Author: onefang Date: To: 'dng' Subject: Re: [DNG] SSL certificate or host mapping for ASCII updates for APT
On 2021-04-09 18:40:16, Olaf Meeuwissen via Dng wrote: > Hi Chris,
> crichmon@??? writes:
> > On 2021-04-08 15:32, Joril wrote:
> >> On 08/04/21 16:40, crichmon@??? wrote:
> >> > I'm trying to 'apt update' an ascii box, and the repos in the
> >> > aptsource list point here:
> >> >
> >> > deb http://us.deb.devuan.org/merged ascii main non-free contrib
> >> I think that "country mirrors" are deprecated, try using just
> >> deb.devuan.org
Correct, country codes like that are deprecated, but I'm working on
bringing them back. Do not use them now.
> > Actually, I did already try that after reading the docs on the web again,
> > and get the same problems using the same debugging tools.
> > Sparing the details.
> > /tmp# host deb.devuan.org
> > deb.devuan.org is an alias for deb.roundr.devuan.org.
> > <several IP's listed>
> > Trying to browse http://deb.devuan.org/ still fails.
> The package repositories aren't really meant for browser-based perusal
> but http://deb.devuan.org/ displays fine, as in an Apache/2.4 directory
> listing, for me. That may be because I chanced upon an IP address that
> supports that but if you *really* have SSL certificate issues, I guess
> your browser is *forcing* HTTPS upon you. Regular HTTP URLs don't use
Apt still uses HTTP if you ask it to use that, so the web servers don't
act any different, it's all HTTP protocol. So you CAN browse mirrors
using a web browser, so long as they are HTTP mirrors. There are also
FTP and RSYNC mirrors, but they all support HTTP at least.
> # You might want to make sure you add that http:// at the beginning of
> # that URL in your browser's location bar.
> > What I hadn't tried was 'apt update', which I'm doing now after
> > updating sources.list, and it is working, so apt doesn't exactly have
> > the same cert issues.
> That's because APT uses HTTP, not HTTPS, per your URL.
> APT downloads a signed InRelease file and checks that using GnuPG keys
> from the devuan-keyring package. If that checks out fine, the checksums
> in that file are used to verify the Packages and Sources files which, in
> turn contain checksums for the individual packages that are verified
> before `apt` goes ahead and install things.
> That is to say, APT doesn't rely on SSL certificates but on GnuPG keys
> to make sure you get exactly what the package maintainers intended.
> Hope this helps,
You are mostly correct. Apt CAN use https, but didn't by default, coz
the apt HTTPS transport isn't installed by default. I think it is
installed by default in Beowulf. However, it still only uses HTTPS if
the URLs in sources are https.
As for the deb.devuan.org round robin DNS, it picks one of our Devuan
package mirrors (at random I think) to send apt and http requests to.
Those mirrors do not have valid certificates for deb.devuan.org, but may
have valid certificates for whatever that servers actual domain name is.
If you really want to use HTTPS for apt, pick a nearby one from -
There is a further complication in some mirror servers auto convert HTTP
to HTTPS, which they should not do if they are responding to
deb.devuan.org, or if they are not redirecting to a Debian mirror. Coz
they have no idea if the Debian mirror round robin DNS system will send
the request to a Debian mirror that doesn't support a proper HTTPS cert
for the round robin DNS name.
TL;DR - don't use the CC.deb.devuan.org names, don't use https for
deb.devuan.org, do use https only with those mirrors that support HTTPS.
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
This message was posted to the following mailing lists: