Allow insecure downloads

[scobow]

If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Error: /Stage[main]/Oracle_java::Download/Archive[/usr/java/jdk-u131-linux-x64.tar.gz]/ensure: change from absent to present failed: Execution of '/bin/curl https://repo.ournamegoeshere.net/repo/ourname-repo//jdk-u131-linux-x64.tar.gz -o /tmp/jdk-u131-linux-x64.tar.gz_75b2cb2249710d822a60f83e2886005320170426-65466-1udkpl2 -fsSL --max-redirs 5 --cookie oraclelicense=accept-securebackup-cookie' returned 60: curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

I'm trying to test installing oracle from our own repository that we sync from oracles when they come out with a new java package because security won't permit internet access to the business application environments. We update this repository manually then deploy code from our own repository. Currently we are in testing and haven't setup the SSL certificate CA process but I don't want to hack in the -k because java is patched so often.

Thanks!

[scobow]

I missed the -k in the output, the issue actually seems to be the following when I run them manually. Its all the other stuff after the -k when you don't use oracle to download the package that causes the failure.

Failure run: /bin/curl https://repo.ournamegoehere.net/ourname/ourname-repo/jdk-u131-linux-x64.tar.gz -o /tmp/jdk-u131-linux-x64.tar.gz -k _75b2cb2249710d822a60f83e2886005320170426-71513-z9gdge -fsSL --max-redirs 5 --cookie oraclelicense=accept-securebackup-cookie
curl: (22) The requested URL returned error: 404 Not Found
curl: (6) Could not resolve host: _75b2cb2249710d822a60f83e2886005320170426-71513-z9gdge; Name or service not known
Successful run: /bin/curl https://repo.ournamegoeshere.net/ourname/ourname-repo/jdk-u131-linux-x64.tar.gz -o /tmp/jdk-u131-linux-x64.tar.gz -k 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   238  100   238    0     0   1557      0 --:--:-- --:--:-- --:--:--  1565

[antoineco]

Regarding the certificate that's a fair point. The puppet/archive module I'm using takes a Boolean parameter called allow_insecure which can be used for that purpose.

Ideally it should be possible to enable/disable insecure handshakes via a class parameter:

class { 'oracle_java':
  format         => 'tar.gz',
  download_url   => 'https://repo.ournamegoeshere.net/ourname/ourname-repo',
  filename       => 'jdk-u131-linux-x64.tar.gz',
  allow_insecure => true  # default: false
}

The parameter can be added here (main install.) and here (extra install.). Would you like to try it on your side and send a pull request?

---

I don't understand the second comment though, -k takes no parameter, so where is the "_75b2cb2249710d822a60f83e2886005320170426-71513-z9gdge" string coming from? The command you're looking for is simply:

curl -sSk https://repo.ournamegoeshere.net/repo/ourname-repo/jdk-u131-linux-x64.tar.gz

[scobow]

Wait, I got it, here's what I did.
In my wrapper class that I put around your module, I added the following code:

Archive {
  allow_insecure => 'true',
}

That's was it. So if you did add a boolean within your module then I wouldn't need the wrapper.

FYI I also added two files that we need which are the local_policy.jar and the US_export_policy.jar for stronger encryption placed in /usr/java/jdk*/jre/lib/security/

Now I'm going to use the jks module to add our CA to the store so I don't need the insecure -k flag.

By the way, I had a bug in my wrapper, I had a mistype in my global variable for majorversion, I just flat out spelled it wrong. Sorry about that, once I did that your class worked as you indicated and the extra java information was not added per your installation.pp code:

  # define download URL
  if !$download_url {
    $download_url_real = "http://download.oracle.com/otn-pub/java/jdk/${version_final}${build_real}${urlcode_real}"
  } else {
    $download_url_real = $download_url
  }

Thanks