Re: Testing netinst and https mirror issue

To: Sylvain Tgz <tarjaizaid@gmail.com>
Cc: debian-boot@lists.debian.org
Subject: Re: Testing netinst and https mirror issue
From: Cyril Brulebois <kibi@debian.org>
Date: Tue, 25 May 2021 01:23:26 +0200
Message-id: <[🔎] 20210524232326.z24ugmmdwojude5o@mraw.org>
In-reply-to: <[🔎] CADJ1h1TOeqFXGC2pRvFjdEPToSNLHTk9N-SD1cOCtSjjNGuxeg@mail.gmail.com>
References: <[🔎] CADJ1h1TOeqFXGC2pRvFjdEPToSNLHTk9N-SD1cOCtSjjNGuxeg@mail.gmail.com>

Hi Sylvain,

Sylvain Tgz <tarjaizaid@gmail.com> (2021-05-24):
> I just tested the netinst image.
> 
> I tried to use a https mirror but it did not work.
> 
> The "F4 console" display an issue about untrusted certificate.

Which mirror? If its certificate has been emitted by one of the usual
CAs (see the ca-certificates package[1]), I don't think you should be
getting any trust issue.

 1. https://tracker.debian.org/pkg/ca-certificates

The last upload of this package is dated 2021-01-19, migration to
testing 5 days later, and it's included in D-I Bullseye RC 1, which I've
tested successfully against an HTTPS mirror, so the basics should be
good, unless some other component broke in the meanwhile.

Is the clock set up properly on that machine? Besides not having the
right CA(s) configured, an offset of the clock side can lead to trust
issue as well (certificate not yet valid or already expired).

> I don't think this is an intended behavior, I'm wrong ?  If I'm wrong,
> what would be the solution to use an HTTPS mirror ? I tried to find
> information from documentation without success.  I rarely use the
> netinst image (i'm a debootstrap addict :)), maybe I am missing some
> information, if this is the case, I apologize in advance, please,
> close this issue.

There's nothing wrong with reporting a possible issue, don't worry.

For my regular installation tests, I'm tweaking the kernel command line
before starting the installation process. There might be better ways,
I've just been using that for so long that I didn't perform any research
lately. :D

Setting this is sufficient:

    mirror/protocol=https

You'd probably get to the mirror selection stage with the “manual
setting” choice set and deb.debian.org as hostname and /debian as
directory. You can deviate from those in that particular screen, or you
can also preseed those settings with those variables, also on the kernel
command line:

    mirror/https/hostname=deb.debian.org
    mirror/https/directory=/debian

As usual, use space as a separator between each parameter passed on the
kernel command line.

> Image used : weekly-builds
> debian-testing-amd64-netinst.iso 2021-05-24 06:10 377M
> sha512sum 28fbb57d329c919933feeaebf24f5767b9c6926aa27a407fd060fc9afebb9f8d2ff5dcc530589f58e2e1fe3f26c5e73b31a73f9357b501e31f12e1c9cc44de4c

For the avoidance of doubt, this matches this specific ISO:
  https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso

And I've just tested an installation successfully by setting:

    mirror/protocol=https

then using mostly default choices.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Testing netinst and https mirror issue
  - From: Sylvain Tgz <tarjaizaid@gmail.com>

References:
- Testing netinst and https mirror issue
  - From: Sylvain Tgz <tarjaizaid@gmail.com>

Prev by Date: Bug#987377: rescue-mode: when in graphical mode, locks up one prompt before the shell
Next by Date: Processing of grub-installer_1.178_source.changes
Previous by thread: Testing netinst and https mirror issue
Next by thread: Re: Testing netinst and https mirror issue
Index(es):
- Date
- Thread