Description of problem:
Because Python's SSL support is unhelpful in this regard, Mercurial does not trust any certificate authorities by default. This leaves the user either whitelisting https hosts on a case-by-case basis, or having to configure the CA certificates themselves. Since Fedora ships them, it could trivially set the web.cacerts Mercurial setting to point to the OS CA certificates - thus meaning properly-configured HTTPS Mercurial sites will work out of the box.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. hg clone https://bitbucket.org/davidnorth/eximunit

Actual results:
See lots of warnings about bitbucket.org certificate with fingerprint [...] not verified (check hostfingerprints or web.cacerts config setting)

Expected results:
No warnings.

Additional info:
Drop a file into /etc/mercurial/hgrc.d containing the lines:

    [web]
    cacerts = /etc/pki/tls/certs/ca-bundle.crt

... and the problem is solved.
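
Added example (not part of the original report and not Mercurial's own code): a small audit of the hgrc.d drop-in described above. It reports whether web.cacerts is set and points at a readable PEM bundle, and which hosts are pinned under [hostfingerprints]. It assumes simple INI-style *.rc files read with Python's configparser rather than Mercurial's parser; the host name, fingerprint and bundle contents in the demo are constructed placeholders.

```python
import configparser
import glob
import os
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def load_settings(hgrc_dir):
    """Merge [web] and [hostfingerprints] from hgrc.d/*.rc; later files win."""
    cp = configparser.RawConfigParser(
        allow_no_value=True, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep keys (host names) exactly as written
    for path in sorted(glob.glob(os.path.join(hgrc_dir, "*.rc"))):
        cp.read(path, encoding="utf-8")
    get = lambda s: dict(cp.items(s)) if cp.has_section(s) else {}
    return get("web"), get("hostfingerprints")


def audit(hgrc_dir):
    """Return (status, pinned_hosts) for the CA configuration in hgrc_dir."""
    web, pins = load_settings(hgrc_dir)
    cacerts = (web.get("cacerts") or "").strip()
    if not cacerts:
        status = "unset"            # no CA bundle configured
    elif not os.path.isfile(cacerts):
        status = "missing-file"     # setting points at a path that is absent
    else:
        with open(cacerts, encoding="ascii", errors="replace") as fh:
            # Structural check only: the file contains at least one PEM block.
            status = "ok" if PEM_MARKER in fh.read() else "no-certs"
    return status, sorted(pins)


def demo():
    """Run the audit over constructed config files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        bundle = os.path.join(root, "ca-bundle.crt")
        with open(bundle, "w") as fh:  # constructed stand-in, not a real cert
            fh.write(PEM_MARKER + "\n(placeholder)\n-----END CERTIFICATE-----\n")
        d = os.path.join(root, "hgrc.d")
        os.mkdir(d)
        results = [audit(d)]                      # nothing configured yet
        with open(os.path.join(d, "10-pins.rc"), "w") as fh:
            fh.write("[hostfingerprints]\nhg.example.test = 00:11:22\n")
        results.append(audit(d))                  # per-host pin only
        with open(os.path.join(d, "20-cacerts.rc"), "w") as fh:
            fh.write("[web]\ncacerts = %s\n" % bundle)
        results.append(audit(d))                  # drop-in present
        os.remove(bundle)
        results.append(audit(d))                  # bundle removed afterwards
        return results
```

On a real system, call audit("/etc/mercurial/hgrc.d") to check the drop-in from this report.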
For the record, filed this upstream at http://bz.selenic.com/show_bug.cgi?id=3453, but they suffer from not knowing where to find the OS certs, since that's OS-specific. They weren't keen on hard-coding heuristics either.
OK, done.
It would perhaps be helpful to add a comment to the config file with a link to http://mercurial.selenic.com/wiki/CACertificates ... and perhaps also update the status on that page. It is a 'big' behavioural change that shouldn't be done in released and 'stable' Fedora versions, but you could perhaps sneak it in as a 0-day update to f17 ... or wait for 2.2.2 in a week.
mercurial-2.2.2-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mercurial-2.2.2-1.fc17
mercurial-2.2.2-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.