SSL host certificate changed

If you have the SSL certificate for this site cached in your Mercurial configuration, you'll need to update it now
Added by Chris Cannam about 7 years ago

What's changed?

The SSL certificate for this site has just been updated. You shouldn't notice any difference when simply browsing through https, but if you have stored the host fingerprint in your Mercurial configuration, you'll need to update it.

The new certificate has fingerprint

0d:ff:f3:46:55:7a:be:4c:00:4c:82:9b:cf:71:13:03:b2:08:25:4d

Background, or, Why would I need to do this?

When you use Mercurial to pull from an https URL that is unknown to the hg client, Mercurial will complain about it with a warning like this:

warning: code.soundsoftware.ac.uk certificate with fingerprint 0d:ff:f3:46:55:7a
:be:4c:00:4c:82:9b:cf:71:13:03:b2:08:25:4d not verified (check hostfingerprints
or web.cacerts config setting)

You can avoid this warning by storing the certificate fingerprint in your Mercurial configuration.

To do so, add the following lines to the .hgrc file in your home directory:

[hostfingerprints]
code.soundsoftware.ac.uk=0d:ff:f3:46:55:7a:be:4c:00:4c:82:9b:cf:71:13:03:b2:08:25:4d

Then Mercurial will check the certificate and continue silently if it is correct, but will refuse to continue at all if the certificate doesn't match (because that could indicate a serious security problem).

But this does mean that if the host key ever changes legitimately (as it just has), you will need to update the configuration by hand. The lines above show the new fingerprint, so if you have the old one stored, you should change it to that.


Comments