
Re: Testing netinst and https mirror issue



Hello Cyril,

Thank you for your reply.

> Which mirror? If its certificate has been emitted by one of the usual
> CAs (see the ca-certificates package[1]), I don't think you should be
> getting any trust issue.
>
>  1. https://tracker.debian.org/pkg/ca-certificates

The Fastly mirror, by using deb.debian.org.
Sorry, I did not specify this in my previous message: in the syslog during
the netinst, we can see an issue about the certificate.
The error message: Certificate verification failed. The certificate
is NOT trusted.
I think ca-certificates is not loaded/used.
For me it's an issue about a missing root certificate.

I tested with your suggestion to use mirror/protocol=https on the command
line and it works fine :).

I tried again without mirror/protocol=https and the issue reappears.

To reproduce the issue:
- Start Debian netinst
- Use Graphical expert installation mode
- At the step "Configure the package manager", choose https.
- Use default option
The issue should be reproducible.

Could you try?

Note: To avoid doubt, I use the ISO you listed (it was this ISO that was
previously used).
> For the avoidance of doubt, this matches this specific ISO:
>   https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso

Thanks
Sylvain

On Tue, 25 May 2021 at 01:23, Cyril Brulebois <kibi@debian.org> wrote:
>
> Hi Sylvain,
>
> Sylvain Tgz <tarjaizaid@gmail.com> (2021-05-24):
> > I just tested the netinst image.
> >
> > I tried to use a https mirror but it did not work.
> >
> > The "F4 console" displays an issue about an untrusted certificate.
>
> Which mirror? If its certificate has been emitted by one of the usual
> CAs (see the ca-certificates package[1]), I don't think you should be
> getting any trust issue.
>
>  1. https://tracker.debian.org/pkg/ca-certificates
>
> The last upload of this package is dated 2021-01-19, migration to
> testing 5 days later, and it's included in D-I Bullseye RC 1, which I've
> tested successfully against an HTTPS mirror, so the basics should be
> good, unless some other component broke in the meanwhile.
>
> Is the clock set up properly on that machine? Besides not having the
> right CA(s) configured, an offset on the clock side can lead to trust
> issues as well (certificate not yet valid or already expired).
>
> > I don't think this is an intended behavior, am I wrong?  If I'm wrong,
> > what would be the solution to use an HTTPS mirror? I tried to find
> > information from documentation without success.  I rarely use the
> > netinst image (I'm a debootstrap addict :)), maybe I am missing some
> > information, if this is the case, I apologize in advance, please,
> > close this issue.
>
> There's nothing wrong with reporting a possible issue, don't worry.
>
> For my regular installation tests, I'm tweaking the kernel command line
> before starting the installation process. There might be better ways,
> I've just been using that for so long that I didn't perform any research
> lately. :D
>
> Setting this is sufficient:
>
>     mirror/protocol=https
>
> You'd probably get to the mirror selection stage with the “manual
> setting” choice set and deb.debian.org as hostname and /debian as
> directory. You can deviate from those in that particular screen, or you
> can also preseed those settings with those variables, also on the kernel
> command line:
>
>     mirror/https/hostname=deb.debian.org
>     mirror/https/directory=/debian
>
> As usual, use space as a separator between each parameter passed on the
> kernel command line.
>
> > Image used : weekly-builds
> > debian-testing-amd64-netinst.iso 2021-05-24 06:10 377M
> > sha512sum 28fbb57d329c919933feeaebf24f5767b9c6926aa27a407fd060fc9afebb9f8d2ff5dcc530589f58e2e1fe3f26c5e73b31a73f9357b501e31f12e1c9cc44de4c
>
> For the avoidance of doubt, this matches this specific ISO:
>   https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso
>
> And I've just tested an installation successfully by setting:
>
>     mirror/protocol=https
>
> then using mostly default choices.
>
>
> Cheers,
> --
> Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant
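
The two causes named in the quoted reply (a trust store without the right CA, and a clock outside the certificate's validity window), reproduced offline as an added example that is not part of the thread. It uses the openssl CLI as a stand-in for the installer's TLS stack; the CA names, mirror.example and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway CAs and a leaf certificate built with the openssl CLI.
# All names and lifetimes are constructed; nothing here is Debian's real PKI.
set -eu

# make_pki DIR: create a root CA, an unrelated CA, and a leaf valid for 30 days.
make_pki() {
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Demo $ca root" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mirror.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/leaf.pem" 2>/dev/null
}

# classify TRUST_FILE LEAF [EPOCH]: verify LEAF against TRUST_FILE, optionally
# pretending the clock reads EPOCH, and name the cause of any failure.
classify() {
    out=$(openssl verify -CAfile "$1" ${3:+-attime "$3"} "$2" 2>&1) || true
    case "$out" in
        *"unable to get local issuer certificate"*) echo "missing-ca" ;;
        *"certificate is not yet valid"*)           echo "not-yet-valid" ;;
        *"certificate has expired"*)                echo "expired" ;;
        *": OK"*)                                   echo "trusted" ;;
        *)                                          echo "other" ;;
    esac
}

# demo: run the four cases side by side on freshly generated material.
demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    now=$(date +%s)
    echo "right CA, right clock: $(classify "$dir/ca.pem" "$dir/leaf.pem")"
    echo "wrong CA bundle:       $(classify "$dir/other.pem" "$dir/leaf.pem")"
    echo "clock one year behind: $(classify "$dir/ca.pem" "$dir/leaf.pem" $((now - 31536000)))"
    echo "clock 60 days ahead:   $(classify "$dir/ca.pem" "$dir/leaf.pem" $((now + 5184000)))"
    rm -rf "$dir"
}
demo
```

A missing-ca result points at the trust store; not-yet-valid or expired on a certificate that verifies elsewhere points at the machine's clock.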

