Ubuntu 20.04 apt HTTPS upgrade

Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of secure transport can also mitigate future zero-day remote code execution vulnerabilities in the package managers themselves, such as CVE-2019-3462, CVE-2016-1252 and CVE-2014-6273 in the past.

This short guide aims to help in upgrading the default repositories' URLs from plaintext to encrypted.

Virtual Machine

AWS User Data / GCP Startup Script

#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list

The command simply replaces Ubuntu's default mirrors (which only serve HTTP) with a known, reliable CDN that serves HTTPS, leaving a backup of the original file as /etc/apt/sources.list.orig in the process.
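As an added example (not part of the original guide), the same substitution as the one-liner above, wrapped in shell functions so it can be dry-run against a sources.list before touching the real file, together with a check that no active deb/deb-src line still points at a plaintext ubuntu.com mirror. The sample sources.list content is constructed for the example; sed -E is used instead of --regexp-extended so it also runs on non-GNU sed.

```bash
#!/bin/bash
# Added example: rewrite an Ubuntu sources.list to the HTTPS CDN and verify
# that no plaintext ubuntu.com mirror remains. Not the page's own script.

# Constructed sample of an Ubuntu 20.04 sources.list (not captured from a host).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu focal main restricted
deb http://us.archive.ubuntu.com/ubuntu focal-updates main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted
# deb-src http://archive.ubuntu.com/ubuntu focal main restricted'

# Same substitution as the guide's one-liner, but reading stdin and writing
# stdout instead of editing in place, so the result can be inspected first.
# Dots in the hostname are escaped so they only match literal dots.
rewrite_sources() {
    sed -E 's%http://(.*archive|security)\.ubuntu\.com%https://mirrors.edge.kernel.org%g'
}

# Returns 0 (true) if any active deb/deb-src line on stdin still fetches from a
# ubuntu.com host over plain http://. Commented-out lines are ignored.
has_plaintext_ubuntu_mirror() {
    grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+http://[^[:space:]]*ubuntu\.com'
}

# Stand-alone run: show the rewritten sample and report the check result.
rewritten=$(printf '%s\n' "$SAMPLE_SOURCES" | rewrite_sources)
printf '%s\n' "$rewritten"
if printf '%s\n' "$rewritten" | has_plaintext_ubuntu_mirror; then
    echo "plaintext ubuntu.com mirror still present" >&2
else
    echo "all active mirror lines now use HTTPS"
fi
```

On a real host, run the rewrite as `rewrite_sources < /etc/apt/sources.list` to preview, then apply the guide's --in-place form once the output looks right; the check function is a useful post-deployment assertion in configuration tests.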

Container

Dockerfile

FROM ubuntu:20.04

RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list && \
apt-get update && \
apt-get install --assume-yes ca-certificates && \
rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf

These commands first turn off SSL certificate verification because (a) the container build process may be behind DiscrimiNAT already and (b) the CA certificates bundle needs to be downloaded before the verification process can work. DiscrimiNAT independently verifies each connection and will ensure apt connected to the CDN specified in spite of not verifying the certificate; apt's own signature checks on the Release and Packages files still apply during that step, so only transport verification is temporarily relaxed. The configuration that turned the verification off is removed after the bundle is installed.

Allowlist

FQDNs

mirrors.edge.kernel.org

DiscrimiNAT Annotation

discriminat:tls:mirrors.edge.kernel.org

Alternative Mirrors

Although mirrors.edge.kernel.org is a CDN with geo-located caches, you may want to pick a specific HTTPS mirror from Ubuntu's official mirrors list. If you do, update the allowlisted FQDN and the DiscrimiNAT annotation above to match the mirror you choose.