Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of secure transport can also mitigate future zero-day remote code execution vulnerabilities in the package managers themselves, of which CVE-2019-3462, CVE-2016-1252 and CVE-2014-6273 are past examples.
This short guide aims to help in upgrading the default repositories' URLs from plaintext HTTP to HTTPS.
AWS User Data / GCP Startup Script
sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list
The command replaces Ubuntu's default mirrors (which only serve HTTP) with a known, reliable CDN that serves HTTPS, saving a backup of the original file (with the extension .orig) first.
Dockerfile
RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
    sed --in-place=.orig --regexp-extended 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' /etc/apt/sources.list && \
    apt-get update && \
    apt-get install --assume-yes ca-certificates && \
    rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf
These commands first turn off TLS certificate verification in apt because (a) the container build may already be running behind DiscrimiNAT and (b) the CA certificate bundle itself has to be downloaded before verification can work. DiscrimiNAT independently verifies each connection and ensures apt connected to the specified CDN despite apt not verifying the certificate. The temporary configuration file that disabled verification is removed once the bundle is installed.
mirrors.edge.kernel.org is a CDN with geo-located caches; you may instead want to pick a specific HTTPS mirror from Ubuntu's official mirrors list.
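As an added example that is not part of this guide, the same substitution wrapped in a function alongside an audit that fails whenever an active deb line still fetches over plain HTTP, so a build can be gated on it. The sample sources.list content and the temporary file path are constructed here, and GNU or BSD sed is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide. Rewrites Ubuntu's HTTP mirrors in a
# sources.list to the HTTPS CDN used above, keeps a .orig backup, then audits the
# file for any active entry still fetching over plaintext. Assumes GNU or BSD sed.

# Same substitution as the guide's sed command (short options for portability).
upgrade_sources() {
    sed -i.orig -E 's%http://(.*archive|security).ubuntu.com%https://mirrors.edge.kernel.org%g' "$1"
}

# Lists every active deb/deb-src line (comments skipped, [options] allowed) that
# still uses http://. Returns 0 when none remain, 1 otherwise.
audit_sources() {
    ! grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' "$1"
}

# Constructed sample covering the cases the regex must handle: a country mirror,
# the security pocket, a deb-src line, a commented-out line, and a third-party
# repository already on HTTPS that must be left untouched.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu focal main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main restricted
deb http://security.ubuntu.com/ubuntu focal-security main
# deb http://archive.canonical.com/ubuntu focal partner
deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
EOF

upgrade_sources "$SAMPLE"
if audit_sources "$SAMPLE"; then
    echo "all active apt sources in $SAMPLE now use HTTPS"
fi
```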