Currently, the lxc templates are downloaded from http://download.proxmox.com, which is also used as the domain for the Proxmox Debian repository.
It was already reported that the domain has an invalid SSL certificate, which the Proxmox Staff pointed to not be a big concern as the Debian packages are signed.
However, the templates don't seem to be signed, yet their checksum is validated. Moreover, nowadays Debian allows HTTPS connections to the https://deb.debian.org/ repositories.
In any case, this represents data that is leaked to potential MITM attackers that could be easily avoided with a free Let's Encrypt certificate. Please review the decision of not fixing the certificate issue, as nowadays there are cost-effective automation options to handle it.