[chef] Re: Supermarket cookbook URL not using TLS

[Nathan L Smith < >]

I think those URLs are using the Rails URL helpers in https://github.com/chef/supermarket/blob/master/app/views/api/v1/cookbook_versions/_cookbook_version.json.jbuilder

What does it do if ENV['PROTOCOL'] is set to https?

Also, this is the Chef mailing list and you might get a better response on the Supermarket Google group: https://groups.google.com/forum/#!forum/chef-supermarket

On Mon, Mar 2, 2015 at 5:44 PM, Daniel Klopp < " target="_blank"> > wrote:

I've used the Chef Supermarket cookbook from https://github.com/opscode-cookbooks/supermarket to deploy a private Supermarket.  By default Supermarket seems to store cookbook references with a standard HTTP URI, but TLS is already configured on the private Supermarket with a proper cert.  For example, the URI: https://UNDISCLOSED/api/v1/cookbooks/my-keepalived/versions/0.1.3/ returns

{"license":"All Rights Reserved","tarball_file_size":349297,"version":"0.1.3","average_rating":null,"cookbook":"http://UNDISCLOSED/api/v1/cookbooks/my-keepalived","file":"http://UNDISCLOSED/api/v1/cookbooks/my-keepalived/versions/0.1.3/download","dependencies":{"python":">= 0.0.0","ark":">= 0.0.0","shared_ip":">= 0.0.0","keepalived":">= 0.0.0"}}

It gives a reference to HTTP instead of HTTPS from within an HTTPS context.  This causes security errors with Berk's libraries.

Is there a simple configuration option I am missing to store the cookbooks under an HTTPS URI?

-Dan

This communication is Confidential Information. By using this message and attachments you implicitly consent to terms and conditions set forth at http://www.taos.com/email_disclaimer. If you do not consent or received this message in error, please destroy it.

--

Nathan L Smith

" target="_blank">smith@chef.io

(319) 339-0466