← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1807023] Re: installer stock images fail to validate any HTTPS certificates (ca-certificates missing)

 

This bug was fixed in the package debian-installer - 20101020ubuntu543.4

---------------
debian-installer (20101020ubuntu543.4) bionic; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <mfo@xxxxxxxxxxxxx>  Mon, 26 Nov 2018
16:49:46 -0200

** Changed in: debian-installer (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1807023

Title:
  installer stock images fail to validate any HTTPS certificates (ca-
  certificates missing)

Status in debian-installer:
  Fix Released
Status in ca-certificates package in Ubuntu:
  Invalid
Status in debian-installer package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Trusty:
  Fix Committed
Status in debian-installer source package in Trusty:
  Fix Committed
Status in ca-certificates source package in Xenial:
  Fix Committed
Status in debian-installer source package in Xenial:
  Fix Committed
Status in ca-certificates source package in Bionic:
  Invalid
Status in debian-installer source package in Bionic:
  Fix Released
Status in ca-certificates source package in Cosmic:
  Invalid
Status in debian-installer source package in Cosmic:
  Fix Released
Status in ca-certificates source package in Disco:
  Invalid
Status in debian-installer source package in Disco:
  Fix Released
Status in debian-installer package in Debian:
  Fix Released

Bug description:
  [Impact]

   * The installer stock images fail to validate any HTTPS
     certificates because ca-certificates is not available
     in the installer environment.

   * This causes wget/download errors for preseed files on
     HTTPS servers (or HTTP servers that redirect to HTTPS,
     which are increasingly common nowadays - e.g., GitHub)
     and theoretically any other files that are downloaded
     with d-i-utils/fetch-url/wget.

   * The fix is to ship ca-certificates-udeb in installer
     stock images.

   * Debian already ships ca-certificate-udeb in the stock
     installer images; the fix is applied since Jan 2017.
     (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

  [Test Case]

   * In the installer shell:

     ~ # wget http://github.com  # or https://github.com

     - FAIL if ca-certificates-udeb is missing:
       "ERROR: cannot verify github.com's certificate, <...>'

     - PASS if ca-certificates-udeb is available
       "Saving to: 'index.html'"

   * Test steps with virt-install and netboot images
     are provided in the comments, for each release.

  [Regression Potential]

   * Low. This just adds the ca-certificates files in
     /etc/ssl/certs and symlink in /usr/lib/ssl/certs,
     so only tools looking for that would be affected.

   * Apparently only wget checks for/uses those files,
     and the difference in behavior is download errors
     no longer occur.

  [Notes]

   * The ca-certificates-udeb is not currently present
     in the Ubuntu 'main' component, but in 'universe',
     despite the normal deb being in 'main'.

     However, when rebuilding in a PPA it goes into
     'main' accordingly, and can be used by default
     by debian-installer (otherwise, UDEB_COMPONENTS
     has to be modified to include universe/d-i).

   * So this fix includes a no-change-rebuild for the
     ca-certificates package, in order to publish the
     udeb in the archive (at least in PPA for testing).

     Hopefully that can be sorted out for this fix
     to work out.

   * The ca-certificates and debian-installer builds
     have been done in a PPA using all architectures,
     and testing has been done with the amd64 images.

   * This fix is requested for Bionic, Cosmic, Disco
     at least.

   * The fix for Trusty and Xenial needed a little
     bit more work to build/ship the (new) udeb.
     (reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])

     It would be good to have them too if at all possible.

  [1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
  [2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4

  [Debugging]

  For debugging purposes, one can install strace-udeb in the installer
  to verify wget's stat() calls to /usr/lib/ssl/certs.

  ~ # anna-install strace-udeb

  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
    Unable to locally verify the issuer's authority.
  To connect to github.com insecurely, use `--no-check-certificate'.
  +++ exited with 5 +++
  ~ #

  ~ # anna-install ca-certificates-udeb  # not in archive yet.
  unknown udeb ca-certificates-udeb

  ~ # wget --no-check-certificate
  https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-
  udeb_20180409_all.udeb

  ~ # udpkg -i ca-certificates-udeb_20180409_all.udeb

  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
  stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  HTTP request sent, awaiting response... 200 OK
  stat("-", 0x7fffbb943558)               = -1 ENOENT (No such file or directory)
  Length: unspecified [text/html]
  Saving to: 'STDOUT'
  ...
  +++ exited with 0 +++

To manage notifications about this bug go to:
https://bugs.launchpad.net/debian-installer/+bug/1807023/+subscriptions