Ubuntu 20.04 apt HTTPS upgrade
Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of secure transport can also mitigate against future zero-day, remote code vulnerabilities with package managers themselves, such as CVE-2019-3462, CVE-2016-1252 and CVE-2014-6273 in the past.
This short guide aims to help in upgrading the default repositories' URLs from plaintext to encrypted.
Virtual Machine
AWS User Data / GCP Startup Script
#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list
The command simply replaces Ubuntu's default mirrors (which only serve HTTP) with a known, reliable CDN, making a backup file (with extension .orig) in the process.
Container
Dockerfile
FROM ubuntu:20.04
RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list && \
apt-get update && \
apt-get install --assume-yes ca-certificates && \
rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf
These commands first turn off SSL certificate verification because (a) the container build process may be behind DiscrimiNAT already and (b) the CA certificates bundle needs to be downloaded for the verification process to work. DiscrimiNAT independently verifies each connection and will ensure apt connected to the CDN specified in spite of not verifying the certificate. The configuration that turned the verification off is removed after the bundle is installed.
Allowlist
FQDNs
mirrors.edge.kernel.org
DiscrimiNAT Annotation
discriminat:tls:mirrors.edge.kernel.org
Alternative Mirrors
Although mirrors.edge.kernel.org
is a CDN with geo-located caches, you may want to pick a specific https
mirror from Ubuntu's official mirrors list.