Certification verification failed

egberts

New Member
Trying to set the Debian apt sources.list using https URI instead of http in compliance with many computer security standards.

Am getting the following error:

```
$apt update

Err:8 https://download.proxmox.com/debian/pve buster Release
Certificate verification failed: The certificate is NOT trusted.
The name in the certificate does not match the expected.
Could not handshake: Error in the certificate verification.
[144.217.225.162 443]
```

So this is it? We must use this download in an unsecured manner?

Community edition, for my home lab.
 

ph0x

Renowned Member
security.debian.org exclusively runs over http ...
The packages are signed in order to mitigate tampering, so what benefit would TLS bring?
 

egberts

New Member
The installer-loader crafted by Proxmox and placed in Proxmox ISO could easily be that unchecksummed/unverifiable executable and slipped into the HTTP data stream quite easily using most Man-in-the-Middle that are available in GitHub/GitLab. Of course, same MitM’d ISO can also match the sha256sum easily (as most people disregard to check for the exact file size).
Debian package management can do verification of each packages of files that THEY themselves installed but would NOT detect files being furtively installed outside of Debian apt.
- That would be a nice place for a persistent malware … to persist, no?

It’s a good idea to secure that channel.

And I use https with security.debian.org repository.
 

fabian

Proxmox Staff Member
TLS is not used to ensure authenticity for package downloads (authenticity is guaranteed via GPG signatures on the repository indices, which transitively protect the package/sources/.. indices, which transitively protect the individual package and other files downloaded).

The only benefit you get by using a TLS-enabled publicly available repository is a negligible amount of privacy (negligible since it's fairly trivial to correlate the amount of downloaded data with package indices/packages, since the data used for comparison is public). The only APT repos by Proxmox available via TLS are the enterprise ones, and that is mainly because they require authentication of the PVE system to the repository server, which in turn requires an encrypted connection in order to not leak the credentials to any observer.

See https://wiki.debian.org/SecureApt for some background on how APT works.
 

tom

Proxmox Staff Member
> egberts said:
> It’s a good idea to secure that channel.

If you still think the update repo over http is not secure, you can get a subscription. The enterprise repo works with https.
 

egberts

New Member
> tom said:
> If you still think the update repo over http is not secure, you can get a subscription. The enterprise repo works with https.

That’s an interesting business model, that is until a persistent script appears that cannot be verified or removed by either Debian or Proxmox APT protection.

Thank you for the clarification.
 

tom

Proxmox Staff Member
> egberts said:
> that’s an interesting business model

This is not our business model, it's just how our repos are organized.

Packages are secured with GPG signatures (not with "https"...)
 

egberts

New Member
> fabian said:
> TLS is not used to ensure authenticity for package downloads (authenticity is guaranteed via GPG signatures on the repository indices, which transitively protect the package/sources/.. indices, which transitively protect the individual package and other files downloaded).
>
> The only benefit you get by using a TLS-enabled publicly available repository is a negligible amount of privacy (negligible since it's fairly trivial to correlate the amount of downloaded data with package indices/packages, since the data used for comparison is public). The only APT repos by Proxmox available via TLS are the enterprise ones, and that is mainly because they require authentication of the PVE system to the repository server, which in turn requires an encrypted connection in order to not leak the credentials to any observer.
>
> See https://wiki.debian.org/SecureApt for some background on how APT works.

> tom said:
> This is not our business model, it's just how our repos are organized.
>
> Packages are secured with GPG signatures (not with "https"...)

Please send GPG public key for more details
 
