saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[BUG] Salt Package Repos are https-only #66399

Open NoRePercussions opened 4 months ago

NoRePercussions commented 4 months ago

Description

The Salt package repositories (repo.saltproject.io) force an https connection.

This is a problem for installation environments where SSL certificates cannot be verified, such as at some points of a Debian preseed. During this time, repositories are accessed over http and verified using their GPG key.

Steps to Reproduce the behavior

Try to access the package repository over plain http, either in an automated environment or manually.

in-target: Failed to fetch http://repo.saltproject.io/salt/py3/debian/12/amd64/latest/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx 443]

Despite using http, it is redirected to https (as seen by port 443 and cert errors).

$ curl -v http://repo.saltproject.io
* Host repo.saltproject.io:80 was resolved.
* IPv6: ---
* IPv4: ---
*   Trying ---:80...
* Connected to repo.saltproject.io (---) port 80
> GET / HTTP/1.1
> Host: repo.saltproject.io
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: CloudFront
< Date: Thu, 18 Apr 2024 18:20:11 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
< Location: https://repo.saltproject.io/
< X-Cache: Redirect from cloudfront
< Via: 1.1 ---.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: ---
< X-Amz-Cf-Id: ---
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>CloudFront</center>
</body>
</html>
* Connection #0 to host repo.saltproject.io left intact

Expected behavior

The repository should allow connections over http for use in environments where SSL is not usable and repositories should be verified via GPG.

Screenshots

See above for logs.
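Added example (not part of the original issue and not Salt project code): the report relies on apt's model, in which integrity comes from the GPG-signed repository metadata rather than from the transport. This Python code shows the step that follows the signature check, comparing a downloaded index file with the size and SHA256 listed in the signed Release body. It assumes the InRelease signature was already verified (for instance with gpgv) and the armor stripped; the function names and all sample data are constructed for illustration.

```python
import hashlib

def parse_sha256_section(release_text):
    """Map each index path to (sha256_hex, size) from a Release body."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def verify_index(release_text, path, data):
    """Compare bytes fetched over any transport with the signed metadata."""
    entries = parse_sha256_section(release_text)
    if path not in entries:
        return "unlisted"
    digest, size = entries[path]
    if len(data) != size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "hash-mismatch"
    return "ok"

# Constructed sample data, not taken from repo.saltproject.io.
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = b"Package: salt-minion\nVersion: 0.0.0-constructed\n"
RELEASE = (
    "Origin: constructed-example\n"
    "Suite: bookworm\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
    "Components: main\n"
)

if __name__ == "__main__":
    tampered = PACKAGES.replace(b"0.0.0", b"9.9.9")  # same length, new content
    print(verify_index(RELEASE, INDEX_PATH, PACKAGES))         # untouched download
    print(verify_index(RELEASE, INDEX_PATH, tampered))         # modified in transit
    print(verify_index(RELEASE, INDEX_PATH, PACKAGES + b"x"))  # padded download
```

A download altered on a plain-http path fails this comparison, which is why the signature on the Release metadata, not the TLS certificate, is the control that matters for package integrity in this setup.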

welcome[bot] commented 4 months ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!