[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Testing netinst and https mirror issue

Hello,

Thank you for all these details.
Sorry for my reply delay.

I did not see any other answer as you suggested.

Following your troubleshooting, do you prefer to open this bug ?
As you did all the investigation, maybe it would be more efficient to
let you manage the bug?
Or, if I can help/contribute the community, I don't see any problem to
contribute as I can :)

Another suggestion, if the bug cannot be fixed for Bullseye, maybe
should add a note to the release note/installation documentation.

Sylvain

Le jeu. 27 mai 2021 à 12:19, Cyril Brulebois <kibi@debian.org> a écrit :
>
> Cyril Brulebois <kibi@debian.org> (2021-05-27):
> > Further down the road, apt-setup runs, lets you request https, and the
> > various generators/* scripts run apt-setup-verify to verify the
> > configuration. That command basically runs wget inside /target (through
> > in-target) to verify stuff, and since ca-certificates wasn't installed
> > earlier (good guess!), that cannot work.
>
> Scratch that (my focus was on other things and I kept a wrong assumption
> there): it calls `debconf-apt-progress` (rather than `wget`, pointing to
> a temporary file where the tentative configuration is stored).
>
> And slightly more annoyingly, manually copying /etc/ssl(/certs) into
> /target, beforehand or after a first failure before trying again, isn't
> sufficient.
>
> The error message in apt comes from:
>
>    // Credential setup
>    std::string fileinfo = Owner->ConfigFind("CaInfo", "");
>    if (fileinfo.empty())
>    {
>       // No CaInfo specified, use system trust store.
> →     err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
> →     if (err == 0)
> →        Owner->Warning("No system certificates available. Try installing ca-certificates.");
>       else if (err < 0)
>       {
>          _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err));
>          return ResultState::FATAL_ERROR;
>       }
>
> A quick strace shows the following file (missing in the ca-certificates
> udeb, and therefore in my manual copy into /target) is desired:
>
>     /etc/ssl/certs/ca-certificates.crt
>
> And finally, concatenating all certificates into that single file seems
> to make `debconf-apt-progress` happy, so maybe we would just have to
> create the directory and ship that particular file there to avoid an
> installation failure, and I would expect ca-certificates to just
> re-regenerate that file upon installation/upgrade, so that might not
> break anything (even if not really clean)?
>
>
> Cheers,
> --
> Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant
Reply to: