[pve-devel] [pve-manager] Do not use a hardcoded Certificate Authority for https repositories

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Aug 17 13:42:15 CEST 2016


applied for 4.2 and cherry-picked for 3.4

On Wed, Jul 13, 2016 at 12:17:03PM +0200, Emmanuel Kasper wrote:
> Instead we will use the CA certificate provided by the
> ca-certificates package, which is now a mandatory dependency of
> pve-manager since 8204daafaf4063dabd8a23c36dfb16719650d2fc and
> pve-manager 4.2-17. This change allows us in the future to
> use different CAs for our https repositories.
> 
> This change has been tested OK with the following combinations:
>  * https repository using a StartCom certificate: works
>  * https repository using a Let's Encrypt certificate: works
> 
> User visible changes:
>  * none: the new configuration file 75pveconf silently
>  overwrites the older one, except if local changes were made,
>  in which case you're presented with the traditional Debian menu
>  (keep local / use packager version / diff / open a shell)
> ---
>  Makefile         | 10 +---------
>  debian/conffiles |  1 -
>  pve-apt.conf     |  3 ---
>  3 files changed, 1 insertion(+), 13 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index f6874e5..afff8c4 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -17,13 +17,6 @@ check:
>  %:
>  	set -e && for i in ${SUBDIRS}; do ${MAKE} -C $$i $@; done
>  
> -pve-repo-ca-certificates.crt:
> -	rm -rf ca-tmp
> -	mkdir ca-tmp
> -	cd ca-tmp; wget http://aia.startssl.com/certs/sub.class1.server.ca.pem
> -	cd ca-tmp; wget http://aia.startssl.com/certs/ca.pem
> -	cd ca-tmp; cat *.pem >../$@
> -
>  .PHONY: dinstall
>  dinstall: ${DEB}
>  	dpkg -i ${DEB}
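Review bot: the removed pve-repo-ca-certificates.crt target was the real problem this patch fixes, and the commit message should say so: it fetched the trust anchors with plain `wget http://aia.startssl.com/certs/sub.class1.server.ca.pem` and `wget http://aia.startssl.com/certs/ca.pem` and concatenated whatever came back with `cat *.pem >../$@`, with no signature or checksum verification, so the CA bundle used to verify the https repository was itself obtained over an unauthenticated channel. Please also confirm that no `clean` rule or other target still refers to ca-tmp or pve-repo-ca-certificates.crt now that the target is gone.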
> @@ -66,7 +59,7 @@ upload: ${DEB} check
>  #	rsync po/*.po po/pve-manager.pot pve.proxmox.com:/home/ftp/sources/po-files/
>  
>  .PHONY: install
> -install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf pve-repo-ca-certificates.crt mtu bridgevlan bridgevlanport vlan vlan-down
> +install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf mtu bridgevlan bridgevlanport vlan vlan-down
>  	install -d -m 0700 -o www-data -g www-data ${DESTDIR}/var/log/pveproxy
>  	install -D -m 0644 debian/pve.logrotate ${DESTDIR}/etc/logrotate.d/pve
>  	install -d ${DESTDIR}/usr/share/${PACKAGE}
> @@ -80,7 +73,6 @@ install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf p
>  	install -D -m 0644 pve-apt.conf ${DESTDIR}/etc/apt/apt.conf.d/75pveconf
>  	install -D -m 0644 pve-sources.list ${DESTDIR}/etc/apt/sources.list.d/pve-enterprise.list
>  	install -D -m 0644 pve-blacklist.conf ${DESTDIR}/etc/modprobe.d/pve-blacklist.conf
> -	install -D -m 0644 pve-repo-ca-certificates.crt ${DESTDIR}/etc/apt/pve-repo-ca-certificates.crt
>  	install -D -m 0644 vzdump.conf ${DESTDIR}/etc/vzdump.conf
>  	install -D -m 0755 vznet.conf ${DESTDIR}/etc/vz/vznet.conf
>  	install -D -m 0755 mtu ${DESTDIR}/etc/network/if-up.d/mtu
> diff --git a/debian/conffiles b/debian/conffiles
> index b91e728..7ad1dd6 100644
> --- a/debian/conffiles
> +++ b/debian/conffiles
> @@ -7,7 +7,6 @@
>  /etc/vzdump.conf
>  /etc/logrotate.d/pve
>  /etc/apt/apt.conf.d/75pveconf
> -/etc/apt/pve-repo-ca-certificates.crt
>  /etc/apt/sources.list.d/pve-enterprise.list
>  /etc/network/if-up.d/mtu
>  /etc/network/if-pre-up.d/vlan
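Review bot: dropping /etc/apt/pve-repo-ca-certificates.crt from debian/conffiles stops dpkg from managing it, but it does not remove the file on upgraded systems; dpkg leaves it behind as an obsolete conffile. Consider a `dpkg-maintscript-helper rm_conffile /etc/apt/pve-repo-ca-certificates.crt <LAST-VERSION-THAT-SHIPPED-IT> -- "$@"` call from the maintainer scripts so the stale, http-fetched StartCom bundle is cleaned up rather than lingering under /etc/apt (the version placeholder has to be filled in from the changelog).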
> diff --git a/pve-apt.conf b/pve-apt.conf
> index 9708de2..0391b74 100644
> --- a/pve-apt.conf
> +++ b/pve-apt.conf
> @@ -5,6 +5,3 @@ APT
>  	"^pve-kernel-.*";
>    };
>  }
> -
> -Acquire::https::enterprise.proxmox.com::CaInfo "/etc/apt/pve-repo-ca-certificates.crt";
> -Acquire::https::enterprise.proxmox.com::Verify-Peer "true";
> \ No newline at end of file
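Review bot: removing `Acquire::https::enterprise.proxmox.com::Verify-Peer "true";` together with the CaInfo line is only safe because Verify-Peer is already apt's default, so peer verification stays enabled and now chains to the system bundle from ca-certificates; the commit message should state that explicitly, since on its own this hunk reads as if verification for enterprise.proxmox.com were being switched off. It is also worth checking that no other file under apt.conf.d sets a global `Acquire::https::Verify-Peer "false"` that this host-specific override was masking.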
> -- 
> 2.1.4
> 