fancy new SSL, all thanks to Mercurial

As of today, I finally bit the bullet and installed a real (as in, not self-signed) SSL certificate for my server. It should validate with most browsers out there, but it was relatively inexpensive so I’m not sure how great the compatibility will be.

The main motivating factor was that the new version of Mercurial became very irritating when pushing, pulling, cloning, etc. from a remote https repository whose certificate could not be validated:

chuck@silverstone:~/Documents/cs433$ hg push --insecure https://charliemeyer.net/hg/cs433
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
http authorization required
realm: charliemeyer.net authentication
user: cemeyer2
password: 
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
pushing to https://charliemeyer.net/hg/cs433
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
bundling changes [ <=>                                                                                                                                                                                           ] 0
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 2 changesets with 3 changes to 3 files

As you can see from above, not only is the extra noise irritating, but I also have to append "--insecure" to all of my commands. I know I could have modified my hgrc and imported my self-signed certificate, but I already had my global hgrc set up to recognize properly signed repositories:

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

I do a lot of work with remote hg repositories that do have valid certificates, but also a lot of work with hg repositories on this server, enough work that I didn't want to import the self-signed certificate into the hgrc file of each clone of a repository on every one of my machines. Plus, when I go to other machines, it would take a lot of unnecessary configuration just to get it to work properly.
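The warning above names the other way out, the [hostfingerprints] setting, which pins one certificate per host instead of trusting a CA bundle. The following is an added example, not code from the post or from Mercurial, that shows what such a pin actually checks: Mercurial prints and accepts the SHA-1 fingerprint of the server's DER-encoded certificate as colon-separated hex. The certificate bytes here are a constructed stand-in (a real one would come from ssl's getpeercert(binary_form=True)), and the PINNED table and helper names are my own.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded server certificate; not a real cert.
FAKE_DER_CERT = b"constructed-der-bytes-standing-in-for-a-certificate"

# Pins keyed by hostname, in the form Mercurial prints in its warning.
# The fingerprint below is the one shown in the post's output.
PINNED = {
    "charliemeyer.net": "b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd",
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-1 of the DER certificate, formatted as lowercase colon-separated hex."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept the fingerprint with or without colons and in either case."""
    return fp.replace(":", "").strip().lower()


def check_pin(hostname: str, der_cert: bytes, pins: dict = PINNED) -> bool:
    """True only if the host has a pin and the presented cert matches it.

    A host with no pin returns False here; in Mercurial that case falls
    back to CA validation via web.cacerts (or the --insecure warning).
    """
    expected = pins.get(hostname)
    if expected is None:
        return False
    actual = fingerprint(der_cert)
    # Constant-time comparison, as for any secret-ish credential check.
    return hmac.compare_digest(normalize(expected), normalize(actual))


def hgrc_hostfingerprints(pins: dict) -> str:
    """Render the pins as the [hostfingerprints] section of an hgrc file."""
    lines = ["[hostfingerprints]"]
    for host, fp in sorted(pins.items()):
        lines.append(f"{host} = {fp}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(hgrc_hostfingerprints(PINNED))
    # The constructed bytes do not hash to the post's fingerprint, so this is False.
    print(check_pin("charliemeyer.net", FAKE_DER_CERT))
```

The trade-off the post runs into is visible in check_pin: a pin is per host and per certificate, so every clone on every machine needs the entry, and every entry has to be updated when the certificate is replaced. A CA-signed certificate checked against web.cacerts needs neither.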

So, to ease the irritation that Mercurial was causing, this server can now be accessed using a “more secure” https than before:

chuck@silverstone:~/Documents/cs433$ hg incoming
comparing with https://cemeyer2:***@charliemeyer.net/hg/cs433
searching for changes
no changes found