Why no https for mirrorlist?

jghal
Posts: 3
Joined: 2020/10/27 16:05:27

Why no https for mirrorlist?

Post by jghal » 2020/10/27 16:12:01

We have Palo Alto firewalls, where the built-in application definition for DNF requires SSL, but the mirrorlist.centos.org and mirror.centos.org seem to be only available with http, not with https. I was wondering if there's any particular reason for that.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Why no https for mirrorlist?

Post by TrevorH » 2020/10/27 16:48:43

I would imagine that it's an issue that the CentOS mirror network is on donated hosts and controlled by the people that donate them. It would mean handing out the SSL certs for centos.org to people that are non-CentOS.

jghal
Posts: 3
Joined: 2020/10/27 16:05:27

Re: Why no https for mirrorlist?

Post by jghal » 2020/10/27 18:00:51

Thanks Trevor. I'm not sure I follow though, don't Yum/DNF ask for a list of mirrors and then connect directly to them until one works? If you look at Fedora, their mirror list uses https, and then individual mirrors may or may not have https.

https://admin.fedoraproject.org/mirrorm ... /29/x86_64
https://mirrors.dotsrc.org/fedora-buffet/fedora/linux
https://pubmirror1.math.uh.edu/fedora-b ... dora/linux

And in fact, looking at the CentOS mirror list portal

https://www.centos.org/download/mirrors/

There are https-enabled mirrors in multiple locations/regions. Maybe 50 in the US alone.

So it seems like just enabling https on mirrorlist.centos.org and mirror.centos.org would do the trick.

jghal
Posts: 3
Joined: 2020/10/27 16:05:27

Re: Why no https for mirrorlist?

Post by jghal » 2020/10/27 21:54:51

Or maybe if there was a parameter to add to mirrorlist in the .repo files to only get back https-enabled mirrors. I've been able to get my firewall to allow http://mirrorlist.centos.org, but it seems stuck on selecting only http mirror sites.
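The https-only filtering asked about in the last post can be done on the client side. This is an added example, not part of the thread and not CentOS or DNF code: it takes a mirrorlist response (one repository base URL per line) and keeps only the https entries. The function name, the optional host allowlist and the sample hosts are assumptions made for illustration, as is the idea of saving the output to a local file and pointing the repo's `mirrorlist=` setting at it.

```python
from urllib.parse import urlsplit

# Constructed sample of a mirrorlist response: one base URL per line.
SAMPLE_MIRRORLIST = """\
http://mirror-a.example.org/centos/8/BaseOS/x86_64/os/
https://mirror-b.example.net/centos/8/BaseOS/x86_64/os/
# a comment line
https://user:pw@mirror-c.example.com/centos/8/BaseOS/x86_64/os/
HTTPS://Mirror-D.example.org/pub/centos/8/BaseOS/x86_64/os/
ftp://mirror-e.example.org/centos/8/BaseOS/x86_64/os/
https://mirror-b.example.net/centos/8/BaseOS/x86_64/os/
"""


def filter_https_mirrors(text, allowed_hosts=None):
    """Return (kept, dropped): kept is a list of normalised https URLs,
    dropped is a list of (original_line, reason) tuples."""
    kept, dropped, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = urlsplit(line)
            host = parts.hostname or ""   # hostname is already lower-cased
            port = parts.port             # raises ValueError on a bad port
        except ValueError:
            dropped.append((line, "unparseable"))
            continue
        if parts.scheme != "https":
            reason = "not https"
        elif not host:
            reason = "no host"
        elif parts.username or parts.password:
            reason = "embedded credentials"
        elif allowed_hosts is not None and host not in allowed_hosts:
            reason = "host not allowlisted"
        else:
            netloc = host if port is None else f"{host}:{port}"
            url = f"https://{netloc}{parts.path}"
            reason = "duplicate" if url in seen else None
        if reason:
            dropped.append((line, reason))
        else:
            seen.add(url)
            kept.append(url)
    return kept, dropped


if __name__ == "__main__":
    print("\n".join(filter_https_mirrors(SAMPLE_MIRRORLIST)[0]))
```

The allowlist is there for sites whose firewall policy names specific mirror hosts; leave it as `None` to accept any https mirror.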
