Re: Bug#845456: Please add a udeb to ca-certificates

On 11/23/2016 05:17 PM, Philipp Kern wrote:
> In an effort to make HTTPS usable in the installer (e.g. to fetch
> preseed, authorized_keys files, or packages) ca-certificates needs to
> add a udeb with the certificates. The result has to be usable by
> openssl, which requires that c_rehash has been run on the directory.
> Unfortunately c_rehash is a Perl script that requires the openssl binary
> to run, so it's not suitable to run in the installer environment.
> Please find attached a patch that a) adds a ca-certificates-udeb
> package, b) installs all of Mozilla's certificates into /etc/ssl/certs
> and c) runs c_rehash on the resulting directory during build. I needed
> to rename dirs, postinst and postrm. Hence there are two patch files for
> clarity: one in unified format and one in git diff format.
> It'd be nice to have this in Stretch. Not having the certificates
> available blocked inclusion of a HTTPS-capable wget altogether.

One follow-up patch is needed here to make openssl pick up the certs.
/usr/lib/ssl/certs is the default search path compiled into openssl. On
a plain Debian system a symlink from /usr/lib/ssl/certs to
/etc/ssl/certs is shipped in the "openssl" binary package, but in the
installer environment we don't have that and shipping it in libssl's
udeb would be inconvenient.

--- /dev/null
+++ b/debian/ca-certificates-udeb.links
@@ -0,0 +1 @@
+etc/ssl/certs usr/lib/ssl/certs
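Review bot: the link line `etc/ssl/certs usr/lib/ssl/certs` is in the right order for dh_link (existing path first, link name second) and yields /usr/lib/ssl/certs -> /etc/ssl/certs as the mail describes, but the hunk carries no explanation of why a path that the "openssl" binary package normally owns is being claimed by ca-certificates-udeb instead of libssl's udeb; a changelog entry or a comment line stating that rationale would keep a later maintainer from moving it back. It is also worth confirming that libssl's udeb never ships /usr/lib/ssl/certs as a real directory, since the symlink from this file would then conflict with it at install time.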
--- a/debian/rules
+++ b/debian/rules
@@ -66,6 +66,7 @@ install: build
 binary-indep: build install
+       dh_link
        dh_installdebconf -n
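Review bot: the added `dh_link` recipe line shows up here with space indentation while make requires a literal tab before every recipe command, so please confirm the committed line is tab-indented like the `dh_installdebconf -n` line below it. Separately, `dh_link` is invoked without `-p`, so it runs for every package built by binary-indep; with only debian/ca-certificates-udeb.links present that is harmless, but `dh_link -p ca-certificates-udeb` would make the intended scope explicit and keep a future .links file for another package from silently changing what this target does.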

With this addition to ca-certificates-udeb and with it and wget-udeb
included into the installer image, fetches via HTTPS work for me.

Kind regards and thanks
Philipp Kern

