# Ubuntu 18.04 apt HTTPS upgrade

> Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of secure transport can also mitigate against future zero-day, remote code vulnerabilities with package managers themselves, such as [CVE-2019-3462](https://security-tracker.debian.org/tracker/CVE-2019-3462), [CVE-2016-1252](https://security-tracker.debian.org/tracker/CVE-2016-1252) and [CVE-2014-6273](https://security-tracker.debian.org/tracker/CVE-2014-6273) in the past.

This short guide aims to help in upgrading the default repositories' URLs from plaintext to encrypted.

## Virtual Machine

### AWS User Data / GCP Startup Script

```bash
#!/bin/bash -ex
# Point every archive.ubuntu.com / *.archive.ubuntu.com / security.ubuntu.com
# entry at the HTTPS CDN, keeping a copy of the original as sources.list.orig
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security)\.ubuntu\.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list
```

The command simply replaces Ubuntu's default mirrors (which only serve HTTP) with a known, reliable CDN, making a backup file (with extension _.orig_) in the process.

## Container

### Dockerfile

```Dockerfile
FROM ubuntu:18.04

# 1. temporarily disable peer verification (no CA bundle in the base image yet)
# 2. switch the default mirrors to the HTTPS CDN (backup kept as sources.list.orig)
# 3. fetch the CA bundle over the now-HTTPS mirror
# 4. remove the temporary snippet so verification is back on for every later layer
RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
    sed --in-place=.orig --regexp-extended 's%http://(.*archive|security)\.ubuntu\.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list && \
    apt-get update && \
    apt-get install --assume-yes ca-certificates && \
    rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf
```

These commands first turn off SSL certificate verification because (a) the container build process may be behind [DiscrimiNAT](/discriminat/) already and (b) the CA certificates bundle needs to be downloaded for the verification process to work. [DiscrimiNAT](/discriminat/) independently verifies each connection and will ensure _apt_ connected to the CDN specified in spite of not verifying the certificate. The configuration that turned the verification off is removed after the bundle is installed.
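As an added example (not part of this guide), the script below applies the same rewrite and then audits the result: it flags any `deb`/`deb-src` line still fetching over plaintext HTTP (third-party sources the `sed` pattern does not cover), and any leftover `apt.conf.d` snippet that still disables peer verification. The function names and the sample `sources.list` are constructed for the demonstration.

```bash
#!/bin/bash
set -eu

# Same rewrite as the guide (dots escaped), keeping a .orig backup.
# Argument: path to the sources.list to rewrite.
upgrade_sources_list() {
    sed --in-place=.orig --regexp-extended \
        's%http://(.*archive|security)\.ubuntu\.com%https://mirrors.edge.kernel.org%g' "$1"
}

# Audit: list every active (non-comment) deb/deb-src line that still uses
# http://. Returns 1 if any remain, 0 if the file is clean.
audit_plaintext_sources() {
    local hits
    hits=$(grep -E '^[[:space:]]*deb(-src)?[[:space:]].*http://' "$1" || true)
    if [ -n "$hits" ]; then
        printf 'Plaintext apt sources remain in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Audit: return 1 if any snippet in the apt.conf.d directory (default
# /etc/apt/apt.conf.d) still sets Verify-Peer to false, e.g. a temporary
# file like the one in the Dockerfile that was never removed.
audit_verify_peer() {
    local dir="${1:-/etc/apt/apt.conf.d}"
    if grep -rIiE 'Verify-Peer[[:space:]]+"?false' "$dir" 2>/dev/null; then
        echo "Peer verification is disabled in $dir" >&2
        return 1
    fi
    return 0
}

# Constructed sample sources.list (not a real system file) for a self-check:
# two default mirrors that the rewrite covers, a commented-out line, and a
# PPA that stays on http:// and must be caught by the audit.
demo_sources_list() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main
# deb http://archive.canonical.com/ubuntu bionic partner
deb http://ppa.launchpad.net/example/ppa/ubuntu bionic main
EOF
    upgrade_sources_list "$tmp"
    echo "$tmp"
}
```

Run `audit_plaintext_sources /etc/apt/sources.list && audit_verify_peer` in a finished image or VM to confirm nothing plaintext or unverified was left behind.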

## Allowlist

### FQDNs

```
mirrors.edge.kernel.org
```

### DiscrimiNAT Annotation

```
discriminat:tls:mirrors.edge.kernel.org
```

### Alternative Mirrors

Although `mirrors.edge.kernel.org` is a CDN with geo-located caches, you may want to pick a specific `https` mirror from Ubuntu's [official mirrors list](https://launchpad.net/ubuntu/+archivemirrors).
