get gpg key through trusted https

A

aurelagep

New Member
Sep 24, 2019
5
0
1
34
Hi,

Currently we cannot retrieve the gpg keys through trused https connection. It's an untrusted certificate.
Could you please improve this or give a way to safely get a GPG key ?

$ export LC_ALL=C ; wget https://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
--2019-09-24 15:53:24-- https://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving download.proxmox.com (download.proxmox.com)... 212.224.123.70, 2a01:7e0:0:424::249
Connecting to download.proxmox.com (download.proxmox.com)|212.224.123.70|:443... connected.
The certificate's owner does not match hostname 'download.proxmox.com'


Thanks
Regards,Aurelien
 
Use the --no-check-certificate argument to 'wget':
Code: 
wget --no-check-certificate https://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg

EDIT: The above will NOT work anyway as the HTTPS redirect currently does not have the key files
 
Last edited:
Hi,
The problem is that it's a workaround, the certificate should trusted otherwise it break the chain of trust ?
 
I understand and agree it would be better if they added a SAN to their server certificate for download.proxmox.com or a wildcard SAN with respect to automatically accepting the certificate. However, you have manually verified that you are connecting to the correct server and therefore trust the certificate enterprise.proxmox.com, so you can use the "workaround" for the application until the certificate is corrected.

EDIT:

However, I just checked and the HTTPS redirects to a DIFFERENT server/location. Thus, it appears currently the only way to retrieve the key is VIA HTTP -- not HTTPS (regardless of certificate SAN).

Code: 
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg

Perhaps a Proxmox admin will see this thread and add the key files to the secure location as well.
 
Last edited:
Thank you for your feedback, I didn't spot the redirection.
I think it's wise to push this to an admin in order increase the security concern.
Indeed the documentation only use http
 
Hi all,
We are still following this thread with my team to implement this in our ansible playbook ;)
I think other people are interested by this thread
Have a good day
 
Hi Fabian,
Thanks for your fast reply !
Interesting way to go. Let me implement something and I'll come back to you
Cheers,
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back