hg.mozilla.org SSL Certificate Renewal

tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc files.

hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be rotated on Monday, October 12th. Bug 1670031 tracks this change.

You may have the certificate’s fingerprint pinned in your hgrc files. Automated jobs may pin the fingerprint as well. If you have the fingerprint pinned, you will need to take action otherwise Mercurial will refuse the connection to hg.mozilla.org once the certificate is swapped.

The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the old and new fingerprints will be pinned and the transition will “just work.” Once the new fingerprint is enabled on the server, run mach vcs-setup again to remove the old fingerprint.

Fingerprints and details of the new certificate (including hgrc config snippets you can copy) are located at Bug 1670031. From a certificate level, this transition is pretty boring: just a standard certificate renewal from the same CA.

The Matrix channel for this operational change will be #vcs. Fallout in Firefox CI should be discussed in #ci. Please track any bugs related to this change against Bug 1668017.
Connor
10/8/2020 10:57:33 PM
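
A check for the dual-pin transition described in the announcement above, as an added example that is not part of the original post or of `mach vcs-setup`. It assumes the pins live in Mercurial's `[hostsecurity]` section under `hg.mozilla.org:fingerprints`; the function names, the two certificate byte strings and the sample hgrc are constructed for illustration.

```python
import configparser
import hashlib

HOST = "hg.mozilla.org"

def cert_fingerprint(der_bytes):
    """Normalized SHA-256 fingerprint of a certificate's DER encoding."""
    return "sha256:" + hashlib.sha256(der_bytes).hexdigest()

def hgrc_form(der_bytes):
    """The same fingerprint in the colon-separated form often written in hgrc."""
    h = hashlib.sha256(der_bytes).hexdigest().upper()
    return "sha256:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(pin):
    algo, _, digest = pin.strip().partition(":")
    return algo.lower() + ":" + digest.replace(":", "").lower()

def pinned_fingerprints(hgrc_text, host=HOST):
    # Only "=" may delimit keys, because the option name itself contains a colon.
    # allow_no_value lets lines such as %include parse; they are not followed.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(hgrc_text)
    raw = cp.get("hostsecurity", host + ":fingerprints", fallback=None) or ""
    return {normalize(p) for p in raw.replace(",", " ").split()}

def rotation_status(hgrc_text, old_der, new_der):
    pins = pinned_fingerprints(hgrc_text)
    if not pins:
        return "unpinned"    # no pin set, so a certificate swap needs no hgrc change
    old_ok = cert_fingerprint(old_der) in pins
    new_ok = cert_fingerprint(new_der) in pins
    if old_ok and new_ok:
        return "ready"       # both pinned: works before and after the swap
    if old_ok:
        return "will-break"  # connection refused once the server swaps
    return "new-only" if new_ok else "stale"

# Constructed stand-ins for the two certificates' DER bytes (not real certs).
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-new-certificate"
SAMPLE_HGRC = (
    "[ui]\nusername = Example Dev <dev@example.com>\n\n"
    "[hostsecurity]\n"
    f"{HOST}:fingerprints = {hgrc_form(OLD_DER)}, {hgrc_form(NEW_DER)}\n"
)

if __name__ == "__main__":
    print(rotation_status(SAMPLE_HGRC, OLD_DER, NEW_DER))
```

Automated jobs that pin the fingerprint can run the same check against their own configuration before the rotation date, using the real certificates' DER bytes in place of the constructed ones.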

Has FALLBACK_FINGERPRINT (in taskcluster/scripts/run-task) been
updated for this change?

- Kyle

On Thu, Oct 8, 2020 at 4:00 PM Connor Sheehan <sheehan@mozilla.com> wrote:
>
> tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc files.
>
> hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be rotated on Monday, October 12th. Bug 1670031 tracks this change.
>
> You may have the certificate’s fingerprint pinned in your hgrc files. Automated jobs may pin the fingerprint as well. If you have the fingerprint pinned, you will need to take action otherwise Mercurial will refuse the connection to hg.mozilla.org once the certificate is swapped.
>
> The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the old and new fingerprints will be pinned and the transition will “just work.” Once the new fingerprint is enabled on the server, run mach vcs-setup again to remove the old fingerprint.
>
> Fingerprints and details of the new certificate (including hgrc config snippets you can copy) are located at Bug 1670031. From a certificate level, this transition is pretty boring: just a standard certificate renewal from the same CA.
>
> The Matrix channel for this operational change will be #vcs. Fallout in Firefox CI should be discussed in #ci. Please track any bugs related to this change against Bug 1668017.
Kyle
10/13/2020 9:50:43 PM