Putting this in my .hgrc did the trick.
[hostfingerprints]
bitbucket.org = 45:ad:ae:1a:cf:0e:73:47:06:07:e0:88:f5:cc:10:e5:fa:1c:f7:99
You should check the fingerprint first by viewing the host’s certificate. If all looks fine, you can use the above approach to do away with those pesky warnings.
See https://confluence.atlassian.com/display/BBKB/abort%3A+certificate+for+bitbucket.org+has+unexpected+fingerprint
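
The fingerprint check mentioned above can also be scripted. This is an added example, not part of the original post. It relies on a [hostfingerprints] value being the SHA-1 digest of the server's DER-encoded certificate. All function names, the host example.test and the sample bytes are constructed for illustration.

```python
import configparser
import hashlib
import hmac
import ssl


def cert_fingerprint(der_bytes):
    """SHA-1 of the DER certificate as colon-separated hex pairs."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fingerprint):
    # Ignore case, colons and stray whitespace when comparing.
    return fingerprint.replace(":", "").strip().lower()


def pinned_fingerprints(hgrc_text):
    """Return {host: normalised fingerprint} from [hostfingerprints]."""
    # '=' is the only delimiter: the values themselves contain ':'.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    return {h: _normalise(v) for h, v in parser.items("hostfingerprints")}


def check_pin(hgrc_text, host, der_bytes):
    """Return 'match', 'mismatch' or 'unpinned' for this host and cert."""
    pinned = pinned_fingerprints(hgrc_text).get(host.lower())
    if pinned is None:
        return "unpinned"
    actual = _normalise(cert_fingerprint(der_bytes))
    return "match" if hmac.compare_digest(pinned, actual) else "mismatch"


def fetch_der(host, port=443):
    # Needs network. The certificate arrives unauthenticated, so compare its
    # fingerprint with a value obtained out of band before pinning it.
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_HGRC = "[hostfingerprints]\nexample.test = %s\n" % cert_fingerprint(SAMPLE_DER).upper()

if __name__ == "__main__":
    print(check_pin(SAMPLE_HGRC, "example.test", SAMPLE_DER))
```

A 'mismatch' result means the pinned entry no longer describes the certificate being served; confirm the new fingerprint through a trusted channel before updating .hgrc.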