fancy new SSL, all thanks to Mercurial
As of today, I finally bit the bullet and installed a real (as in, not self-signed) SSL certificate for my server. It should validate with most browsers out there, but it was relatively inexpensive so I’m not sure how great the compatibility will be.
The main motivating factor was that the new version of Mercurial became very irritating when pushing/pulling/cloning/etc. from a remote https repository whose certificate could not be validated:
```
chuck@silverstone:~/Documents/cs433$ hg push --insecure https://charliemeyer.net/hg/cs433
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
http authorization required
realm: charliemeyer.net authentication
user: cemeyer2
password:
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
pushing to https://charliemeyer.net/hg/cs433
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
bundling changes [ <=> ] 0
warning: charliemeyer.net certificate with fingerprint b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd not verified (check hostfingerprints or web.cacerts config setting)
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 2 changesets with 3 changes to 3 files
```
As you can see from above, not only is the extra noise irritating, but I also have to append `--insecure` to all of my commands. I know I could have modified my hgrc and imported my self-signed certificate, but I already had my global hgrc set up to recognize properly signed repositories:
```
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt
```
I do a lot of work with remote hg repositories that do have valid certificates, but also a lot of work with hg repositories on this server: enough work that I didn’t want to import the self-signed certificate into the hgrc file of every clone of a repository on every one of my machines. Plus, when I go to other machines, it would take a lot of unnecessary configuration just to get it to work properly.
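The warning above names `hostfingerprints` as the alternative to `web.cacerts`: instead of trusting a CA bundle, hgrc can pin the SHA-1 fingerprint of a host's DER-encoded certificate, in the same colon-separated form Mercurial prints. As an added example that is not part of the original post, this Python script computes that fingerprint from a certificate and checks it against the pin in an hgrc; the hgrc text is constructed here from the fingerprint printed in the warning, and `load_pins` and `pin_matches` are helper names assumed for the example.

```python
import configparser
import hashlib
import hmac
import ssl

# Constructed hgrc fragment in the shape Mercurial's hostfingerprints
# section takes: one SHA-1 fingerprint per host, colon-separated hex.
# The pinned value is the fingerprint from the warnings above.
HGRC = """
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

[hostfingerprints]
charliemeyer.net = b0:f2:09:06:87:32:b1:8d:cc:7f:51:09:07:28:44:45:8d:86:f8:fd
"""


def sha1_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-1 fingerprint of a DER certificate, the form
    Mercurial prints in its 'not verified' warning."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_cert: str) -> str:
    """Fingerprint a PEM certificate, e.g. the file the web server serves."""
    return sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def load_pins(hgrc_text: str) -> dict:
    """Parse [hostfingerprints] from hgrc text into {host: fingerprint}."""
    # Only '=' splits key from value, so the colons in fingerprints are safe.
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(hgrc_text)
    if not cfg.has_section("hostfingerprints"):
        return {}
    return {host: fp.strip().lower() for host, fp in cfg.items("hostfingerprints")}


def pin_matches(host: str, der_cert: bytes, hgrc_text: str) -> bool:
    """True only if host has a pin and the presented cert matches it.
    An unpinned host is a failure, not a pass, so a missing entry cannot
    silently turn into 'trust anything'."""
    pins = load_pins(hgrc_text)
    if host not in pins:
        return False
    return hmac.compare_digest(sha1_fingerprint(der_cert), pins[host])
```

Run `pem_fingerprint` over the certificate you actually deployed and compare it with the fingerprint in Mercurial's warning before pinning it; a mismatch means the client is not talking to the certificate you think it is.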
So, to ease the irritation that Mercurial was causing, this server can now be accessed using a “more secure” https than before:
```
chuck@silverstone:~/Documents/cs433$ hg incoming
comparing with https://cemeyer2:***@charliemeyer.net/hg/cs433
searching for changes
no changes found
```
