
hg.mozilla.org x509 certificate change on 2018-10-31


Gregory Szorc

Oct 11, 2018, 7:02:01 AM
to dev-version-control, auto-tools, release-engineering, tools-taskcluster, release drivers, firefox-ci
The hg.mozilla.org x509 certificate (aka "SSL certificate") expires in a
few weeks and a new certificate will be installed on 2018-10-31 around 1700
UTC (1000 PDT). Bug 1495464 tracks.

At this time, clients pinning the certificate fingerprint (which should be
all clients in CI) should update their configs to recognize the new
fingerprint. https://bugzilla.mozilla.org/show_bug.cgi?id=1495464#c6
contains the hgrc config snippets you will want to copy and paste into your
configs.

Mercurial 3.9+ supports pinning multiple SHA-256 fingerprints. So you can
pin both the current/old and future/new certificate fingerprints *today*
and the transition should "just work." After the certificate transition,
the old certificate's fingerprint can be removed.

If you aren't using Mercurial 3.9+, you should update CI to a newer
Mercurial, preferably 4.7.2, which is the latest available. (If your
Mercurial is that old, it is susceptible to known security bugs and should
have been upgraded a long time ago.)

Please chain all bugs up to bug 1495464.

For reference, we last changed certificates ~2 years ago and that was
tracked in bug 1147548.

A broader announcement/reminder will be sent to these and wider
distribution lists as we get closer to the transition date. This
announcement is intended to notify non-human service consumers and those
who care about release pipeline stability.

If you have any questions, reply to dev-versi...@lists.mozilla.org
and/or make noise on a bug chaining to bug 1495464.
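
The dual-pin transition described in the message can be checked mechanically before the cutover. The following is an added example, not part of the original message or of Mozilla's tooling: it audits hgrc text for the Mercurial `[hostsecurity]` `hg.mozilla.org:fingerprints` setting and reports which required fingerprints are not pinned yet. The certificate bytes and both configs are constructed stand-ins, and the parsing is simplified (no `%include`, colon-separated hex only).

```python
import configparser
import hashlib

HOST = "hg.mozilla.org"

def hgrc_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as 'sha256:AA:BB:...'."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return "sha256:" + ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def _normalize(fp: str) -> str:
    # Compare case-insensitively: lower-case algorithm, upper-case hex.
    algo, _, hexpart = fp.strip().partition(":")
    return algo.lower() + ":" + hexpart.upper()

def pinned_fingerprints(hgrc_text: str, host: str = HOST) -> set:
    """Fingerprints pinned for `host` in the [hostsecurity] section."""
    # Only '=' as delimiter: the default ':' would split 'host:fingerprints'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(hgrc_text)
    raw = cp.get("hostsecurity", f"{host}:fingerprints", fallback="")
    return {_normalize(fp) for fp in raw.split(",") if fp.strip()}

def missing_pins(hgrc_text: str, required: set) -> set:
    """Required fingerprints that the config does not pin yet."""
    return {_normalize(fp) for fp in required} - pinned_fingerprints(hgrc_text)

# Constructed stand-ins for the DER bytes of the old and new certificates.
OLD_FP = hgrc_fingerprint(b"constructed old certificate bytes")
NEW_FP = hgrc_fingerprint(b"constructed new certificate bytes")

# Constructed CI configs: one not yet updated, one pinning both.
STALE_HGRC = f"[hostsecurity]\n{HOST}:fingerprints = {OLD_FP}\n"
READY_HGRC = f"[hostsecurity]\n{HOST}:fingerprints = {OLD_FP}, {NEW_FP}\n"

if __name__ == "__main__":
    for name, text in (("stale", STALE_HGRC), ("ready", READY_HGRC)):
        gap = missing_pins(text, {OLD_FP, NEW_FP})
        print(name, "OK" if not gap else f"missing {sorted(gap)}")
```

A config that reports no missing pins keeps working on both sides of the certificate change; the old fingerprint can then be dropped from the required set after the transition.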