How can i force apt-get or apt to use only https connections

Question

I am running a mongo db docker container on a network using only https. The container uses apt-get for installing packages. Since network allows only https connections,apt-get is not working for me. I have tried to change http with https in /etc/apt/sources.list and /etc/apt/sources.list.d after installing apt-transport-https. But nothing worked for me. Here is my /etc/apt/sources.list after replacing https with https

deb https://deb.debian.org/debian jessie main
deb https://security.debian.org/debian-security jessie/updates main
deb https://deb.debian.org/debian jessie-updates main

The mongodb-org.list file in /etc/apt/sources.list.d looks like

deb https://repo.mongodb.org/apt/debian jessie/mongodb-org/3.2 main

after doing all this apt-get update shows

Get:1 https://repo.mongodb.org jessie/mongodb-org/3.2 InRelease [384 B]
Ign https://repo.mongodb.org jessie/mongodb-org/3.2 InRelease
Get:2 https://repo.mongodb.org jessie/mongodb-org/3.2 Release.gpg [801 B]
Hit https://repo.mongodb.org jessie/mongodb-org/3.2 Release
Get:3 https://deb.debian.org jessie InRelease [309 B]
Ign https://deb.debian.org jessie InRelease
Hit https://deb.debian.org jessie-updates InRelease
Ign https://security.debian.org jessie/updates InRelease
Ign https://repo.mongodb.org jessie/mongodb-org/3.2 Release
Get:4 https://repo.mongodb.org jessie/mongodb-org/3.2/main amd64 Packages [10.6 kB]
Hit https://deb.debian.org jessie Release.gpg
Ign https://security.debian.org jessie/updates Release.gpg
Ign https://security.debian.org jessie/updates Release
Get:5 https://deb.debian.org jessie-updates/main amd64 Packages [337 B]
Err https://security.debian.org jessie/updates/main amd64 Packages

Hit https://deb.debian.org jessie Release
Err https://security.debian.org jessie/updates/main amd64 Packages

Err https://security.debian.org jessie/updates/main amd64 Packages

Get:6 https://deb.debian.org jessie/main amd64 Packages [329 B]
Err https://security.debian.org jessie/updates/main amd64 Packages

Err https://security.debian.org jessie/updates/main amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Fetched 9110 kB in 8s (1096 kB/s)
W: GPG error: https://repo.mongodb.org jessie/mongodb-org/3.2 Release: The following signatures were invalid: KEYEXPIRED 1570654450
W: Size of file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz is not what the server reported 20 337
W: Failed to fetch https://security.debian.org/debian-security/dists/jessie/updates/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.

This is an interesting find. It appears that security.debian.org presents an SSL certificate for schmelzer.debian.org. This is failing for good reason! — Philip Couling, Nov 19 '19 at 12:30

GAD3R · Accepted Answer · 2019-11-20T08:12:27.957

4

The security updates can't be retrieved from https connection , explained on debian

The security.debian.org hosts currently do not have publicly verifiable SSL certificates on HTTPS and hence cannot be used with HTTPS at the moment.

Your can edit your /etc/apt/sources.list as follow:

deb https://deb.debian.org/debian jessie main
deb http://security.debian.org/debian-security jessie/updates main
deb https://deb.debian.org/debian jessie-updates main

To solve the gpg key error for MongoDB , you should update the gpg key, see Import the public key used by the package management system:

wget -qO - https://www.mongodb.org/static/pgp/server-3.2.asc | sudo apt-key add -

edited Nov 20 '19 at 08:12

answered Nov 19 '19 at 18:49

GAD3R

66,769

1

can i remove security.debian.org and use HTTPS version for others ? any issue because of that ? – Pratheesh Nov 20 '19 at 04:27
@xaglez The issue is you can't receive the security updates. It is strongly recommended to keep the security repository in your sources. – GAD3R Nov 20 '19 at 08:16
1

The issue is my network only allows HTTPS connections and blocks all incoming and outgoing HTTP connections .So if we keep security repository ,which only have HTTP mirror i will not be able to do apt operations – Pratheesh Nov 20 '19 at 08:43

score 0 · Answer 2 · edited Sep 28 '21 at 07:53

0

If you are using Debian, update your /etc/apt/sources.list entries to point to the official https mirror redirector:

deb https://deb.debian.org/debian/ <dist> <suite>
deb-src https://deb.debian.org/debian/ <dist> <suite>

e.g. for Debian unstable:

deb https://deb.debian.org/debian/ unstable main
deb-src https://deb.debian.org/debian/ unstable main

You can refer these for more-

Uasigned bug

edited Sep 28 '21 at 07:53

Hazim

103

answered Nov 19 '19 at 11:44

champion-runner

915

deb https://deb.debian.org/debian jessie main deb https://security.debian.org/debian-security jessie/updates main deb https://deb.debian.org/debian jessie-updates main i have changed my source.list like this .But im not able to use apt-get or apt for installing packages – Pratheesh Nov 19 '19 at 12:56

How can i force apt-get or apt to use only https connections

2 Answers2

Linked