://mercurial.selenic.com/wiki/CACertificates ... and perhaps also update the status on that page.
It is a 'big' behavioural change that shouldn't be done in released and 'stable' Fedora versions, but you could perhaps sneak it in as a 0-day update to f17 ... or wait for 2.2.2 in a week.
mercurial-2.2.2-1.fc17 has been submitted as an update for Fedora 17.
mercurial-2.2.2-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.