Re: Testing netinst and https mirror issue
Thank you for all these details.
Sorry for my reply delay.
I did not see any other answer as you suggested.
Following your troubleshooting, do you prefer to open this bug ?
As you did all the investigation, maybe it would be more efficient to
let you manage the bug?
Or, if I can help/contribute the community, I don't see any problem to
contribute as I can :)
Another suggestion, if the bug cannot be fixed for Bullseye, maybe
should add a note to the release note/installation documentation.
Le jeu. 27 mai 2021 à 12:19, Cyril Brulebois <email@example.com> a écrit :
> Cyril Brulebois <firstname.lastname@example.org> (2021-05-27):
> > Further down the road, apt-setup runs, lets you request https, and the
> > various generators/* scripts run apt-setup-verify to verify the
> > configuration. That command basically runs wget inside /target (through
> > in-target) to verify stuff, and since ca-certificates wasn't installed
> > earlier (good guess!), that cannot work.
> Scratch that (my focus was on other things and I kept a wrong assumption
> there): it calls `debconf-apt-progress` (rather than `wget`, pointing to
> a temporary file where the tentative configuration is stored).
> And slightly more annoyingly, manually copying /etc/ssl(/certs) into
> /target, beforehand or after a first failure before trying again, isn't
> The error message in apt comes from:
> // Credential setup
> std::string fileinfo = Owner->ConfigFind("CaInfo", "");
> if (fileinfo.empty())
> // No CaInfo specified, use system trust store.
> → err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
> → if (err == 0)
> → Owner->Warning("No system certificates available. Try installing ca-certificates.");
> else if (err < 0)
> _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err));
> return ResultState::FATAL_ERROR;
> A quick strace shows the following file (missing in the ca-certificates
> udeb, and therefore in my manual copy into /target) is desired:
> And finally, concatenating all certificates into that single file seems
> to make `debconf-apt-progress` happy, so maybe we would just have to
> create the directory and ship that particular file there to avoid an
> installation failure, and I would expect ca-certificates to just
> re-regenerate that file upon installation/upgrade, so that might not
> break anything (even if not really clean)?
> Cyril Brulebois (email@example.com) <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant