
I'm setting up a website on a CentOS 7 VPS with certbot and Let's Encrypt.

I am no expert on network security. I checked to see if my epel-release was pulling certbot from a legit mirror. I ran yum search epel-release three times back-to-back and got 2 different answers: one epel-release mirror pointing to cloudfront.net and the other to constant.com.

```
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vcu.edu
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirrors.wcupa.edu
 * updates: mirror.vcu.edu
=================================================================== N/S matched: epel-release ===================================================================
epel-release.noarch : Extra Packages for Enterprise Linux repository configuration

  Name and summary matches only, use "search all" for everything.

=================================================================================

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vcu.edu
 * epel: epel.mirror.constant.com
 * extras: mirrors.wcupa.edu
 * updates: mirror.vcu.edu
```

The constant.com mirror seems to be on the list of Fedora mirrors. However, I could not find the cloudfront.net mirror on there. I saw online a few comments about cloudfront.net being linked to virus/malware/adware, etc.

Before I realized any of this, I had already done my install of certbot using the cloudfront.net mirror. During installation, I never got any questions about a GPG key.

  1. Has my system been compromised?

  2. Is there any way I can check that I got the right certbot installation? How can I check this after installation of certbot?

myke
  • Amazon's CloudFront is a CDN, so anything could be hosted there. But if you go to the specific subdomain you listed, it redirects to https://dl.fedoraproject.org/pub/, which should be legit. I don't see any security concerns here. – multithr3at3d Sep 04 '21 at 20:02
  • [Googling](https://www.google.com/search?q=d2lzkl7pfhq30w.cloudfront.net+epel) for the cloudfront mirror seems to turn up a number of normal results you'd expect if it was a legit mirror. – gowenfawr Sep 04 '21 at 21:08
  • Thanks! Still new at this. I got confused earlier when I saw that the epel-release on my server from that mirror was dating back to 2017 and the one I uploaded directly from one of the mirrors on the list was dated to 2020 - which prompted this question. – myke Sep 04 '21 at 23:18
  • How to accept answers from comments? – myke Sep 04 '21 at 23:24
  • "How to accept answers from comments?" You don't. Comments are comments, not answers. Someone has to write a proper answer (including if it is a rehash of what was in comments) and then you can accept that answer as solving your question. You can write the answer yourself in fact also. – Patrick Mevzek Sep 05 '21 at 03:24
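
An after-the-fact signature check of the kind question 2 asks about, as an added example that is not part of the original post or its comments. `check_sig` is a hypothetical helper, and the sample lines and key IDs are constructed; on the server the input comes from the `rpm` queries shown in the comments.

```shell
#!/bin/sh
# Added example: classify signature lines that rpm reports for installed packages.
# On the server the input lines would come from:
#   rpm -q --qf '%{NAME} %{SIGPGP:pgpsig}\n' certbot epel-release
# and the trusted short key IDs from the keys rpm has already imported:
#   rpm -q gpg-pubkey --qf '%{VERSION}\n'

# check_sig LINE TRUSTED_IDS
#   LINE         one line of the rpm query output above
#   TRUSTED_IDS  space-separated 8-hex-digit short key IDs
# Prints "ok", "unsigned" or "untrusted"; returns 0 only for "ok".
check_sig() {
    line=$1; trusted=$2
    case $line in
        *"(none)"*) echo unsigned; return 1 ;;   # rpm prints (none) when no signature is stored
    esac
    # Pull out the hex key ID that follows "Key ID " and lower-case it.
    keyid=$(printf '%s\n' "$line" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f')
    [ -n "$keyid" ] || { echo unsigned; return 1; }
    # rpm names imported keys by the last 8 hex digits of the key ID.
    short=$(printf '%s' "$keyid" | tail -c 8)
    for t in $trusted; do
        if [ "$short" = "$(printf '%s' "$t" | tr 'A-F' 'a-f')" ]; then
            echo ok; return 0
        fi
    done
    echo untrusted; return 1
}

# Constructed sample input (not real key IDs or timestamps).
TRUSTED='aabbccdd'
SAMPLE_SIGNED='certbot RSA/SHA256, Tue 01 Jun 2021 10:00:00 AM UTC, Key ID 00112233aabbccdd'
SAMPLE_UNSIGNED='certbot (none)'
SAMPLE_OTHER='certbot RSA/SHA256, Tue 01 Jun 2021 10:00:00 AM UTC, Key ID 9999888877776666'

for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_OTHER"; do
    printf '%s -> %s\n' "${s%% *}" "$(check_sig "$s" "$TRUSTED" || true)"
done
```

`rpm -V certbot` additionally compares the installed files against the checksums recorded in the RPM database, and `gpgcheck=1` in the repository's file under `/etc/yum.repos.d/` is the setting that makes yum verify signatures at install time.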
