a few tips for apt configuration

apt (and apt-get) is the package manager of Debian GNU/Linux and its downstream distributions such as Ubuntu. It has a lot of configuration parameters. In this post, I describe two of them.

1. Acquire::https::Verify-Peer

For security or network-policy reasons, a company usually maintains an internal apt repository that mirrors the official Debian or Ubuntu repositories. This internal repository is typically hosted by artifact management software such as Nexus or JFrog Artifactory. Most of the time it is served over HTTPS with a certificate issued by the company's internal certificate authority, which Debian and Ubuntu do not trust by default. If you know you are on the intranet and the internal repository is a trusted server, the 'Acquire::https::Verify-Peer' parameter lets you skip certificate verification. Without it, installing packages from the internal repository fails with a certificate verification error like the one below:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.

You can skip certificate verification for all hosts with the following line in the configuration file /etc/apt/apt.conf.d/99-verify.conf. Be clear about what this costs: apt still checks the GPG signature on the repository's Release/InRelease files, so package contents are not trusted blindly, but the server itself is no longer authenticated, anyone on the network path can impersonate it, and the signature check becomes the only remaining protection. The fix that keeps verification on is to trust the internal CA instead, either system-wide with update-ca-certificates or for that host only through the Acquire::https::<host>::CAInfo parameter; disabling Verify-Peer is best treated as a temporary workaround.

Acquire::https::Verify-Peer "false";

Create the configuration file if it does not exist. Alternatively, you can skip certificate verification only for a specific hostname and keep verifying certificates for every other host:

Acquire::https::<apt-repository-host-name>::Verify-Peer "false";

Note: replace <apt-repository-host-name> above with your specific hostname (the exact host as it appears in your sources.list entry).

The manual page for apt-transport-https implies that the hostname should follow the Verify-Peer part of the option name, like this:

Acquire::https::Verify-Peer::broken.example.org "false";

However, when I used this format, it did not work. It only took effect after I moved the hostname before the Verify-Peer part. Maybe the documentation is not up to date; I am not sure. Some posts on the internet also place the hostname before Verify-Peer. This matches how the https method resolves per-host settings: it looks up the host-specific value under Acquire::https::<host>::<option> and falls back to Acquire::https::<option>, and the same pattern applies to the other per-host https options such as CAInfo. See the links below for reference:

https://manpages.ubuntu.com/manpages/bionic/man1/apt-transport-https.1.html

https://unix.stackexchange.com/questions/317695/is-it-possible-to-have-apt-accept-an-invalid-certificate

https://github.com/anbangr/trusted-apt/blob/master/doc/examples/apt-https-method-example.conf

https://serverfault.com/questions/340887/using-a-self-signed-ssl-cert-for-an-https-based-internal-apt-repository
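The safer alternative mentioned above, as an added example that is not from the original post or from apt itself: a script that trusts the internal CA for one repository host and keeps Verify-Peer on. The host name apt.corp.example, the file names and the optional root-directory argument are assumptions; passing a directory other than / as the third argument lets you dry-run it into a temporary tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original post or from apt): trust an internal CA
# for one apt repository host instead of disabling peer verification.
# Assumptions (hypothetical): host name, CA file and the optional root directory
# are passed as arguments; root defaults to "/" (the live system).
set -eu

# Write a host-scoped apt.conf.d snippet that keeps Verify-Peer on and points
# apt at the internal CA for that host only. Prints the path of the snippet.
write_apt_ca_conf() {
    host="$1"; ca_src="$2"; root="${3:-/}"; root="${root%/}"
    certdir="$root/usr/local/share/ca-certificates"
    confdir="$root/etc/apt/apt.conf.d"
    mkdir -p "$certdir" "$confdir"
    # update-ca-certificates only picks up files whose name ends in .crt
    cp "$ca_src" "$certdir/internal-apt-ca.crt"
    cat > "$confdir/99-internal-ca.conf" <<EOF
// Trust the internal CA for $host only; every other host keeps the default store.
Acquire::https::${host}::CAInfo "/usr/local/share/ca-certificates/internal-apt-ca.crt";
// Verify-Peer is already on by default; stated here so nobody turns it off later.
Acquire::https::${host}::Verify-Peer "true";
EOF
    # On the live system, also add the CA to the system store so curl, openssl
    # and other tools agree with apt about the internal repository.
    if [ -z "$root" ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
    printf '%s\n' "$confdir/99-internal-ca.conf"
}

# Show what apt will actually use for the host: apt-config merges the
# apt.conf.d fragments exactly the way apt does, so a typo in the key shows up here.
show_effective() {
    host="$1"
    if command -v apt-config >/dev/null 2>&1; then
        apt-config dump | grep -F "Acquire::https::${host}" || true
    fi
}

# TLS probe with the same CA, independent of apt: exit status 0 means the
# server chain verifies, which separates a bad CA file from a wrong apt key.
probe_tls() {
    host="$1"; ca="$2"; port="${3:-443}"
    printf 'Q\n' | openssl s_client -connect "${host}:${port}" -servername "$host" \
        -CAfile "$ca" -verify_return_error >/dev/null 2>&1
}

# Usage: sh apt-trust-ca.sh apt.corp.example internal-ca.crt [/]
if [ "$#" -ge 2 ]; then
    conf=$(write_apt_ca_conf "$1" "$2" "${3:-/}")
    cat "$conf"
    show_effective "$1"
    if probe_tls "$1" "$2"; then
        echo "TLS chain for $1 verifies against $2"
    else
        echo "TLS chain for $1 does NOT verify against $2" >&2
    fi
fi
```

Run it as root with / (or no third argument) on the real host; afterwards `apt-get update` should succeed without any Verify-Peer "false" line anywhere under /etc/apt/apt.conf.d.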

2. Acquire::https::Proxy

Usually your server is in an intranet environment and cannot reach the internet directly. If company IT does not provide an internal apt repository but does provide an HTTP(S) proxy, the 'Acquire::https::Proxy' parameter configures apt to install packages from the official repositories through that proxy. Put the following line in the configuration file /etc/apt/apt.conf.d/98-proxy.conf:

Acquire::https::Proxy "http://proxy-server-host-or-ip:proxy-port";

Note: replace ‘proxy-server-host-or-ip’ and ‘proxy-port’ with your specific values.

You can set the proxy for plain HTTP repositories in the same way:

Acquire::http::Proxy "http://proxy-server-host-or-ip:proxy-port";

The above configuration makes apt use the proxy for all HTTP and HTTPS communication. To use the proxy for one specific host only, use the host-specific form below. The same form with the special value DIRECT in place of the proxy URL tells apt to bypass the proxy for that host, which is what you want for an internal repository that is reachable without the proxy:

Acquire::http::Proxy::<intranet-server-hostname> "http://proxy-server-host-or-ip:proxy-port";

Note: replace <intranet-server-hostname> with the specific hostname; an https repository needs the same line under Acquire::https::Proxy::<intranet-server-hostname>.

The proxy can also be supplied through the environment variables http_proxy, https_proxy and no_proxy, which apt and many other Linux tools honour. On a server the apt.conf.d file is the more reliable place, because sudo drops those variables by default (env_reset) and cron jobs or unattended-upgrades never see your shell environment.
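A worked example of the host-specific proxy form, added here and not part of the original post: it turns the proxy URL and the no_proxy list you would otherwise export as environment variables into an apt.conf.d fragment, emitting a DIRECT exception per listed host so that internal repositories bypass the proxy. The proxy address, host names and file locations are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from apt): render the proxy
# settings you would export as http_proxy/https_proxy/no_proxy into an
# apt.conf.d fragment, so apt also uses them under sudo (env_reset) and from
# cron or unattended-upgrades, where the environment variables are absent.
# Proxy URL, host names and paths are assumptions for illustration.
set -eu

# Render the fragment to stdout.
#   $1  proxy URL, e.g. http://proxy.corp.example:3128
#   $2  comma-separated exact host names to reach directly (like no_proxy)
# apt's per-host form is  Acquire::http::Proxy::<host> "<url>";  and the
# special value "DIRECT" tells apt to bypass the proxy for that host.
render_apt_proxy_conf() {
    proxy="${1:?proxy url required}"
    noproxy="${2:-}"
    printf '// generated from the proxy/no_proxy values; edit the generator, not this file\n'
    printf 'Acquire::http::Proxy "%s";\n' "$proxy"
    printf 'Acquire::https::Proxy "%s";\n' "$proxy"
    old_ifs=$IFS; IFS=','
    for h in $noproxy; do
        h=$(printf '%s' "$h" | tr -d ' ')
        [ -n "$h" ] || continue
        case "$h" in
            # no_proxy often carries domain suffixes such as ".corp.example";
            # apt keys per-host settings on exact host names, so flag them.
            .*) printf '// %s: apt matches exact host names only; list each host\n' "$h"; continue ;;
        esac
        printf 'Acquire::http::Proxy::%s "DIRECT";\n' "$h"
        printf 'Acquire::https::Proxy::%s "DIRECT";\n' "$h"
    done
    IFS=$old_ifs
}

# Write the fragment where apt reads it. $3 is a root directory so the script
# can be dry-run into a temporary tree; it defaults to "/" (the live system).
install_apt_proxy_conf() {
    root="${3:-/}"; root="${root%/}"
    dir="$root/etc/apt/apt.conf.d"
    mkdir -p "$dir"
    render_apt_proxy_conf "$1" "${2:-}" > "$dir/98-proxy.conf"
    printf '%s\n' "$dir/98-proxy.conf"
}

# Usage: sh apt-proxy.sh "$https_proxy" "$no_proxy" [/]
#   e.g. sh apt-proxy.sh http://proxy.corp.example:3128 apt.corp.example,localhost
if [ "$#" -ge 1 ]; then
    conf=$(install_apt_proxy_conf "$1" "${2:-}" "${3:-/}")
    cat "$conf"
    # apt-config resolves the fragment the same way apt does; use it to confirm.
    if command -v apt-config >/dev/null 2>&1; then
        apt-config dump | grep -F 'Acquire::http' || true
    fi
fi
```

After installing the fragment, `apt-config dump | grep Proxy` shows every effective proxy key, and `apt-get update` against the internal host should no longer touch the proxy.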