From: Emmanuel Kasper Date: Wed, 13 Jul 2016 10:17:03 +0000 (+0200) Subject: Do not use a hardcoded Certificate Authority for https repositories X-Git-Url: https://git.proxmox.com/?p=pve-manager.git;a=commitdiff_plain;h=9829cb0dea4e86c2b3c3f624ed5bdf9b273366d4 Do not use a hardcoded Certificate Authority for https repositories Instead we will use the CA certificate provided by the ca-certificates package, which is now a mandatory dependency of pve-manager since 067d24db982be44ff64cb5eb61a3297bba6afdc9 and pve-manager 4.2-17. This change allows us in the future to use a different CA for our https repositories. This change has been tested OK with the following combination: * https repository using a StartCom certificate: works * https repository using a Let's Encrypt certificate: works User visible changes: * none : the new configuration file 75pveconf silently overwrites the older one, except if local changes were made, in which case you're presented with the traditional Debian menu (keep local/ use packager version/ diff / open a shell) --- diff --git a/Makefile b/Makefile index f6874e51..afff8c49 100644 --- a/Makefile +++ b/Makefile @@ -17,13 +17,6 @@ check: %: set -e && for i in ${SUBDIRS}; do ${MAKE} -C $$i $@; done -pve-repo-ca-certificates.crt: - rm -rf ca-tmp - mkdir ca-tmp - cd ca-tmp; wget http://aia.startssl.com/certs/sub.class1.server.ca.pem - cd ca-tmp; wget http://aia.startssl.com/certs/ca.pem - cd ca-tmp; cat *.pem >../$@ - .PHONY: dinstall dinstall: ${DEB} dpkg -i ${DEB} 
@@ -66,7 +59,7 @@ upload: ${DEB} check # rsync po/*.po po/pve-manager.pot pve.proxmox.com:/home/ftp/sources/po-files/ .PHONY: install -install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf pve-repo-ca-certificates.crt mtu bridgevlan bridgevlanport vlan vlan-down +install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf mtu bridgevlan bridgevlanport vlan vlan-down install -d -m 0700 -o www-data -g www-data ${DESTDIR}/var/log/pveproxy install -D -m 0644 debian/pve.logrotate ${DESTDIR}/etc/logrotate.d/pve install -d ${DESTDIR}/usr/share/${PACKAGE} @@ -80,7 +73,6 @@ install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl pve-apt.conf p install -D -m 0644 pve-apt.conf ${DESTDIR}/etc/apt/apt.conf.d/75pveconf install -D -m 0644 pve-sources.list ${DESTDIR}/etc/apt/sources.list.d/pve-enterprise.list install -D -m 0644 pve-blacklist.conf ${DESTDIR}/etc/modprobe.d/pve-blacklist.conf - install -D -m 0644 pve-repo-ca-certificates.crt ${DESTDIR}/etc/apt/pve-repo-ca-certificates.crt install -D -m 0644 vzdump.conf ${DESTDIR}/etc/vzdump.conf install -D -m 0755 vznet.conf ${DESTDIR}/etc/vz/vznet.conf install -D -m 0755 mtu ${DESTDIR}/etc/network/if-up.d/mtu diff --git a/debian/conffiles b/debian/conffiles index b91e7284..7ad1dd65 100644 --- a/debian/conffiles +++ b/debian/conffiles @@ -7,7 +7,6 @@ /etc/vzdump.conf /etc/logrotate.d/pve /etc/apt/apt.conf.d/75pveconf -/etc/apt/pve-repo-ca-certificates.crt /etc/apt/sources.list.d/pve-enterprise.list /etc/network/if-up.d/mtu /etc/network/if-pre-up.d/vlan diff --git a/pve-apt.conf b/pve-apt.conf index 9708de2f..0391b748 100644 --- a/pve-apt.conf +++ b/pve-apt.conf @@ -5,6 +5,3 @@ APT "^pve-kernel-.*"; }; } - -Acquire::https::enterprise.proxmox.com::CaInfo "/etc/apt/pve-repo-ca-certificates.crt"; -Acquire::https::enterprise.proxmox.com::Verify-Peer "true"; \ No newline at end of file
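Review bot: The pve-apt.conf hunk drops `Acquire::https::enterprise.proxmox.com::Verify-Peer "true";` together with the CaInfo pin, although only the CaInfo line ties the repository to one CA. APT verifies the peer by default, but the host-specific setting also shielded this repository from a global `Acquire::https::Verify-Peer "false";` placed in another apt.conf.d file, so I would keep that one line and remove only CaInfo. With the pin gone, any CA in the system bundle can vouch for enterprise.proxmox.com, and the commit message should say that repository integrity still rests on APT's signature check of the repository metadata. Separately, /etc/apt/pve-repo-ca-certificates.crt is removed from debian/conffiles without a cleanup step, so it presumably stays on upgraded hosts as an obsolete conffile, and hosts that keep a locally modified 75pveconf will still point CaInfo at it.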