Open markdascher opened 6 years ago
Hi @markdascher,
Omitting the checksum is not a good option either, as a 3rd party could introduce their own bundle to hijack the connection. Embedding the whole bundle is not a solution either as it would require more work to update the bundle.
As a quick workaround, you can simply change the papertrail_pem_checksum variable in your inventory to the new value from next Tuesday. A PR can be raised to update it here directly too.
I think we could add an option to the role to allow not verifying the checksum, but this should be off by default.
Thanks @MiLk! I should point out that a 3rd party would have a tough time introducing their own bundle, as it is downloaded from https://papertrailapp.com/tools/papertrail-bundle.pem, which is secured with HTTPS. (And validate_certs is yes by default.)
My experience is that customers prefer to not have their deployments randomly break, hence the suggestion to either trust an HTTPS download or skip it entirely. But I have less experience with Ansible, so if this is the norm with Ansible roles, then perhaps everyone expects to update checksums occasionally.
One idea would be to not verify the checksum if papertrail_pem_checksum is set to an empty string.
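As an added example (not the role's own code), this is one way the empty-string behaviour proposed above could be expressed with Ansible's get_url module: the MD5 from the issue is verified when papertrail_pem_checksum is set, and the checksum parameter is omitted when it is empty, while TLS certificate validation still applies in both cases. The destination path is an assumption, not something from the issue.

```yaml
# defaults/main.yml (added example; not the role's own file)
# Value from the issue. An empty string skips checksum verification.
papertrail_pem_checksum: "2c43548519379c083d60dd9e84a1b724"
# Assumed destination path; not taken from the issue.
papertrail_pem_dest: /etc/papertrail-bundle.pem

# tasks/main.yml
- name: Download the Papertrail CA bundle
  get_url:
    url: https://papertrailapp.com/tools/papertrail-bundle.pem
    dest: "{{ papertrail_pem_dest }}"
    mode: "0644"
    # The HTTPS certificate is verified even when the checksum is skipped.
    validate_certs: yes
    # Verify the MD5 when a checksum is configured; pass nothing for the
    # parameter when papertrail_pem_checksum is an empty string.
    checksum: "{{ ('md5:' + papertrail_pem_checksum) if papertrail_pem_checksum else omit }}"

- name: Note when checksum verification is disabled
  debug:
    msg: "papertrail_pem_checksum is empty; the bundle was trusted on HTTPS alone."
  when: not papertrail_pem_checksum
```

Because the default keeps a checksum, verification stays on unless an inventory explicitly sets the variable to an empty string.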
Papertrail will be updating papertrail-bundle.pem on Tuesday, May 15. The new MD5 checksum will be 2c43548519379c083d60dd9e84a1b724, but given that we might continue updating this file from time to time, I'd recommend against simply hard-coding a new checksum. Instead, either omit the checksum entirely, or embed the entire bundle rather than downloading it. Either option ensures that Papertrail is free to update the source without breaking anyone's deployment.