aptly-dev / aptly

aptly - Debian repository management tool
https://www.aptly.info/
MIT License

aptly needs option for securing https client connections with certificate #292

Open dankegel opened 8 years ago

dankegel commented 8 years ago

It would be good if aptly could mirror a remote apt repository that was secured via https client certificates (see e.g. http://nategood.com/client-side-certificate-authentication-in-ngi http://serverfault.com/questions/340887/using-a-self-signed-ssl-cert-for-an-https-based-internal-apt-repository https://onebitbug.me/2014/08/09/setting-up-secure-private-ppa/ )

Workaround may be to use stunnel and unmodified aptly.

(I'm no Go programmer, but if I were implementing this myself, I might google at random for an example like https://gist.github.com/michaljemala/d6f4e01c4834bf47a9c4 and just start hacking :-)

dankegel commented 8 years ago

Here's a log from the affected user:

$ aptly mirror create -keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg  foobar-repo-clone https://pkgs.foobar.com/foobar-ubuntu/trusty trusty main

Downloading https://pkgs.foobar.com/foobar-ubuntu/trusty/dists/trusty/InRelease...
Downloading https://pkgs.foobar.com/foobar-ubuntu/trusty/dists/trusty/Release...
ERROR: unable to fetch mirror: https://pkgs.foobar.com/foobar-ubuntu/trusty/dists/trusty/Release: Get https:/foobar-ubuntu/trusty/dists/trusty/Release: x509: certificate signed by unknown authority

toninog commented 8 years ago

Did you ever get this working ? Or is it still an issue ?

I have the same problem.

dankegel commented 8 years ago

stunnel seems to be an ok workaround. An stunnel.conf like this:

cert = /opt/foobar/foo.client.crt
key = /opt/foobar/foo.client.key
client = yes

[foobar]
accept = 127.0.0.1:8889
connect = pkgs.foobar.com:443

seemed to allow aptly to access the repo via a tunnel.

toninog commented 8 years ago

Thanks for the reply - appreciate the answer.

This seems a bit of a kludge :) Is there a way that the CA cert of the self-signed certificate can be added so that aptly trusts the new CA?

I've added the certs to the /usr/share/ca-certificates folder (Ubuntu) and run: dpkg-reconfigure ca-certificates

I can see the cert is there, but aptly still does not read it or use it. How does aptly manage other certificates?

smira commented 8 years ago

@dankegel @toninog it seems that there are two questions:

  1. How to make aptly trust self-signed server TLS certificate?
  2. How to make aptly supply client TLS certificate while making HTTPS requests?

Am I right?

dankegel commented 8 years ago

Correct. Aptly should already be capable of #1 given proper system configuration.

#2 is an enhancement request, and stunnel is a mostly sufficient workaround for people who need that functionality now, IMHO. The target user who asked me for this hasn't really used it in practice, but I think he got past this problem using stunnel.

toninog commented 8 years ago

Correct. The real issue is that when accessing a site that has a self-signed certificate for https, aptly has no options to "bypass" or "ignore" the certificate.

dankegel commented 8 years ago

That's a completely different issue than the one I was reporting. Feel free to file a new enhancement request for that.

toninog commented 8 years ago

Sure. Looks like the same thing, but I guess I was wrong.

ghost commented 5 years ago

I've run into the problem mentioned by @dankegel in regard to using apt with locally provided TLS certs. My environment has a primary aptly instance and I needed another mirror of it within a different DC/region.

The following has worked for me; sharing for those needing a workaround in the meantime.

apt is configured as:

Acquire::http::Proxy {
    deb.example.com          "DIRECT";
};

Acquire::https::deb.example.com {
    Verify-Peer         "true";
    Verify-Host         "true";
    CaInfo              "/usr/share/apt-internal/ssl/debian-internal--ca.crt";
    SslCert             "/usr/share/apt-internal/ssl/debian-internal--client.crt";
    SslKey              "/usr/share/apt-internal/ssl/debian-internal--client.key";
};

APT::Get::Show-Versions "true";

Expanding on stunnel, add a configuration similar to the following pointing at the apt TLS client certs:

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid

CAFile = /usr/share/apt-internal/ssl/debian-internal--ca.crt
cert = /usr/share/apt-internal/ssl/debian-internal--client.crt
key = /usr/share/apt-internal/ssl/debian-internal--client.key
client = yes

[aptly_proxy]
accept = 127.0.0.1:8889
connect = deb.example.com:443

Start stunnel as normal and then mirror the host as normal (still working out the GPG part).

aptly -ignore-signatures mirror create sid-ci http://127.0.0.1:8889/debian-ci sid-ci
aptly -ignore-signatures mirror update sid-ci

Hope this helps anyone encountering the same issue.

everestmz commented 2 years ago

Is anybody actively working on this? I have the (bare minimum) functionality working in a fork (https://github.com/everestmz/aptly/commit/7d4586f46a2ffea3500d686300b93d0da40c6136). I'd be happy to clean it up, turn the env vars into flags etc and make a pull request, if it would be useful.

CC @smira since I don't think anyone is monitoring this issue. Please let me know if I should ping someone else.

everestmz commented 2 years ago

CC @lbolla - it looks like Andrey is no longer maintaining aptly

lbolla commented 2 years ago

@everestmz Sorry for the late reply. I'd be happy to look at your PR and merge it.
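Added example, not code from aptly or from anyone in this thread: the Go standard-library client configuration that gives a fetcher items 1 and 2 from smira's list natively (trust a private CA, present a client certificate), which is what the stunnel workaround above bolts on from the outside. Everything below NewMTLSClient is a constructed fixture: a throwaway CA, server and client certificate are minted in-process and an httptest server is configured to require client certificates, so the example runs offline. The CA name "Private Repo CA", the host "pkgs.example.internal" and the client name "aptly-mirror" are invented for the example; a real mirror would load the three PEM files from disk, as the apt Acquire::https stanza above does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewMTLSClient trusts only the CA in caPEM and presents certPEM/keyPEM as the client
// certificate: the behaviour this issue asks aptly for (example code, not aptly's own).
func NewMTLSClient(caPEM, certPEM, keyPEM []byte) (*http.Client, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("caPEM contains no CA certificate")
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("client cert/key: %w", err)
	}
	cfg := &tls.Config{
		RootCAs:      roots,                   // the private CA replaces the system store
		Certificates: []tls.Certificate{cert}, // offered when the server requests client auth
		MinVersion:   tls.VersionTLS12,
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 30 * time.Second}, nil
}

var serial int64 // serials must be unique per issuer; a counter is enough for a fixture
// issue mints a P-256 key and certificate for cn, signed by parent (self-signed if nil), and
// returns it with the PEM copies files would hold. Constructed fixture, not a real PKI.
func issue(cn string, ku x509.KeyUsage, parent *tls.Certificate, eku ...x509.ExtKeyUsage) (tls.Certificate, []byte, []byte) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on loopback
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)      // der was produced just above
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a fresh P-256 key
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf},
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// Demo runs a TLS server that demands a client certificate from the private CA, fetches a
// Release path with NewMTLSClient, and checks that a client with CA trust but no client cert
// (what stock aptly sends today) is refused.
func Demo() (status int, bareClientRejected bool, err error) {
	ca, caPEM, _ := issue("Private Repo CA", x509.KeyUsageCertSign, nil)
	server, _, _ := issue("pkgs.example.internal", x509.KeyUsageDigitalSignature, &ca, x509.ExtKeyUsageServerAuth)
	_, mirrorPEM, mirrorKeyPEM := issue("aptly-mirror", x509.KeyUsageDigitalSignature, &ca, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "Suite: trusty") }))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the repository demands a client cert
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	client, err := NewMTLSClient(caPEM, mirrorPEM, mirrorKeyPEM)
	if err != nil {
		return 0, false, err
	}
	resp, err := client.Get(srv.URL + "/dists/trusty/Release")
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	bare := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	_, bareErr := bare.Get(srv.URL + "/dists/trusty/Release")
	return resp.StatusCode, bareErr != nil, nil
}
```

The two halves of the tls.Config in NewMTLSClient map onto the two questions smira separated: RootCAs answers "trust this CA" without touching the system store (so no dpkg-reconfigure ca-certificates dance), and Certificates answers "present a client certificate". The bare client at the end of Demo shows the failure mode the stunnel workaround hides: the server finishes or aborts the handshake with a certificate-required alert, and the request never reaches the Release file.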