I’m setting up a website on a CentOS 7 VPS with certbot and Let’s Encrypt.
I am no expert on network security. I checked to see if my epel-release was pulling certbot from a legit mirror.
I ran yum search epel-release three times back-to-back and got 2 different answers: one epel-release mirror pointing to cloudfront.net and the other to constant.com.
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vcu.edu
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirrors.wcupa.edu
 * updates: mirror.vcu.edu
=================================================================== N/S matched: epel-release ===================================================================
epel-release.noarch : Extra Packages for Enterprise Linux repository configuration
  Name and summary matches only, use "search all" for everything.

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.vcu.edu
 * epel: epel.mirror.constant.com
 * extras: mirrors.wcupa.edu
 * updates: mirror.vcu.edu
The constant.com mirror seems to be on the list of Fedora mirrors. However, I could not find the cloudfront.net mirror on there. I saw online a few comments about cloudfront.net being linked to virus/malware/adware, etc.
Before I realized any of this, I had already done my install of certbot using the cloudfront.net mirror. During installation, I never got any questions about a GPG key.
Has my system been compromised?
Is there any way I can check that I got the right certbot installation? How can I check this after installation of certbot?