Bootstrap of Debian family broken in 2017.08.17 #1137
Comments
Confirming reverting salt-bootstrap to v2017.05.24 fixed the problem.
It should work in Debian 8 "jessie", because there is an old version of GnuPG which uses However, in GnuPG 2.1 (introduced in Debian 9 "stretch" and Ubuntu starting from 16.10 I believe) the key is going to be downloaded with Thanks for reporting, this definitely should be fixed and implemented reliably. @rallytime I'll try to get on this next week or so.
Fix #1137: import GPG key through an HTTP(S) proxy
Finally had time to check this today with current develop HEAD:
It still fails to retrieve the key. Maybe it needs an explicit HTTPS proxy setting.
@vutny Do you mind swinging back around here when you have a moment?
Testing again today, both stable & develop are still broken. Also, I cannot use stable as-is now as it does not know about 2017.7 which is the current release I use on my infra.
Re-reading the PR, using -l is not acceptable as I don't want to get rid of SSL validations, and making the proxy transparent is not possible either, as it comes with its own problems and this is not required by 100% of the rest of the infrastructure I manage. Can't we just go back to the old method, as dirmngr is unlikely to be unbroken in the near future?
GnuPG2 does not support proxies using the CONNECT method which means only transparent proxies are supported for encrypted traffic or one must degrade security by disabling encryption during provisioning.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Description of Issue/Question
Setup
I run minions in a network with Internet access only available through an HTTP proxy.
After upgrading to 2017.08.17, bootstrapping new minions fails due to changes introduced in commit 0e45ba1.
Logs
You can see apt-key timing out and later apt failing due to a security warning.
Versions and Systems