Apt repo using HTTPS

Following on from my post on how to create your own SSL Certificate Authority, I’ve also started doing this for custom apt repos where we allow public repos over http and private repos over https (+ basic-auth).

To do this, you effectively need 3(+1) things:

  1. apt-transport-https package on the client
  2. Install your Root CA Certificate, so you can sign your own certificates and remove certificate errors OR check out letsencrypt.org OR you can buy a valid one from a proper CA and be done with it.
  3. Set up https in the web server.

We use basic-auth over https, so there's a fourth step.

  4. Configure basic auth in /etc/apt/sources.list.d/custom.list

I won't cover the details of configuring Apache, creating an SSL Root CA or creating your own repo; I'll assume you already have that figured out.

So here are the condensed tasks.

  1. Create (or take) your root CA cert and key
  2. Copy the cert to the destination server (the one that is connecting to your repo). This is usually in /usr/share/ca-certificates/somename/my-root-ca.crt
  3. On the client, update the CA list.
    dpkg-reconfigure ca-certificates
  4. On the client, install apt-transport-https.
    apt-get install apt-transport-https
  5. In an apt sources list file (I prefer to use /etc/apt/sources.list.d/.list), add the repo.
    deb https://your.reposerver.com/deb stable main
    or with basic-auth
    deb https://user:pass@your.reposerver.com/deb stable main

See it work with apt-get update
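
Putting `user:pass@` in the sources list, as in step 5, leaves the password in a file that is typically world-readable. The script below is an added example, not part of the original post: it moves such credentials into an owner-only file in the `machine ... login ... password ...` format described in apt_auth.conf(5), assuming an apt version that reads that file; `migrate_creds`, `has_creds` and the sample hosts are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): move basic-auth credentials
# out of an apt sources list into an auth.conf-style file (apt_auth.conf(5)).

# Matches: deb[-src] [options] https://user:pass@host/path suite components
CRED_RE='^(deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?https://)([^:/@[:space:]]+):([^@/[:space:]]+)@([^/[:space:]]+)(.*)$'

# has_creds LIST_FILE: succeeds if any deb line still embeds user:pass@
has_creds() { grep -Eq "$CRED_RE" "$1"; }

# migrate_creds LIST_FILE AUTH_FILE (runs in a subshell so umask stays local)
migrate_creds() (
    list=$1 auth=$2
    umask 077                      # a new auth file is created owner-only
    # One "machine HOST login USER password PASS" entry per matching line.
    sed -nE "s#$CRED_RE#machine \6 login \4 password \5#p" "$list" >> "$auth"
    chmod 600 "$auth"              # tighten a pre-existing file as well
    # Rewrite the list without credentials, keeping its own permissions.
    tmp=$(mktemp) || exit 1
    sed -E "s#$CRED_RE#\1\6\7#" "$list" > "$tmp" && cat "$tmp" > "$list"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Demo on constructed input in a scratch directory (never touches /etc/apt).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '# constructed sample, same shape as the lines in the post' \
        'deb https://user:pass@your.reposerver.com/deb stable main' \
        'deb http://public.example.org/deb stable main' > "$d/custom.list"
    migrate_creds "$d/custom.list" "$d/auth.conf" || return 1
    cat "$d/custom.list" "$d/auth.conf"
    rm -rf "$d"
}
demo
```

On a real client the second argument would be /etc/apt/auth.conf; passwords that were percent-encoded in the URL need decoding by hand before they go into that file.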