Re: bit off topic: bitbucket fingerprint problem
On Thu, Nov 10, 2016 at 5:26 AM, Uwe Brauer wrote: > > A couple of weeks ago I had a problem with fingerprint on the bitbucket > site. Mads advised me > >> Modern Python and Mercurial has proper support for system CAs. There >> is thus no longer much need for hostfingerprints ... unless you want >> to be really secure and manage trust manually and update your >> configuration when sites renew their certificate. > >> Just remove that entry and you should be fine. > > > When this was done the following error poped up: > > abort: error: _ssl.c:510: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate > verify failed > > So that looks as if the fingerprint were missing. > Is that the full output? Do you not see any warning messages before this abort? Without an additional warning message, my guess is that CAs were loaded. However, the CA for bitbucket.org is not present and thus the cert is failing to verify. If that's true, the workaround is to update your CA bundle file (your distro should provide a modern copy but if your distro isn't receiving package updates...). You can grab a bundle file from https://curl.haxx.se/docs/caextract.html. Or you can install the "certifi" Python package via `pip install certifi`. If this is the only message we show in case of missing CA, that error messaging is horrible and could be improved. I'll investigate that... ___ Mercurial mailing list Mercurial@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial
Re: bit off topic: bitbucket fingerprint problem
A couple of weeks ago I had a problem with fingerprint on the bitbucket site. Mads advised me > Modern Python and Mercurial has proper support for system CAs. There > is thus no longer much need for hostfingerprints ... unless you want > to be really secure and manage trust manually and update your > configuration when sites renew their certificate. > Just remove that entry and you should be fine. When this was done the following error poped up: abort: error: _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed So that looks as if the fingerprint were missing. Any ideas? Thanks Uwe Brauer ___ Mercurial mailing list Mercurial@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial
Re: bit off topic: bitbucket fingerprint problem
> On 10/18/2016 02:30 PM, Uwe Brauer wrote: > Modern Python and Mercurial has proper support for system CAs. There > is thus no longer much need for hostfingerprints ... unless you want > to be really secure and manage trust manually and update your > configuration when sites renew their certificate. > Just remove that entry and you should be fine. Ok, I changed the fingerprint to the fingerprint he was expecting and it worked. Still do no understand why it works on one machine with fingerprint 1 and on another machine with fingerprint 2. But I think you are right best is not to use fingerprints at all. Thanks Uwe ___ Mercurial mailing list Mercurial@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial
Re: bit off topic: bitbucket fingerprint problem
On 10/18/2016 02:30 PM, Uwe Brauer wrote: Hi This is very odd. A colleague of mine has the following .hgrc file in his home directory (Ubuntu 14.04) [hostfingerprints] bitbucket.org = 3f:d3:c5:17:23:3c:cd:f5:2d:17:76:06:93:7e:ee:97:42:21:14:aa However when he wants to clone a repository he obtains abort: certificate for bitbucket.org has unexpected fingerprint 65:5c:7c:e1:b4:23:f0:2b:0f:68:21:28:5b:ef:9b:5b:63:ed:ca:19 (check hostfingerprint configuration) He has no other .hgrc file so I don't understand that message. If anybody had made similar experience and knew the solution, I highly would appreciate it. Modern Python and Mercurial has proper support for system CAs. There is thus no longer much need for hostfingerprints ... unless you want to be really secure and manage trust manually and update your configuration when sites renew their certificate. Just remove that entry and you should be fine. /Mads ___ Mercurial mailing list Mercurial@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial