group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #27663
[Bug 1807023] Re: installer stock images fail to validate any HTTPS certificates (ca-certificates missing)
This bug was fixed in the package debian-installer - 20101020ubuntu543.4
---------------
debian-installer (20101020ubuntu543.4) bionic; urgency=medium
* build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
without d-i/allow_unauthenticated_ssl in stock initramfs image
as in Debian. (LP: #1807023)
-- Mauricio Faria de Oliveira <mfo@xxxxxxxxxxxxx> Mon, 26 Nov 2018
16:49:46 -0200
** Changed in: debian-installer (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1807023
Title:
installer stock images fail to validate any HTTPS certificates (ca-
certificates missing)
Status in debian-installer:
Fix Released
Status in ca-certificates package in Ubuntu:
Invalid
Status in debian-installer package in Ubuntu:
Fix Released
Status in ca-certificates source package in Trusty:
Fix Committed
Status in debian-installer source package in Trusty:
Fix Committed
Status in ca-certificates source package in Xenial:
Fix Committed
Status in debian-installer source package in Xenial:
Fix Committed
Status in ca-certificates source package in Bionic:
Invalid
Status in debian-installer source package in Bionic:
Fix Released
Status in ca-certificates source package in Cosmic:
Invalid
Status in debian-installer source package in Cosmic:
Fix Released
Status in ca-certificates source package in Disco:
Invalid
Status in debian-installer source package in Disco:
Fix Released
Status in debian-installer package in Debian:
Fix Released
Bug description:
[Impact]
* The installer stock images fail to validate any HTTPS
certificates because ca-certificates is not available
in the installer environment.
* This causes wget/download errors for preseed files on
HTTPS servers (or HTTP servers that redirect to HTTPS,
which are increasingly common nowadays - e.g., GitHub)
and theoretically any other files that are downloaded
with d-i-utils/fetch-url/wget.
* The fix is to ship ca-certificates-udeb in installer
stock images.
* Debian already ships ca-certificate-udeb in the stock
installer images; the fix is applied since Jan 2017.
(reference: Debian Bug #842040 / d-i commit 2f00c51a [1])
[Test Case]
* In the installer shell:
~ # wget http://github.com # or https://github.com
- FAIL if ca-certificates-udeb is missing:
"ERROR: cannot verify github.com's certificate, <...>'
- PASS if ca-certificates-udeb is available
"Saving to: 'index.html'"
* Test steps with virt-install and netboot images
are provided in the comments, for each release.
[Regression Potential]
* Low. This just adds the ca-certificates files in
/etc/ssl/certs and symlink in /usr/lib/ssl/certs,
so only tools looking for that would be affected.
* Apparently only wget checks for/uses those files,
and the difference in behavior is download errors
no longer occur.
[Notes]
* The ca-certificates-udeb is not currently present
in the Ubuntu 'main' component, but in 'universe',
despite the normal deb being in 'main'.
However, when rebuilding in a PPA it goes into
'main' accordingly, and can be used by default
by debian-installer (otherwise, UDEB_COMPONENTS
has to be modified to include universe/d-i).
* So this fix includes a no-change-rebuild for the
ca-certificates package, in order to publish the
udeb in the archive (at least in PPA for testing).
Hopefully that can be sorted out for this fix
to work out.
* The ca-certificates and debian-installer builds
have been done in a PPA using all architectures,
and testing has been done with the amd64 images.
* This fix is requested for Bionic, Cosmic, Disco
at least.
* The fix for Trusty and Xenial needed a little
bit more work to build/ship the (new) udeb.
(reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])
It would be good to have them too if at all possible.
[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
[2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4
[Debugging]
For debugging purposes, one can install strace-udeb in the installer
to verify wget's stat() calls to /usr/lib/ssl/certs.
~ # anna-install strace-udeb
~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
+++ exited with 5 +++
~ #
~ # anna-install ca-certificates-udeb # not in archive yet.
unknown udeb ca-certificates-udeb
~ # wget --no-check-certificate
https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-
udeb_20180409_all.udeb
~ # udpkg -i ca-certificates-udeb_20180409_all.udeb
~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
HTTP request sent, awaiting response... 200 OK
stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory)
Length: unspecified [text/html]
Saving to: 'STDOUT'
...
+++ exited with 0 +++
To manage notifications about this bug go to:
https://bugs.launchpad.net/debian-installer/+bug/1807023/+subscriptions