Renewing bitbucket.org certificates

The certificate behind https://bitbucket.org is up for renewal. We're planning to switch to our new TLS certificates – one RSA, one ECDSA – at around 00:05 UTC on Wednesday, 15 April 2020. (SSH traffic will not be affected by this.)

What does this mean? After we deploy our new certificates, some Mercurial users who connect over HTTPS may see a warning or error message about "unexpected fingerprint" or "certificate not verified". If you see a message like that, check if the error message matches the new fingerprints below:

RSA

  SHA1:50:0F:6D:B9:64:FC:A5:DF:1F:0A:48:8A:C3:0A:01:0B:15:A6:1B:60
  SHA256:C7:93:98:FC:DA:7F:CE:54:09:35:97:6C:E2:DC:90:1C:80:B9:C6:3A:D4:CC:62:BC:BE:25:4D:B5:E9:A2:4D:58

ECDSA

  SHA1:4E:6A:4C:3B:82:15:EF:DF:97:38:5E:50:EF:B9:86:42:84:3B:89:F0
  SHA256:5E:7E:34:26:F0:DB:84:8F:53:5D:3E:A5:63:B2:FD:A0:88:3F:9D:1C:53:72:67:83:1C:A3:7F:34:D1:29:D6:86

If it does match, then you can pin that fingerprint in your ~/.hgrc or Mercurial.ini as follows:

Mercurial versions <=3.8:

  [hostfingerprints]
bitbucket.org = FINGERPRINT_HERE

Mercurial versions >= 3.9:

  [hostsecurity]
bitbucket.org:fingerprints = FINGERPRINT_HERE

(adding the actual fingerprint in place of "FINGERPRINT_HERE", of course.)

If you're using Python 2.7.9 or later, then you may be able to remove the fingerprint from ~/.hgrc or Mercurial.ini entirely. Please see https://www.mercurial-scm.org/wiki/SecureConnections for more information.

Please keep in mind that Mercurial repositories will be supported until June 1st, 2020. Read here for more information.

Most users should not notice a difference once we make the switch – your system will use ECDSA if it can, and RSA otherwise, and your system will verify the certificates as it needs to.

Happy coding!