[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Testing netinst and https mirror issue

Cyril Brulebois <kibi@debian.org> (2021-05-27):
> Further down the road, apt-setup runs, lets you request https, and the
> various generators/* scripts run apt-setup-verify to verify the
> configuration. That command basically runs wget inside /target (through
> in-target) to verify stuff, and since ca-certificates wasn't installed
> earlier (good guess!), that cannot work.

Scratch that (my focus was on other things and I kept a wrong assumption
there): it calls `debconf-apt-progress` (rather than `wget`, pointing to
a temporary file where the tentative configuration is stored).

And slightly more annoyingly, manually copying /etc/ssl(/certs) into
/target, beforehand or after a first failure before trying again, isn't

The error message in apt comes from:

   // Credential setup
   std::string fileinfo = Owner->ConfigFind("CaInfo", "");
   if (fileinfo.empty())
      // No CaInfo specified, use system trust store.
→     err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
→     if (err == 0)
→        Owner->Warning("No system certificates available. Try installing ca-certificates.");
      else if (err < 0)
         _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err));
         return ResultState::FATAL_ERROR;

A quick strace shows the following file (missing in the ca-certificates
udeb, and therefore in my manual copy into /target) is desired:


And finally, concatenating all certificates into that single file seems
to make `debconf-apt-progress` happy, so maybe we would just have to
create the directory and ship that particular file there to avoid an
installation failure, and I would expect ca-certificates to just
re-regenerate that file upon installation/upgrade, so that might not
break anything (even if not really clean)?

Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to: