HTTPS Apt repo

[josephholsten]

on systems using apt, the current default (manifests/repo/apt.pp:23 is 'http://repositories.sensuapp.org/apt'

Current docs recommend https://sensu.global.ssl.fastly.net/apt

Per #519, we know that sensu.global.ssl.fastly.net and repositories.sensuapp.org are the same, the provided TLS cert is only valid for hosts present in the a.ssl.fastly.net SAN cert.

An ideal solution would be to get fastly to add the subject to their cert (they have done this for other open source projects).

A not-terrible alternative would be switch the default to the fastly one so we can have TLS.

[jaxxstorm]

Yeah let's just switch it to the https repo, happy to accept a PR for that

[cwjohnston]

We recently repointed repositories.sensuapp.org at a new CDN map, see this blog post for more details.

The new CDN map presents a certificate with repositories.sensuapp.org as an entry in the subjectAltName extension, but we are not recommending using https://repositories.sensuapp.org be used across the board because:

• not all package management tools support SNI
• not all distributions have a version of openssl which can successfully negotiate secure connections with this CDN, which requires TLS 1.2.

[ghoneycutt]

Fixed in v2.8.0