Bug 825277 - Set web.cacerts so Mercurial trusts OS CA certificates by default
Set web.cacerts so Mercurial trusts OS CA certificates by default
Product: Fedora
Classification: Fedora
Component: mercurial (Show other bugs)
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Neal Becker
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-05-25 10:31 EDT by David North
Modified: 2012-06-22 04:29 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-05-25 10:49:53 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David North 2012-05-25 10:31:20 EDT
Description of problem:

Because Python's SSL support is unhelpful in this regard, Mercurial does not trust any certificate authorities by default.

This leaves the user either whitelisting https hosts on a case-by-case basis, or having to configure the CA certificates themselves.

Since Fedora ships them, it could trivially set the web.cacerts Mercurial setting to point to the OS CA certificates - thus meaning properly-configured HTTPS Mercurial sites will work out of the box.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. hg clone https://bitbucket.org/davidnorth/eximunit
Actual results:

See lots of warnings about bitbucket.org certificate with fingerprint [...] not verified (check hostfingerprints or web.cacerts config setting)

Expected results:

No warnings.

Additional info:

Drop a file into /etc/mercurial/hgrc.d containing the lines:

cacerts = /etc/pki/tls/certs/ca-bundle.crt

... and the problem is solved.
Comment 1 David North 2012-05-25 10:33:16 EDT
For the record, filed this upstream at http://bz.selenic.com/show_bug.cgi?id=3453, but they suffer from not knowing where to find the OS certs, since that's OS-specific. They weren't keen on hard-coding heuristics either.
Comment 2 Neal Becker 2012-05-25 10:49:53 EDT
OK, done.
Comment 3 Mads Kiilerich 2012-05-25 10:59:49 EDT
It would perhaps be helful to add comment to the config file with a link to http://mercurial.selenic.com/wiki/CACertificates ... and perhaps also update the status on that page.

It is a 'big' behavioural change that shouldn't be done in released and 'stable' Fedora versions, but you could perhaps sneak it in as a 0-day update to f17 ... or wait for 2.2.2 in a week.
Comment 4 Fedora Update System 2012-06-04 09:34:44 EDT
mercurial-2.2.2-1.fc17 has been submitted as an update for Fedora 17.
Comment 5 Fedora Update System 2012-06-22 04:29:58 EDT
mercurial-2.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.