Renewing our certificates, plural

By on April 25, 2018

The certificate behind https://bitbucket.org is up for renewal. We’re planning to switch to our new TLS certificates – one RSA, one ECDSA – at around 00:05 UTC on Friday, 27 April 2018. (SSH traffic will not be affected by this.)

What does this mean? After we deploy our new certificates, some Mercurial users who connect over HTTPS may see a warning or error message about “unexpected fingerprint” or “certificate not verified”. If you see a message like that, check if the error message matches the new fingerprints below:

RSA

SHA1:23:40:D5:EB:C5:02:31:DA:FF:93:D1:4F:5E:C3:A7:D8:32:4F:E9:82

SHA256:BD:0C:FF:27:A2:B4:5D:D6:BC:AE:DA:0A:95:A5:10:29:71:19:4A:5B:97:73:49:7C:1B:14:43:E5:EA:E8:1D:53

ECDSA

SHA1:70:A7:44:EA:A9:EA:E8:69:16:EA:12:00:35:A9:A6:0E:AE:38:8E:F8

SHA256:32:12:90:9A:70:64:82:1C:5B:52:CC:C3:0A:D0:79:DB:E1:A8:62:1B:9A:9A:4C:F4:72:40:1C:A7:3A:D3:0A:8C

If it does match, then you can pin that fingerprint in your ~/.hgrc or Mercurial.ini as follows:

Mercurial versions <=3.8:

[hostfingerprints]
bitbucket.org = FINGERPRINT_HERE

Mercurial versions >= 3.9:

[hostsecurity]
bitbucket.org:fingerprints = FINGERPRINT_HERE

(adding the actual fingerprint in place of “FINGERPRINT_HERE”, of course.)

If you’re using Python 2.7.9 or later, then you may be able to remove the fingerprint from ~/.hgrc or Mercurial.ini entirely. Please see https://www.mercurial-scm.org/wiki/SecureConnections for more information.

Most users should not notice a difference once we make the switch – your system will use ECDSA if it can, and RSA otherwise, and your system will verify the certificates as it needs to. We’ve been running dual RSA and ECDSA certificates on all bitbucket.io hosted pages and on api.bitbucket.org since June 2017, and it has not caused any support tickets, monitoring failures, or tweets.

Happy coding!