[Bug 1217741] [NEW] apt will not use configured client certificate when redirected from http url to https

Esko Järnfors 1217741 at bugs.launchpad.net
Wed Aug 28 07:34:45 UTC 2013


Public bug reported:

We have a web server that has our internal package repository. The
server is configured so that it will communicate via port 80 with
clients in the internal network, which basically makes it possible for
the clients to get packages during OS installation when they do not yet
have a client certificate. The clients outside our network are
redirected with an HTTP 302 to the same URL with https transport, and
the https server requires the client to authenticate with a client
certificate. We have configured apt like this (obviously with real paths
and server name):

/etc/apt/apt.conf.d/45our-server:
-------
Acquire::https::our-server.our-domain {
  Verify-Peer "true";
  Verify-Host "true";

  CaInfo "/path/to/ca/cert.pem";
  SslCert "/path/to/client/cert.pem";
  SslKey "/path/to/client/key.pem";
};
-------

As long as the repository is marked as https://... in
/etc/apt/sources.list, these settings are used and everything works
right. However, if the repository is marked as http://, and the client
is redirected with an HTTP 302 to the https:// URL, the client
certificate is not presented properly and downloading files fails.

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1217741
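Added example (not part of the original report and not apt's own code): a small check that flags sources.list entries using http:// for a host whose client certificate is configured only under Acquire::https::<host>, which is the combination the report describes as failing after the redirect. The function names and the sample inputs are constructed for illustration, and the one-line "deb" source format is assumed.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs: placeholder host and paths as in the report.
APT_CONF = '''
Acquire::https::our-server.our-domain {
  Verify-Peer "true";
  SslCert "/path/to/client/cert.pem";
  SslKey "/path/to/client/key.pem";
};
'''
SOURCES = '''
# internal repository
deb http://our-server.our-domain/ubuntu stable main
deb [arch=amd64] https://our-server.our-domain/ubuntu stable main
deb http://mirror.example.org/ubuntu stable main
'''

def hosts_with_client_cert(conf_text):
    """Return hosts that have an Acquire::https::<host> { ... SslCert ... } block."""
    hosts = set()
    for host, body in re.findall(r'Acquire::https::([^\s{]+)\s*\{(.*?)\};', conf_text, re.S | re.I):
        if re.search(r'^\s*SslCert\s+"[^"]+"\s*;', body, re.M | re.I):
            hosts.add(host.lower())
    return hosts

def source_uris(sources_text):
    """Yield (line_number, uri) for each deb/deb-src line of a one-line-style sources.list."""
    for n, line in enumerate(sources_text.splitlines(), 1):
        line = line.split('#', 1)[0].strip()  # drop comments
        if not line.startswith(('deb ', 'deb-src ')):
            continue
        fields = re.sub(r'\[[^\]]*\]', '', line).split()  # drop [options]
        if len(fields) >= 2:
            yield n, fields[1]

def find_affected(conf_text, sources_text):
    """List (line, uri) entries using http:// for a host whose client cert is https-scoped."""
    cert_hosts = hosts_with_client_cert(conf_text)
    hits = []
    for n, uri in source_uris(sources_text):
        u = urlparse(uri)
        if u.scheme == 'http' and (u.hostname or '').lower() in cert_hosts:
            hits.append((n, uri))
    return hits

if __name__ == '__main__':
    for n, uri in find_affected(APT_CONF, SOURCES):
        print(f'sources.list line {n}: {uri} uses http:// but the client certificate is set for https only')
```

Entries it reports are candidates for switching to https:// in sources.list, the configuration the report says works.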