MAAS: How to disable cert verification under Package Repo?

Hello,

We have a local mirror of Ubuntu archives and we are hosting it under HTTPS only.

Is there a way to configure MAAS → Settings → Package Repo to not verify server certificate?

In an ordinary Ubuntu VM, we can pass the Acquire::https and set Verify-Peer and Verify-Host, but under ephemeral images, I don’t find that option.

Thanks,
Jewsco

Hi,

Off the top of my head, this can’t be achieved easily. In the deployed machines it’s easy, but for ephemeral images (meaning the commissioning and the image that is loaded to install the target OS) it’s more tricky.

When the ephemeral image boots it gets a cloud-init preseed with the apt configuration like

#cloud-config
apt:
  preserve_sources_list: false
  proxy: whatever
  sources_list: 'deb http://archive.ubuntu.com/ubuntu $RELEASE universe main restricted
    multiverse

    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE universe main restricted multiverse

    deb http://archive.ubuntu.com/ubuntu $RELEASE-updates universe main restricted
    multiverse

    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-updates universe main restricted
    multiverse

    deb http://archive.ubuntu.com/ubuntu $RELEASE-security universe main restricted
    multiverse

    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-security universe main restricted
    multiverse

    deb http://archive.ubuntu.com/ubuntu $RELEASE-backports universe main restricted
    multiverse

    # deb-src http://archive.ubuntu.com/ubuntu $RELEASE-backports universe main restricted
    multiverse'

but MAAS doesn’t let you customize it with all the options supported by cloud-init. However, to my knowledge cloud-init does not have an option to ignore the certificates. It’s possible to set a custom CA certificate, but not to ignore it.

Hi @r00ta, thanks for responding, appreciate it.

Where do I set the custom CA certificate? I see a key option under Repo Packages but I think this is for GPG signature for individual packages, not for CA certificate.
Cloud-init has an apt conf parameter (shown below) that can be passed to ignore cert verification but like you said, customization is not supported by MAAS so I’m not sure of this route.

#cloud-config
apt:
  preserve_sources_list: false
  proxy: whatever
  sources_list: 'deb http://archive.ubuntu.com/ubuntu $RELEASE universe main restricted
    multiverse'

  conf: | # APT config
    Acquire::https {
         Verify-Peer "false";
         Verify-Host "false";
    }
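
A defender-side check for the setting discussed in this thread, as an added example that is not part of the original posts or of MAAS: it parses apt.conf-style text (such as the `conf` value of a cloud-init `apt` section) and reports every `Acquire::https` Verify-Peer or Verify-Host setting that is switched off, including host-scoped ones. The function names, the hostname and the CA path are assumptions made for the example.

```python
import re

# Quoted strings first, so "//" inside a quoted URL is not read as a comment.
TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+', re.S)
CHECKS = {"verify-peer", "verify-host"}
FALSE_WORDS = {"false", "no", "0", "off", "without", "disable"}  # apt's false spellings

def apt_settings(text):
    """Yield (Full::Name, value) pairs from apt.conf text, expanding { } scopes."""
    scope, name = [], None
    for tok in TOKEN.findall(text):
        if tok.startswith(("//", "/*")):
            continue
        if tok == "{":
            scope.append(name or "")
            name = None
        elif tok == "}":
            if scope:
                scope.pop()
            name = None
        elif tok == ";":
            name = None
        elif name is None and not tok.startswith('"'):
            name = tok
        elif name is not None:
            yield "::".join(filter(None, scope + [name])), tok.strip('"')

def disabled_tls_checks(text):
    """Return the Acquire::https settings that switch certificate checks off."""
    hits = []
    for name, value in apt_settings(text):
        parts = name.lower().split("::")
        if (parts[:2] == ["acquire", "https"] and parts[-1] in CHECKS
                and value.lower() in FALSE_WORDS):
            hits.append(name)
    return hits

# The conf block quoted in the post above.
THREAD_CONF = 'Acquire::https {\n     Verify-Peer "false";\n     Verify-Host "false";\n}\n'
# Constructed samples: a host-scoped override, and a private CA with checks left on.
HOST_SCOPED = 'Acquire::https::mirror.example.internal::Verify-Peer "no"; // lab only\n'
PRIVATE_CA = ('Acquire::https::CaInfo "/etc/ssl/certs/mirror-ca.pem";\n'
              'Acquire::https::Verify-Peer "true";\n')

if __name__ == "__main__":
    for label, conf in [("thread", THREAD_CONF), ("host", HOST_SCOPED), ("ca", PRIVATE_CA)]:
        print(label, disabled_tls_checks(conf))
```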

Unfortunately there is no way to customize it atm, unless you patch the sources here: https://github.com/canonical/maas/blob/aafd77c4a9939d0fb1c03f2b5bd80659a1ddce08/src/maasserver/compose_preseed.py#L161. Feel free to open a feature request.