headers
Jesus Cea | 1 Aug 2012 05:58
Picon
Favicon

HTTPS repositories failing when using selfsigned certs


My mercurial clone is <https://hg.jcea.es/cpython-2011/>, and today I
can't create a patch from it (in the bug tracker). No explanation in
the web interface, but checking the sourcecode of the resulting page,
I see a SSL certificate failure.

So, looks like bugs.python.org is now verifying repository certificates.

My certificate is selfsigned and, moreover, it is behind a SNI server,
so the certificate python.org is getting is a selfsigned "jcea.es"
certificate.

What can I do, beside buying a "real" cert?.

Do we have a certificate whitelist, like mercurial?. In my .hgrc, I use

"""
[hostfingerprints]
# En realidad es www.jcea.es. hg.jcea.es esta tras SNI
hg.jcea.es = 54:7e:a7:36:56:c6:80:41:f8:fd:d6:c0:95:44:68:a9:93:58:ca:4c
"""

PS: If I try to use the http version of my repository
(<http://hg.jcea.es/cpython-2011>), I get an error: "('invalid token',
97)".

--

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea <at> jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea <at> jabber.org         _/_/    _/_/          _/_/_/_/_/
(Continue reading)

Permalink | Reply |
headers
Antoine Pitrou | 1 Aug 2012 14:12

Re: HTTPS repositories failing when using selfsigned certs

On Wed, 01 Aug 2012 05:58:06 +0200
Jesus Cea <jcea <at> jcea.es> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> My mercurial clone is <https://hg.jcea.es/cpython-2011/>, and today I
> can't create a patch from it (in the bug tracker). No explanation in
> the web interface, but checking the sourcecode of the resulting page,
> I see a SSL certificate failure.
> 
> So, looks like bugs.python.org is now verifying repository certificates.
> 
> My certificate is selfsigned and, moreover, it is behind a SNI server,
> so the certificate python.org is getting is a selfsigned "jcea.es"
> certificate.
> 
> What can I do, beside buying a "real" cert?.

Why don't you just use a HTTP URL?

Regards

Antoine.

--

-- 
Software development and contracting: http://pro.pitrou.net
Permalink | Reply |
headers
Antoine Pitrou | 1 Aug 2012 14:19

Re: HTTPS repositories failing when using selfsigned certs

On Wed, 1 Aug 2012 14:12:54 +0200
Antoine Pitrou <solipsis <at> pitrou.net> wrote:

> On Wed, 01 Aug 2012 05:58:06 +0200
> Jesus Cea <jcea <at> jcea.es> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > My mercurial clone is <https://hg.jcea.es/cpython-2011/>, and today I
> > can't create a patch from it (in the bug tracker). No explanation in
> > the web interface, but checking the sourcecode of the resulting page,
> > I see a SSL certificate failure.
> > 
> > So, looks like bugs.python.org is now verifying repository certificates.
> > 
> > My certificate is selfsigned and, moreover, it is behind a SNI server,
> > so the certificate python.org is getting is a selfsigned "jcea.es"
> > certificate.
> > 
> > What can I do, beside buying a "real" cert?.
> 
> Why don't you just use a HTTP URL?

Whoops, I hadn't seen the P.S. in your e-mail:

> PS: If I try to use the http version of my repository
> (<http://hg.jcea.es/cpython-2011>), I get an error: "('invalid token',
> 97)".

In this case the issue with the http version should perhaps be figured
(Continue reading)

Permalink | Reply |

Gmane