
Re: Testing netinst and https mirror issue



Cyril Brulebois <kibi@debian.org> (2021-05-27):
> Further down the road, apt-setup runs, lets you request https, and the
> various generators/* scripts run apt-setup-verify to verify the
> configuration. That command basically runs wget inside /target (through
> in-target) to verify stuff, and since ca-certificates wasn't installed
> earlier (good guess!), that cannot work.

Scratch that (my focus was on other things and I kept a wrong assumption
there): it calls `debconf-apt-progress` (rather than `wget`, pointing to
a temporary file where the tentative configuration is stored).

And slightly more annoyingly, manually copying /etc/ssl(/certs) into
/target, beforehand or after a first failure before trying again, isn't
sufficient.

The error message in apt comes from:

   // Credential setup
   std::string fileinfo = Owner->ConfigFind("CaInfo", "");
   if (fileinfo.empty())
   {
      // No CaInfo specified, use system trust store.
→     err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
→     if (err == 0)
→        Owner->Warning("No system certificates available. Try installing ca-certificates.");
      else if (err < 0)
      {
         _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err));
         return ResultState::FATAL_ERROR;
      }

A quick strace shows the following file (missing in the ca-certificates
udeb, and therefore in my manual copy into /target) is desired:

    /etc/ssl/certs/ca-certificates.crt

And finally, concatenating all certificates into that single file seems
to make `debconf-apt-progress` happy, so maybe we would just have to
create the directory and ship that particular file there to avoid an
installation failure, and I would expect ca-certificates to just
regenerate that file upon installation/upgrade, so that might not
break anything (even if not really clean)?


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
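
The workaround described in the message above (one concatenated file at /etc/ssl/certs/ca-certificates.crt), as an added example that is not part of the original message or of debian-installer. The function names, the `*.crt`/`*.pem` naming of the input files and the /target paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: rebuild a single-file CA bundle from a directory of PEM files.
# Assumption: certificates are stored as *.crt or *.pem under CERT_DIR.

# build_ca_bundle CERT_DIR BUNDLE -> prints the number of files merged
build_ca_bundle() {
    cert_dir=$1
    bundle=$2
    tmp="$bundle.tmp.$$"
    count=0
    mkdir -p "$(dirname "$bundle")" || return 1
    : > "$tmp" || return 1
    for f in "$cert_dir"/*.crt "$cert_dir"/*.pem; do
        [ -f "$f" ] || continue                        # unmatched glob, dangling symlink
        [ "${f##*/}" = "${bundle##*/}" ] && continue   # never feed an old bundle into the new one
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue   # skip non-PEM files
        # Drop CRs and blank lines; grep also terminates the last line, so the
        # next file's BEGIN marker cannot be glued onto this file's END marker.
        tr -d '\r' < "$f" | grep -v '^$' >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no PEM certificates found in $cert_dir" >&2
        return 1
    fi
    mv "$tmp" "$bundle" || return 1    # rename so readers never see a partial file
    echo "$count"
}

# bundle_cert_count BUNDLE -> prints the number of complete PEM blocks,
# fails if BEGIN and END marker lines do not pair up
bundle_cert_count() {
    begin=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1") || begin=0
    end=$(grep -c -x -e '-----END CERTIFICATE-----' "$1") || end=0
    [ "$begin" -eq "$end" ] || return 1
    echo "$begin"
}

# Usage inside the installer (assumed paths, based on the strace result above):
#   build_ca_bundle /target/etc/ssl/certs /target/etc/ssl/certs/ca-certificates.crt
#   bundle_cert_count /target/etc/ssl/certs/ca-certificates.crt
```

A bundle count of zero is the condition under which the quoted apt code emits its "No system certificates available" warning, so checking the count before retrying the mirror step saves a failed round trip.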
