On 11/23/2016 05:17 PM, Philipp Kern wrote:
> In an effort to make HTTPS usable in the installer (e.g. to fetch
> preseed, authorized_keys files, or packages) ca-certificates needs to
> add a udeb with the certificates. The result has to be usable by
> openssl, which requires that c_rehash has been run on the directory.
> Unfortunately c_rehash is a Perl script that requires the openssl binary
> to run, so it's not suitable to run in the installer environment.
>
> Please find attached a patch that a) adds a ca-certificates-udeb
> package, b) installs all off Mozilla's certificates into /etc/ssl/certs
> and c) runs c_rehash on the resulting directory during build. I needed
> to rename dirs, postinst and postrm. Hence there are two patch files for
> clarity: one in unified format and one in git diff format.
>
> I'd be nice to have this in Stretch. Not having the certificates
> available blocked inclusion of a HTTPS-capable wget altogether.
One follow-up patch is needed here to make openssl pick up the certs.
/usr/lib/ssl/certs is the default search path compiled into openssl. On
a plain Debian system a symlink from /usr/lib/ssl/certs to
/etc/ssl/certs is shipped in the "openssl" binary package, but in the
installer environment we don't have that and shipping it in libssl's
udeb would be inconvenient.
--- /dev/null
+++ b/debian/ca-certificates-udeb.links
@@ -0,0 +1 @@
+etc/ssl/certs usr/lib/ssl/certs
--- a/debian/rules
+++ b/debian/rules
@@ -66,6 +66,7 @@ install: build
binary-indep: build install
dh_testdir
dh_testroot
+ dh_link
dh_installdebconf -n
dh_installdocs
dh_installexamples
With this addition to ca-certificates-udeb and with it and wget-udeb
included into the installer image, fetches via HTTPS work for me.
Kind regards and thanks
Philipp Kern
Attachment:
signature.asc
Description: OpenPGP digital signature