I had discovered something funny today. So, I have Kali Linux and I am trying to fully update the system using the repo http://http.kali.org/kali. All is good and well until I get 403 denied for backdoor-factory and mimikatz. At first I thought it was a server configuration error and so ignored it, but then I got curious and decided to pop the URLs into Firefox. Sure enough, my university blocks these specific URLs, but not anything else in the repo.
I decided to check out if I could load the URLs in https (yes, I knew it was a long shot as most (afaik) APT servers don’t even support https at all) and found out it does work, but only when accepting the certificate for archive-8.kali.org. (yes, I know invalid certs aren’t good, but I figured if it is using GPG to check the validity and it uses http with no encryption anyway, then why not).
Also, I know I can just use https://archive-8.kali.org/kali in place of the old url and have done so, but the reason I asked about accepting invalid certs is for if this solution of just switching domains is impossible.
Answers:
Method 1
You can configure certain parameters for the HTTPS transport in /etc/apt/apt.conf.d/ — see man apt.conf (section “THE ACQUIRE GROUP”, subsection “https”) for details.
There is also a helpful example over at the trusted-apt project.
For example, you can disable certificate checking completely:
// Do not verify peer certificate
Acquire::https::Verify-Peer "false";
// Do not verify that certificate name matches server name
Acquire::https::Verify-Host "false";
… or just for a specific host:
Acquire::https::repo.domain.tld::Verify-Peer "false";
Acquire::https::repo.domain.tld::Verify-Host "false";
These options should be placed in a newly created file in /etc/apt/apt.conf.d/ so they won’t interfere with options installed by official packages (which will create separate files of their own).
The filename determines the order in which the option files are parsed, so you’ll probably want to choose a rather high number to have your options parsed after the ones installed by other packages. Try 80ssl-exceptions, for example.
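To see which exceptions of this kind are in effect on a machine, and whether each one is global or limited to one host, the fragments can be scanned. This is an added example, not part of the original answers; the function name audit_apt_tls and the sample file names are made up for illustration, and treating no, off and 0 as equivalent to "false" is an assumption about how apt reads booleans.

```shell
#!/bin/sh
# Added example (not from the original answers): list apt.conf.d directives
# that switch off HTTPS certificate checks, and say how widely each applies.
# Limits (assumptions): only the one-line "Acquire::https::..." form shown
# above is parsed, not the nested brace syntax, and options passed with
# "apt -o" on the command line never appear in these files.

# audit_apt_tls DIR -> prints "SCOPE<TAB>FILE<TAB>DIRECTIVE" per finding;
# returns 1 if anything was found, 0 if the directory is clean.
audit_apt_tls() {
    dir=${1:-/etc/apt/apt.conf.d}
    found=$(
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            awk '
                /^[ \t]*(\/\/|#)/ { next }   # skip whole-line comments
                {
                    # Option names are case-insensitive; a line may hold several.
                    n = split(tolower($0), part, ";")
                    for (i = 1; i <= n; i++) {
                        d = part[i]
                        gsub(/^[ \t]+|[ \t]+$/, "", d)
                        if (d !~ /^acquire::https::([^ \t:]+::)?verify-(peer|host)[ \t]+"?(false|no|off|0)"?$/)
                            continue
                        path = d; sub(/[ \t].*$/, "", path)
                        k = split(path, seg, "::")
                        # Four segments means a host name sits before the option.
                        scope = (k == 4) ? "host:" seg[3] : "global"
                        printf "%s\t%s\t%s\n", scope, FILENAME, d
                    }
                }' "$f"
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample fragments (not real system files) for a stand-alone run.
demo=$(mktemp -d)
printf '%s\n' '// Acquire::https::Verify-Peer "false";' > "$demo/10commented"
printf '%s\n' 'Acquire::https::repo.domain.tld::Verify-Peer "false";' \
              'Acquire::https::Verify-Host "false";' > "$demo/80ssl-exceptions"
audit_apt_tls "$demo" || echo "review the directives listed above"
rm -rf "$demo"
```

A "global" finding means every HTTPS repository on the system is fetched without that check, which is the case most worth narrowing to a single host.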
Method 2
For a temporary solution you can do:
apt -o "Acquire::https::Verify-Peer=false" update
apt -o "Acquire::https::Verify-Peer=false" install curl
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.