info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Notice of hg.mozilla.org x509 certificate change on 2018-10-31
2 views
Skip to first unread message
Gregory Szorc
Oct 30, 2018, 5:20:22 PM10/30/18
to dev-platform, Firefox Dev, firef...@mozilla.com, dev-version-control, release-engineering, auto-...@mozilla.com
hg.mozilla.org's x509 server certificate (AKA an "SSL certificate") will
be rotated around 2018-10-31T17:00 UTC (10:00 PDT). That's less than 24
hours from now. Bug 1495464 tracks.
You may have the certificate's fingerprint pinned in your hgrc files.
Automated jobs may pin the fingerprint as well. *If you have the
fingerprint pinned, you will need to take action otherwise Mercurial will
refuse the connect to hg.mozilla.org once the certificate is swapped.*
The easiest way to ensure your pinned fingerprint is up-to-date is to run
`mach vcs-setup` from a Mercurial checkout (it can be from an old
revision). If running Mercurial 3.9+ (which you should be in order to have
security fixes), both the old and new fingerprints will be pinned and the
transition will "just work." Otherwise you'll need to run `mach vcs-setup`
or take further action after the new certificate is installed. If a new
fingerprint is installed, run `mach vcs-setup` again after the transition
to remove the old fingerprint.
Fingerprints and details of the new certificate (including hgrc config
snippets you can copy) are located at
https://bugzilla.mozilla.org/show_bug.cgi?id=1495464#c6
<https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12>. From a
certificate level, this transition is pretty boring: just a standard
certificate renewal from the same CA.
The IRC channel for this operational change will be #vcs. Fallout in
Firefox CI should be discussed in #ci. Please track any bugs related to
this change against bug 1495464.
be rotated around 2018-10-31T17:00 UTC (10:00 PDT). That's less than 24
hours from now. Bug 1495464 tracks.
You may have the certificate's fingerprint pinned in your hgrc files.
Automated jobs may pin the fingerprint as well. *If you have the
fingerprint pinned, you will need to take action otherwise Mercurial will
refuse the connect to hg.mozilla.org once the certificate is swapped.*
The easiest way to ensure your pinned fingerprint is up-to-date is to run
`mach vcs-setup` from a Mercurial checkout (it can be from an old
revision). If running Mercurial 3.9+ (which you should be in order to have
security fixes), both the old and new fingerprints will be pinned and the
transition will "just work." Otherwise you'll need to run `mach vcs-setup`
or take further action after the new certificate is installed. If a new
fingerprint is installed, run `mach vcs-setup` again after the transition
to remove the old fingerprint.
Fingerprints and details of the new certificate (including hgrc config
snippets you can copy) are located at
https://bugzilla.mozilla.org/show_bug.cgi?id=1495464#c6
<https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12>. From a
certificate level, this transition is pretty boring: just a standard
certificate renewal from the same CA.
The IRC channel for this operational change will be #vcs. Fallout in
Firefox CI should be discussed in #ci. Please track any bugs related to
this change against bug 1495464.
0 new messages