web.cacerts warnings with 1.7.3, how to fix and/or disable check?

Martin Geisler mg at aragost.com
Mon Jan 3 06:05:00 CST 2011 

Lasse Vågsæther Karlsen <lasse at vkarlsen.no> writes:

> I updated to 1.7.3 today and I'm getting warnings about certificate
> checks on the following sites:
>
> * bitbucket
> * kiln
> * codeplex
>
> I assume I would get it on all sites that use https://
>
> So, I wonder if there's any documentation/tutorials telling me how to
> go about getting rid of those warnings. I'm a programmer, and I've
> been taught (by experience) that getting rid of warnings is a good
> thing. If Mercurial 1.7.3 is going to teach me to just ignore that it
> gives me a warning, the one time it is going to warn me about
> something useful, I will miss it. So I'd like to get rid of the
> warning.

Fully agreed...

> Now, let's take CodePlex. I have a repository here:
> https://hg01.codeplex.com/difflib
>
> Pulling from this, gives me:
>
> C:\Dev\VS.NET\DiffLib] :hg pull
> warning: hg01.codeplex.com certificate not verified (check web.cacerts
> config setting)
> pulling from https://lassevk:***@hg01.codeplex.com/difflib
> searching for changes
> no changes found
>
>
> Let's assume I can't really verify that the certificate they use is
> really owned by them, I would assume my "right choice" would be to
> disable the check.
>
> My questions are thus:
>
> * How can I disable the check completely for this case?
> * How could I save a certificate I could use for this case, even
> though I don't necessarily know that it will be valid, let's assume I
> assume it is valid now, so that I can at least catch
> man-in-the-middle-attacks in the future?
>
> I tried just saving the certificate Google Chrome uses for my DiffLib
> repository on CodePlex, but no file format I used worked, I just got
> other error messages instead.

The file format should be PEM:

  http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions

Adrian posted a CA file here:

  http://groups.google.com/group/thg-dev/browse_thread/thread/d47b2c626b66dbb7/

and I wrote how one can use the system cerficates on Debian-based
systems.

-- 
Martin Geisler

aragost Trifork
Professional Mercurial support
http://mercurial.aragost.com/kick-start/

More information about the Mercurial-devel mailing list