Fedora kickstart script downloads CA cert bundle over HTTP #318

Closed
mdekstrand opened this issue Feb 6, 2015 · 1 comment

Comments

@mdekstrand

The kickstart scripts for Fedora (at least) download a new CA certificate bundle over unsecured HTTP from curl.haxx.se.

It seems to me that this should be done in some more secure fashion, if it is needed at all. Why does the CA cert bundle need to be updated, rather than using the one shipped by Fedora?

I have not reviewed the other build definitions to see if they also do this.

@juliandunn
Contributor

Indeed. It's probably just copypasta legacy from a CentOS 5 definition so that the wget of https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub works in vagrant.sh without SSL warnings.

I'm happy to take a PR to remove this, as long as that wget still works.

jtimberman pushed a commit that referenced this issue Feb 24, 2015
This addresses both concerns of #318 and #325. We were downloading the
SSL CA bundle over http because at the point in time when we wanted to
even do that we might not have been in a state where the SSL
certificates from curl.haxx.se could be verified. Using http is just
as good at that point as using SSL without verification. However...

This addresses the concern raised in #325, whereby the upstream
cacert.pem removed certificates used by services such as AWS S3,
causing SSL connections to those sites to fail to verify. We should
rely on the ca-bundle.crt that comes with the openssl package on the
platforms in question (centos/fedora).
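The issue body and the commit message above describe two ways a provisioning script can end up with an unverifiable trust root: fetching the CA bundle itself over plain HTTP, and fetching with certificate checking switched off. The following lint, added here as an illustration and not part of bento or the kickstart scripts themselves, scans shell or kickstart `%post` text for both patterns; the sample script it runs on is constructed to resemble the described lines, not copied from the repository.

```python
import re
from typing import List, Tuple

# Constructed sample of provisioning lines modelled on the pattern the issue
# describes (not the real bento kickstart contents).
SAMPLE_SCRIPT = """\
# refresh CA bundle
wget -O /etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem
curl -sS -o /tmp/vagrant.pub https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub
wget --no-check-certificate https://example.invalid/key.pub
curl -k https://example.invalid/other.pub
yum -y install openssl   # the distro's ca-bundle.crt ships with this package
"""

FETCH_TOOLS = re.compile(r"^\s*(?:sudo\s+)?(wget|curl)\b")
PLAIN_HTTP_URL = re.compile(r"\bhttp://\S+")          # "https://" does not match
CA_BUNDLE_NAMES = re.compile(r"cacert\.pem|ca-bundle|ca-certificates", re.I)
# curl: -k / --insecure, also when bundled into a short-flag group such as -skL
CURL_INSECURE = re.compile(r"(?<!\S)(?:-[a-zA-Z]*k[a-zA-Z]*|--insecure)(?=\s|$)")

def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, line) for each risky fetch.

    kinds: 'ca-bundle-over-http'   - the exact defect from this issue
           'plain-http'            - any other wget/curl over http://
           'verification-disabled' - wget --no-check-certificate or curl -k
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]            # drop trailing shell comments
        m = FETCH_TOOLS.match(code)
        if not m:
            continue
        tool = m.group(1)
        if PLAIN_HTTP_URL.search(code):
            kind = "ca-bundle-over-http" if CA_BUNDLE_NAMES.search(code) else "plain-http"
            findings.append((no, kind, line.strip()))
        if (tool == "wget" and "--no-check-certificate" in code) or \
           (tool == "curl" and CURL_INSECURE.search(code)):
            findings.append((no, "verification-disabled", line.strip()))
    return findings

if __name__ == "__main__":
    for no, kind, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {no}: {kind}: {line}")
```

Lines that only install the distribution's own CA package, as the commit message recommends, produce no finding.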
juliandunn added a commit that referenced this issue Feb 24, 2015
legal90 added a commit to legal90/bento that referenced this issue Nov 24, 2015
* commit '8f09552fff04535f8f57e3ab423d45784fad1313':
  Fixes chef#325, chef#318 - don't download cacert.pem
  change mirror to http.debian.net, fixes chef#322
  Fix minor typo in vm_name.
  update to debian 7.8
  Added links to Fedora 21 boxes
  Update to Ubuntu 14.04.1. Fixes chef#290
  Change company domain name to chef.io
  Update travis.yml for opscode to chef org rename
  Added Fedora 21 VB base boxes to README
  Remove EOL Fedora 19 content
  Fedora 19 is EOL as of January 6, 2015. https://lists.fedoraproject.org/pipermail/announce/2015-January/003248.html
  Make script zypper-locks.sh workable

Conflicts:
	packer/debian-7.8-amd64.json
	packer/debian-7.8-i386.json