Re: hg.mozilla.org SSL Certificate Renewal


ISHIKAWA,chiaki
Oct 20, 2021, 5:56:16 PM
to dev-pl...@lists.mozilla.org
On 2020/10/09 7:57, Connor Sheehan wrote:
> tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc files.
>
> hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be rotated on Monday, October 12th. Bug 1670031 tracks this change.
>
> You may have the certificate’s fingerprint pinned in your hgrc files. Automated jobs may pin the fingerprint as well. If you have the fingerprint pinned, you will need to take action otherwise Mercurial will refuse the connection to hg.mozilla.org once the certificate is swapped.
>
> The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the old and new fingerprints will be pinned and the transition will “just work.” Once the new fingerprint is enabled on the server, run mach vcs-setup again to remove the old fingerprint.
>
> Fingerprints and details of the new certificate (including hgrc config snippets you can copy) are located at Bug 1670031. From a certificate level, this transition is pretty boring: just a standard certificate renewal from the same CA.
>
> The Matrix channel for this operational change will be #vcs. Fallout in Firefox CI should be discussed in #ci. Please track any bugs related to this change against Bug 1668017.

I noticed the change of certificate because I got
abort: certificate for hg.mozilla.org has unexpected fingerprint
sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
(check hostsecurity configuration)
when I ran |hg pull -u| locally to update my tree.

Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
before the server cert change.

Now, it was too late since the cert already changed and I could not run
|mach vcs-setup|.
I had to modify ~/.hgrc manually to change the sha256 fingerprint of
the certificate of hg.mozilla.org.

Now, the issue is this.
After |mach| works again with my modification to add the new sha256
fingerprint to ~/.hgrc,
I thought it was prudent to run |mach vcs-setup| so that my hgrc is in a
sane state (or what the maintainer of |mach vcs-setup| would like it to be).
But running |mach vcs-setup| simply removed all the fingerprints (I
have no idea why I had bitbucket.org's fingerprint. I must have used it
7-8 years ago and forgot about it).
Removing all the fingerprints simply means there is no fingerprint check
in the future. |mach| simply accepts any cert coming from the server.
Is that intended?

The following is the diff printed when I ran |mach vcs-setup| after I
tweaked the sha256 fingerprint so that |mach| can talk to hg.mozilla.org
again.

--- begin quote ---
Would you like to see a diff of the changes first (Yn)?  y
--- hgrc.old
+++ hgrc.new
@@ -101,11 +101,6 @@
 pager = LESS=FRSXQ less

 [hostsecurity]
-bitbucket.org:fingerprints =
sha256:4e:65:3e:76:0f:81:59:85:5b:50:06:0c:c2:4d:3c:56:53:8b:83:3e:9b:fa:55:26:98:9a:ca:e2:25:03:92:47
-### old hg.mozilla.org:fingerprints =
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-
-#hg.mozilla.org:fingerprints =
sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-hg.mozilla.org:fingerprints =
sha256:4D:EB:21:6E:35:2F:99:C6:8F:C3:47:9B:57:B8:6C:17:15:8F:86:09:D4:6C:17:1D:87:B0:DE:F9:0E:51:70:FC,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48

 [color]
 wip.bookmarks = yellow underline
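Review bot: the hunk removes the live pin (`-hg.mozilla.org:fingerprints = sha256:4D:EB:21:...`) together with the stale commented-out entries and the unrelated `bitbucket.org` pin, and writes nothing in its place, so after the write the `[hostsecurity]` section is empty and verification of hg.mozilla.org rests entirely on Mercurial's CA-chain validation. If dropping pins is the intended end state, the tool should say so in the prompt next to the diff (for example "fingerprint pinning is no longer required; removing stale pins") so that a user does not read an empty section as "accept any certificate"; if it is not, the current fingerprint should be written back as `hg.mozilla.org:fingerprints = sha256:4D:EB:21:...` instead of being removed, which is also what makes repeated runs converge on the same file.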

Write changes to hgrc file (Yn)?  y
--- end quote ---

You can see that |mach vcs-setup| deletes all the fingerprints but does
not add new one(s).
That is a bit disturbing.

Yes, I know I failed to run |mach vcs-setup| before the server key
change, so the ~/.hgrc is in a strange state with my manual edit.
But I would expect |mach vcs-setup| to be idempotent, i.e., once I can run
it (after the required tweaking of the fingerprint following the missed
timely update), I should be able to run it again and again and end up with
the expected ~/.hgrc every time (presumably with a valid fingerprint for checking).

I think no fingerprint at all is obviously unexpected output.

TIA

Chiaki







Andrew Halberstadt
Oct 20, 2021, 6:19:13 PM
to ISHIKAWA,chiaki, dev-platform
My understanding is that pinning fingerprints was only ever needed if you use Python < 2.7.5 (or something like that) in addition to an old Mercurial. Given we're entirely on Python 3 and require modern Mercurial, there's no reason to pin fingerprints anymore.

In other words, `mach vcs-setup` removing them is intentional.

--
You received this message because you are subscribed to the Google Groups "dev-pl...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-platform...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/7edd5cf2-55f1-5915-4efc-1800092e017a%40yk.rim.or.jp.
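The two behaviours discussed in this thread, pinning both the old and the new fingerprint during a rotation (the first message) and running with no pins at all so that verification falls back to the CA chain rather than to "accept anything" (Andrew's explanation), as an added Python example. This is not Mercurial's, mach's or Mozilla's own code; it models the `[hostsecurity]` `<host>:fingerprints` keys shown in the diff, and the certificate bytes it hashes are constructed stand-ins for DER, since the fingerprint is simply SHA-256 over the DER encoding. The `Verdict` names and the `example.org` host are assumptions of the example.

```python
"""Certificate-fingerprint pinning as configured in an hgrc [hostsecurity] section.

Added example; not Mercurial's, mach's or Mozilla's own code. It parses
'<host>:fingerprints' keys from hgrc-style text, computes the SHA-256
fingerprint of a certificate's DER bytes in the 'sha256:aa:bb:...' notation
seen in the thread, and applies one policy:

  * pins configured for the host -> the presented certificate must match one
  * no pins configured           -> defer to ordinary CA-chain validation
                                    (an empty section is not "accept anything")
"""
import configparser
import hashlib
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    PIN_MATCH = "pinned fingerprint matched"
    PIN_MISMATCH = "unexpected fingerprint: abort the connection"
    NO_PINS = "no pins configured: rely on CA-chain validation"


def sha256_fingerprint(der_bytes: bytes) -> str:
    """Fingerprint in Mercurial's colon-separated notation, lower-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest()
    return "sha256:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_hostsecurity(hgrc_text: str) -> Dict[str, List[str]]:
    """Collect '<host>:fingerprints' lists from the [hostsecurity] section.

    Only '=' is treated as the key/value delimiter because the keys
    themselves contain ':'. A value may be a comma-separated list (old and
    new fingerprint pinned together during a rotation) and may continue on
    indented lines, as in the wrapped diff earlier in the thread. Hex case is
    normalised because the announcement and hg's own output differ in case.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(hgrc_text)
    pins: Dict[str, List[str]] = {}
    if not cp.has_section("hostsecurity"):
        return pins
    for key, value in cp.items("hostsecurity"):
        host, sep, what = key.rpartition(":")
        if sep and what == "fingerprints":
            pins[host] = [fp.strip().lower() for fp in value.split(",") if fp.strip()]
    return pins


def check_pin(pins: Dict[str, List[str]], host: str, der_bytes: bytes) -> Verdict:
    """Decide what the pinning layer says about one presented certificate."""
    configured = pins.get(host, [])
    if not configured:
        return Verdict.NO_PINS
    presented = sha256_fingerprint(der_bytes)
    return Verdict.PIN_MATCH if presented in configured else Verdict.PIN_MISMATCH


# Constructed stand-ins for the DER encodings of the old and the new server cert.
OLD_CERT_DER = b"constructed-old-certificate-der"
NEW_CERT_DER = b"constructed-new-certificate-der"


def transition_hgrc() -> str:
    """Constructed hgrc snippet in the 'both fingerprints pinned' state that the
    rotation announcement describes; the new pin is written upper-case and the
    list is wrapped onto a continuation line, as in the thread's diff."""
    old_fp = sha256_fingerprint(OLD_CERT_DER)
    new_fp = "sha256:" + sha256_fingerprint(NEW_CERT_DER)[len("sha256:"):].upper()
    return (
        "[hostsecurity]\n"
        f"hg.mozilla.org:fingerprints = {new_fp},\n"
        f"    {old_fp}\n"
        "\n"
        "[color]\n"
        "wip.bookmarks = yellow underline\n"
    )


if __name__ == "__main__":
    pins = parse_hostsecurity(transition_hgrc())
    for label, der in (("old cert", OLD_CERT_DER), ("new cert", NEW_CERT_DER),
                       ("unknown cert", b"constructed-unknown-certificate-der")):
        print(f"hg.mozilla.org / {label}: {check_pin(pins, 'hg.mozilla.org', der).value}")
    print(f"example.org / new cert: {check_pin(pins, 'example.org', NEW_CERT_DER).value}")
```

Running the script shows the transition state accepting both certificates and rejecting an unknown one, while a host with no entry yields `NO_PINS` rather than a match: the point is that the caller must then still perform CA validation, which is the fallback the thread says modern Python and Mercurial provide. Deleting the `[hostsecurity]` entries moves a host from the first branch to the second; it does not disable verification on its own.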

ISHIKAWA,chiaki
Oct 20, 2021, 10:12:54 PM
to dev-pl...@mozilla.org
Thank you for the explanation.

If this was intended, then fine.

I re-read the explanation from five years ago by Gregory Szorc [1], and
it seems that modern python and mercurial can use
CA bundle [presumably stored somewhere in M-C?] to verify cert from
hg.mozilla.org by traversing the chain of trust. Makes sense.

> > The easiest way to ensure your pinned fingerprint is up-to-date is
> to run `mach vcs-setup` from a Mercurial checkout (it can be from an
> old revision). Both the old and new fingerprints will be pinned and
> the transition will “just work.” Once the new fingerprint is enabled
> on the server, run mach vcs-setup again to remove the old fingerprint.
This description may need elaboration. It is no longer true, then, with
modern python and mercurial.
I was worried that what I observed was different from the description above.

TIA

Chiaki

[1]
https://groups.google.com/g/mozilla.dev.platform/c/2wAO695mFnc/m/4pEga1Q-BgAJ?pli=1

On 2021/10/21 7:19, Andrew Halberstadt wrote:
> My understanding is that pinning fingerprints was only ever needed if
> you use Python < 2.7.5 (or something like that) in addition to an old
> Mercurial. Given we're entirely on Python 3 and require modern
> Mercurial, there's no reason to pin fingerprints anymore.
>
> In other words, `mach vcs-setup` removing them is intentional.
>
> On Wed, Oct 20, 2021 at 5:56 PM ISHIKAWA,chiaki <ishi...@yk.rim.or.jp
> <mailto:ishi...@yk.rim.or.jp>> wrote:
>
> On 2020/10/09 7:57, Connor Sheehan wrote:
> > tldr; run `mach vcs-setup` to update the pinned SSL certificate
> in your hgrc files.
> >
> > hg.mozilla.org <http://hg.mozilla.org>’s x509 server certificate
> (AKA an “SSL certificate”) will be rotated on Monday, October
> 12th. Bug 1670031 tracks this change.
> >
> > You may have the certificate’s fingerprint pinned in your hgrc
> files. Automated jobs may pin the fingerprint as well. If you have
> the fingerprint pinned, you will need to take action otherwise
> Mercurial will refuse the connection to hg.mozilla.org
> <http://hg.mozilla.org> once the certificate is swapped.
> >
> > The easiest way to ensure your pinned fingerprint is up-to-date
> is to run `mach vcs-setup` from a Mercurial checkout (it can be
> from an old revision). Both the old and new fingerprints will be
> pinned and the transition will “just work.” Once the new
> fingerprint is enabled on the server, run mach vcs-setup again to
> remove the old fingerprint.
> >
> > Fingerprints and details of the new certificate (including hgrc
> config snippets you can copy) are located at Bug 1670031. From a
> certificate level, this transition is pretty boring: just a
> standard certificate renewal from the same CA.
> >
> > The Matrix channel for this operational change will be #vcs.
> Fallout in Firefox CI should be discussed in #ci. Please track any
> bugs related to this change against Bug 1668017.
>
> I noticed the change of certificate because I got
> abort: certificate for hg.mozilla.org <http://hg.mozilla.org> has
> unexpected fingerprint
> sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
> (check hostsecurity configuration)
> when I ran |hg pull -u| locally to update my tree.
>
> Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
> before the server cert change.
>
> Now, it was too late since the cert already changed and I could
> not run
> |mach vcs-setup|.
> I had to modify ~/.hgrc manually to change the sha256
> fingerprint of
> the certificate of hg.mozilla.org <http://hg.mozilla.org>.
>
> Now, the issue is this.
> After |mach| works again with my modification to add the new sha256
> fingerprint to ~/.hgrc,
> I thought it was prudent to run |mach vcs-setup| so that my hgrc
> is in a
> sane state (or what the maintainer of |mach vcs-setup| would like
> it to be).
> But running |mach vcs-setup|  simply removed all the fingerprints (I
> have no idea why I had bitbucket.org <http://bitbucket.org>'s
> fingerprint. I must have used it
> 7-8 years ago and forgot about it).
> Removing all the fingerprints simply means there is no fingerprint
> check
> in the future. |mach| simply accepts any cert coming from the server.
> Is that intended?
>
> The following is the diff printed when I ran |mach vcs-setup| after I
> tweaked the sha256 fingerprint so that |mach| can talk to
> hg.mozilla.org <http://hg.mozilla.org>

