Unsigned Repositories for 2.x Versions #1637

Open
lcalvarez opened this Issue Oct 13, 2018 · 2 comments

lcalvarez commented Oct 13, 2018

Bug report

OS
Ubuntu 18.04/Bionic

Wazuh version
2.1.1

Install type
agent

Install method
packages

Log sample

TASK [wazuh-agent : Debian/Ubuntu | Installing repository] *****************************************************************************
fatal: [172.16.255.186]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Connection to 172.16.255.186 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7rzsFp/ansible_module_apt_repository.py\", line 565, in <module>\r\n    main()\r\n  File \"/tmp/ansible_7rzsFp/ansible_module_apt_repository.py\", line 553, in main\r\n    cache.update()\r\n  File \"/usr/lib/python2.7/dist-packages/apt/cache.py\", line 543, in update\r\n    raise FetchFailedException(e)\r\napt.cache.FetchFailedException: E:Failed to fetch https://packages.wazuh.com/apt/dists/xenial/InRelease  403  Forbidden [IP: <redacted>], E:The repository 'https://packages.wazuh.com/apt xenial InRelease' is no longer signed.\r\n", "msg": "MODULE FAILURE", "rc": 0}

Bug description

I am running an ansible command with the following parameters to generate a repository file in /etc/apt/sources.list.d:

apt_repository:
    repo: "deb https://packages.wazuh.com/apt xenial main"
    state: present

I am following the instructions in the 2.1 docs to install the wazuh agent and have already installed the key in the proper location, as well.

I am also able to bypass this using an option to not validate certificates but that is a vulnerability that we would like to not expose ourselves to.

Shouldn't these repositories continue to stay signed if there may be users of them?

mojojoseph commented Oct 16, 2018

Howdy @lcalvarez I can confirm as well running into this problem on 18.04 with Wazuh 2.1.1:

Err:8 https://packages.wazuh.com/apt xenial InRelease
  403  Forbidden [IP: 52.84.33.102 443]
Reading package lists... Done
E: Failed to fetch https://packages.wazuh.com/apt/dists/xenial/InRelease  403  Forbidden [IP: 52.84.33.102 443]
E: The repository 'https://packages.wazuh.com/apt xenial InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

How were you able to bypass this? I agree with your sentiment; it should be fixed at the repository level, but at the moment this is busting all of my playbooks on 18.04 servers so I'm willing to use a workaround in the short term. Thanks for any insight.

lcalvarez commented Oct 16, 2018

@mojojoseph I was able to use this:

- name: Debian/Ubuntu | Installing wazuh repository
  lineinfile:
    create: yes
    path: /etc/apt/sources.list.d/packages_wazuh_com_apt.list
    line: "deb [trusted=true] https://packages.wazuh.com/apt xenial main"

You can also get it to work using apt_repository with validate_certs: no on the above task but not everyone will want that option.
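
Added example (not part of the thread and not Wazuh's own tooling): per sources.list(5), `trusted=yes` makes apt treat a source as trusted even when it fails authentication checks, so hosts that received this workaround are worth finding once the repository is fixed. The Python audit below flags one-line source entries that enable `trusted`, `allow-insecure`, `allow-weak` or `allow-downgrade-to-insecure`; the sample content, the `example.invalid` URLs and the name `audit_sources` are constructed for illustration.

```python
import re
import sys

# Per-source options from sources.list(5) that relax apt's authentication checks.
INSECURE_OPTIONS = {"trusted", "allow-insecure", "allow-weak",
                    "allow-downgrade-to-insecure"}
# Spellings counted as "enabled" (assumption: apt's usual boolean words).
TRUTHY = {"yes", "true", "on", "enable", "with", "1"}

# One-line style entry: type, optional [options], URI, suite.
ENTRY_RE = re.compile(
    r"^\s*(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

# Constructed sample; line 2 is the entry written by the workaround above.
SAMPLE = """\
deb https://packages.wazuh.com/apt xenial main
deb [trusted=true] https://packages.wazuh.com/apt xenial main
# deb [trusted=yes] https://example.invalid/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://example.invalid/apt stable main
deb [arch=amd64 allow-insecure=yes] https://example.invalid/apt stable main
"""


def audit_sources(text, filename="<sample>"):
    """Return one finding per enabled verification-relaxing option."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore comments and commented-out entries
        match = ENTRY_RE.match(line)
        if not match or not match.group("opts"):
            continue
        for opt in match.group("opts").split():
            key, _, value = opt.partition("=")
            if key.lower() in INSECURE_OPTIONS and value.lower() in TRUTHY:
                findings.append({"file": filename, "line": lineno,
                                 "option": key.lower(), "uri": match.group("uri"),
                                 "suite": match.group("suite")})
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    results = [f for name, text in inputs for f in audit_sources(text, name)]
    for f in results:
        print("{file}:{line}: {option} enabled for {uri} {suite}".format(**f))
    sys.exit(1 if results else 0)
```

Pass paths such as `/etc/apt/sources.list.d/*.list` as arguments; the script exits non-zero when it finds anything. It reads only one-line style entries, not deb822 `.sources` files.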
