
SNI Issues #353

Closed
MattSurabian opened this issue Sep 8, 2016 · 7 comments

@MattSurabian

Hi there, while provisioning a box recently my colleague @tkellen and I ran into a frustrating problem where the server hosting nodesource's GPG key was requiring SNI support but the machine being provisioned did not have a version of python on it that supported SNI.

In the end we retrieved the key out of band and used Ansible to copy it from our local machine onto the box and everything was fine. This seemed a lower risk option than upgrading python.

I'm curious if using SNI is really necessary or if it's simply a side effect of y'all using a service like Cloudflare SSL which uses SNI under the hood. Anyway, wanted to point out that this could be a roadblock for folks trying to upgrade Node from nodesource on older systems.

@chrislea
Contributor

chrislea commented Sep 8, 2016

Yes, we're aware. We've just switched our hosting of these repositories to be backed by CloudFront. We did this because the load on the servers was getting to the point where it was making the repositories go unresponsive at times, often right after a new release, based on the load. So we needed to move to some kind of CDN solution. In general:

  1. We (NodeSource) think traffic should be encrypted whenever it's feasible to do so.
  2. We can either not use a CDN for our repos, which causes things to become unavailable under load, or we can use a CDN that will require SNI to work with HTTPS.
  3. Either of the options in #2 is not ideal because both will have negative effects on some subset of users, but we think the second option is better overall.

Unfortunately the costs associated with using a HTTPS enabled CDN without using SNI are prohibitive for us.

@hyperized

@chrislea do you realise that this choice is actually breaking (for example) current, supported and up-to-date OSs like Ubuntu 14.04?

@mweagle

mweagle commented Oct 4, 2016

Hello @hyperized,
We are aware that this may be a breaking change to some workflows. However, the overall increase in availability and improved security is a net positive. There are several referred options for clients experiencing instability due to this change.

tkellen pushed a commit to bocoup/deployment-workflow that referenced this issue Nov 3, 2016
@mpdude

mpdude commented Nov 16, 2016

Any hints regarding workarounds for systems like Ubuntu 14.04?

If I am not mistaken, an out-of-the-box apt is not able to connect to the deb.nodesource.com repo if it requires SNI, right?

@mpdude

mpdude commented Nov 16, 2016

Also see #388

@tkellen

tkellen commented Nov 16, 2016

@mpdude, this should work:

wget -qO - https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -

@mpdude

mpdude commented Nov 16, 2016

@tkellen I think this works to fetch the key, but later on apt still has issues connecting to the repo. See #388.

Wynndow pushed a commit to Crown-Commercial-Service/digitalmarketplace-jenkins that referenced this issue Jun 8, 2017
Nodesource has recently changed to distribution via CloudFront which requires SNI (see nodesource/distributions#353 (comment)), which looks like it causes issues because the full URL (https://deb.nodesource.com/gpgkey/nodesource.gpg.key) has a valid certificate, but the root URL now redirects to GitHub (https://deb.nodesource.com)

It looks like Ansible does certificate validation of the root URL, not the full path, and is detecting a problem with the hostname change.

This PR removes the download of the key from github, and instead adds the GPG key for nodesource explicitly in a file, as suggested here: nodesource/ansible-nodejs-role#33 (comment)
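Added example (not from this thread, NodeSource, or the referenced repositories): a small Python 3 probe for the two symptoms described in the opening post and in the commit message above, a CDN endpoint that refuses the handshake or presents a different certificate when the client omits SNI. It assumes `deb.nodesource.com` on port 443 as the default target; the SAN matcher is a deliberately simple stand-in for the hostname check a full TLS client performs, and the verdict strings are this example's own.

```python
import socket
import ssl


def local_sni_support():
    """True when this interpreter's ssl module can send SNI at all
    (Python before 2.7.9 / 3.2 could not, which is the provisioning failure above)."""
    return ssl.HAS_SNI


def cert_covers(cert, host):
    """Does the parsed certificate's SAN list name `host`? Simple left-most wildcard only."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def probe(host, port=443, send_sni=True, timeout=5.0):
    """Handshake with or without SNI. Returns ('ok', covers_host) or ('fail', reason).
    Chain verification stays on; only the hostname check is done by us, so we can
    observe which certificate the CDN hands a legacy client that sends no SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare SANs ourselves via cert_covers()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                return ("ok", cert_covers(tls.getpeercert(), host))
    except (ssl.SSLError, OSError) as exc:
        return ("fail", exc.__class__.__name__)


def classify(with_sni, without_sni):
    """Collapse the two probe results into a verdict a provisioning log can record."""
    if with_sni[0] != "ok" or not with_sni[1]:
        return "unreachable_or_bad_cert"
    if without_sni[0] != "ok":
        return "sni_required_handshake_refused"
    if not without_sni[1]:
        return "sni_required_default_cert_served"
    return "sni_not_required"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "deb.nodesource.com"  # assumed default
    print("local ssl module supports SNI:", local_sni_support())
    print(target, "->", classify(probe(target, send_sni=True), probe(target, send_sni=False)))
```

A verdict of `sni_required_*` on a host an older apt or Python client must reach is the cue to fetch the key out of band and ship it with the provisioning code, as the thread ends up doing.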