Supermarket cookbook URL not using TLS


#1

I’ve used the Chef Supermarket cookbook from https://github.com/opscode-cookbooks/supermarket to deploy a private Supermarket. By default Supermarket seems to store cookbook references with a standard HTTP URI, but TLS is already configured on the private Supermarket with a proper cert. For example, the URI: https://UNDISCLOSED/api/v1/cookbooks/my-keepalived/versions/0.1.3/ returns

{"license":"All Rights Reserved","tarball_file_size":349297,"version":"0.1.3","average_rating":null,"cookbook":"http://UNDISCLOSED/api/v1/cookbooks/my-keepalived","file":"http://UNDISCLOSED/api/v1/cookbooks/my-keepalived/versions/0.1.3/download","dependencies":{"python":">= 0.0.0","ark":">= 0.0.0","shared_ip":">= 0.0.0","keepalived":">= 0.0.0"}}

It gives a reference to HTTP instead of HTTPS from within an HTTPS context. This causes security errors with Berk’s libraries.

Is there a simple configuration option I am missing to store the cookbooks under an HTTPS URI?

-Dan

This communication is Confidential Information. By using this message and attachments you implicitly consent to terms and conditions set forth at http://www.taos.com/email_disclaimer. If you do not consent or received this message in error, please destroy it.
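A check for the condition described in the message above, added here as an example and not code from the thread or from the Supermarket project: it walks an API response fetched over HTTPS and reports every link that drops back to plain HTTP. The host supermarket.example, the sample body and the function names are constructed for illustration.

```ruby
require 'json'
require 'uri'

# Constructed sample modelled on the response quoted in the post;
# supermarket.example is a placeholder host.
SAMPLE_BODY = <<~JSON
  {"license":"All Rights Reserved","version":"0.1.3",
   "cookbook":"http://supermarket.example/api/v1/cookbooks/my-keepalived",
   "file":"http://supermarket.example/api/v1/cookbooks/my-keepalived/versions/0.1.3/download",
   "dependencies":{"python":">= 0.0.0","ark":">= 0.0.0"}}
JSON

# Recursively yield [json_path, string] for every string value in parsed JSON.
def each_string(node, path = '$', &block)
  case node
  when Hash   then node.each { |k, v| each_string(v, "#{path}.#{k}", &block) }
  when Array  then node.each_with_index { |v, i| each_string(v, "#{path}[#{i}]", &block) }
  when String then yield path, node
  end
end

# Return the links in `body` that use http although `request_url` was https.
# Each finding records where the link sits and whether it points at the same host.
def downgraded_links(request_url, body)
  req = URI.parse(request_url)
  return [] unless req.scheme&.downcase == 'https'

  findings = []
  each_string(JSON.parse(body)) do |path, value|
    uri = begin
      URI.parse(value)
    rescue URI::InvalidURIError
      next # not a URL (for example a version constraint such as ">= 0.0.0")
    end
    next unless uri.scheme&.downcase == 'http'

    same_host = !uri.host.nil? && uri.host.downcase == req.host.to_s.downcase
    findings << { path: path, url: value, same_host: same_host }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://supermarket.example/api/v1/cookbooks/my-keepalived/versions/0.1.3/'
  downgraded_links(url, SAMPLE_BODY).each { |f| puts "#{f[:path]} -> #{f[:url]}" }
end
```

A finding on the "file" key is the one that matters most, since that is the tarball download a client would then fetch without TLS.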


#2

I noticed this the other day and haven’t had time to file an issue, but just fired this off:
https://github.com/chef/supermarket/issues/994

In the meantime I’m using a copy of the nginx template with the two lines corrected.

Chris Crebolder | Network Services Specialist | University of Toronto Libraries | Information Technology Services




#3

I think those URLs are using the Rails URL helpers in https://github.com/chef/supermarket/blob/master/app/views/api/v1/cookbook_versions/_cookbook_version.json.jbuilder

What does it do if ENV['PROTOCOL'] is set to https?

Also, this is the Chef mailing list and you might get a better response on
the Supermarket Google group:
https://groups.google.com/forum/#!forum/chef-supermarket


Nathan L Smith
smith@chef.io
(319) 339-0466


#4

The env PROTOCOL is set to https. I’ll contact that list, thank you.

-Dan


From: Nathan L Smith [smith@chef.io]
Sent: Wednesday, March 04, 2015 12:07 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Supermarket cookbook URL not using TLS

I think those URLs are using the Rails URL helpers in https://github.com/chef/supermarket/blob/master/app/views/api/v1/cookbook_versions/_cookbook_version.json.jbuilder

What does it do if ENV['PROTOCOL'] is set to https?

Also, this is the Chef mailing list and you might get a better response on the Supermarket Google group: https://groups.google.com/forum/#!forum/chef-supermarket
