From 0854e2c66051c7dae404fabacd515378b1875c5e Mon Sep 17 00:00:00 2001 From: jtimberman Date: Tue, 24 Feb 2015 10:46:02 -0700 Subject: [PATCH] Fixes #325, #318 - don't download cacert.pem This addresses both concerns of #318 and #325. We were downloading the SSL CA bundle over http because at the point in time when we wanted to even do that we might not have been in a state where the SSL certificates from curl.haxx.se could be verified. Using http is just as good at that point as using SSL without verification. However... This addresses the concern raised in #325, whereby the upstream cacert.pem removed certificates used by services such as AWS S3, causing SSL connections to those sites to fail to verify. We should rely on the ca-bundle.crt that comes with the openssl package on the platforms in question (centos/fedora). --- packer/http/centos-5.11/ks.cfg | 2 -- packer/http/centos-6.6/ks.cfg | 2 -- packer/http/centos-7.0/ks.cfg | 2 -- packer/http/fedora-20/ks.cfg | 2 -- packer/http/fedora-21/ks.cfg | 2 -- packer/scripts/fedora/ks.cfg | 2 -- 6 files changed, 12 deletions(-) diff --git a/packer/http/centos-5.11/ks.cfg b/packer/http/centos-5.11/ks.cfg index 90df3c584..c1c974fdb 100644 --- a/packer/http/centos-5.11/ks.cfg +++ b/packer/http/centos-5.11/ks.cfg @@ -69,8 +69,6 @@ yum -zd1211-firmware %post -# update root certs -wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # sudo echo "vagrant ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers diff --git a/packer/http/centos-6.6/ks.cfg b/packer/http/centos-6.6/ks.cfg index 13be8109b..d7215076d 100644 --- a/packer/http/centos-6.6/ks.cfg +++ b/packer/http/centos-6.6/ks.cfg @@ -64,8 +64,6 @@ nfs-utils %post # Force to set SELinux to a permissive mode sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config -# update root certs -wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # sudo echo "%vagrant ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/vagrant sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers diff --git a/packer/http/centos-7.0/ks.cfg b/packer/http/centos-7.0/ks.cfg index 55763e889..c5414695f 100644 --- a/packer/http/centos-7.0/ks.cfg +++ b/packer/http/centos-7.0/ks.cfg @@ -74,8 +74,6 @@ bzip2 %end %post -# update root certs -wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # sudo echo "%vagrant ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/vagrant sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers diff --git a/packer/http/fedora-20/ks.cfg b/packer/http/fedora-20/ks.cfg index 4e3db2946..2e3e13e55 100644 --- a/packer/http/fedora-20/ks.cfg +++ b/packer/http/fedora-20/ks.cfg @@ -39,8 +39,6 @@ net-tools %end %post -# update root certs -wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # sudo echo 'Defaults:vagrant !requiretty' > /etc/sudoers.d/vagrant echo '%vagrant ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/vagrant diff --git a/packer/http/fedora-21/ks.cfg b/packer/http/fedora-21/ks.cfg index 4e3db2946..2e3e13e55 100644 --- a/packer/http/fedora-21/ks.cfg +++ b/packer/http/fedora-21/ks.cfg @@ -39,8 +39,6 @@ net-tools %end %post -# update root certs -wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # sudo echo 'Defaults:vagrant !requiretty' > /etc/sudoers.d/vagrant echo '%vagrant ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/vagrant diff --git a/packer/scripts/fedora/ks.cfg b/packer/scripts/fedora/ks.cfg index aee62b7f3..3b631a377 100644 --- a/packer/scripts/fedora/ks.cfg +++ b/packer/scripts/fedora/ks.cfg @@ -38,8 +38,6 @@ nfs-utils %end %post -# update root certs -wget -O /etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem # vagrant groupadd vagrant useradd vagrant -g vagrant -G wheel -u 900