Bug#784811: d-i.debian.org: rmadison on dillon fails because of certificate checks

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#784811: d-i.debian.org: rmadison on dillon fails because of certificate checks
From: Cyril Brulebois <kibi@debian.org>
Date: Sat, 09 May 2015 04:26:07 +0200
Message-id: <[🔎] 20150509022607.26379.11620.reportbug@arya.home.mraw.org>
Reply-to: Cyril Brulebois <kibi@debian.org>, 784811@bugs.debian.org

Package: d-i.debian.org
Severity: important

With the current setup on dillon, one needs to point https tools to the
right ca-file (/etc/ssl/ca-debian/ca-certificates.crt) and/or ca-path
(/etc/ssl/ca-debian). Unfortunately rmadison doesn't offer such options
for the time being and we get this:
| d-i@dillon:~/trunk/scripts$ rmadison linux
| debian:
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: http://curl.haxx.se/docs/sslcerts.html
| 
| curl performs SSL certificate verification by default, using a "bundle"
|  of Certificate Authority (CA) public keys (CA certs). If the default
|  bundle file isn't adequate, you can specify an alternate file
|  using the --cacert option.
| If this HTTPS server uses a certificate signed by a CA represented in
|  the bundle, the certificate verification probably failed due to a
|  problem with the certificate (it might be expired, or the name might
|  not match the domain name in the URL).
| If you'd like to turn off curl's verification of the certificate, use
|  the -k (or --insecure) option.
| new:
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: http://curl.haxx.se/docs/sslcerts.html
| 
| curl performs SSL certificate verification by default, using a "bundle"
|  of Certificate Authority (CA) public keys (CA certs). If the default
|  bundle file isn't adequate, you can specify an alternate file
|  using the --cacert option.
| If this HTTPS server uses a certificate signed by a CA represented in
|  the bundle, the certificate verification probably failed due to a
|  problem with the certificate (it might be expired, or the name might
|  not match the domain name in the URL).
| If you'd like to turn off curl's verification of the certificate, use
|  the -k (or --insecure) option.

I've crafted a patch and I'll block this bug report with it; I might set
up some workaround until this is resolved in a proper way.

Mraw,
KiBi.

Reply to:

Follow-Ups:
- Bug#784811: d-i.debian.org: rmadison on dillon fails because of certificate checks
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Bug#784148: base-installer: NTP daemon should be installed on any system missing an RTC
Next by Date: Bug#784812: devscripts: [rmadison] please add support for alternate CA file/path
Previous by thread: Bug#783642: marked as done (d-i.debian.org: investigate testing-summary generation)
Next by thread: Bug#784811: d-i.debian.org: rmadison on dillon fails because of certificate checks
Index(es):
- Date
- Thread