Hello,

Thank you for all these details. Sorry for my delayed reply.

I did not see any other answer as you suggested. Following your troubleshooting, do you prefer to open this bug? As you did all the investigation, maybe it would be more efficient to let you manage the bug? Or, if I can help/contribute to the community, I don't see any problem with contributing as I can :)

Another suggestion: if the bug cannot be fixed for Bullseye, maybe a note should be added to the release notes/installation documentation.

Sylvain

On Thu, 27 May 2021 at 12:19, Cyril Brulebois <k...@debian.org> wrote:
>
> Cyril Brulebois <k...@debian.org> (2021-05-27):
> > Further down the road, apt-setup runs, lets you request https, and the
> > various generators/* scripts run apt-setup-verify to verify the
> > configuration. That command basically runs wget inside /target (through
> > in-target) to verify stuff, and since ca-certificates wasn't installed
> > earlier (good guess!), that cannot work.
>
> Scratch that (my focus was on other things and I kept a wrong assumption
> there): it calls `debconf-apt-progress` (rather than `wget`, pointing to
> a temporary file where the tentative configuration is stored).
>
> And slightly more annoyingly, manually copying /etc/ssl(/certs) into
> /target, beforehand or after a first failure before trying again, isn't
> sufficient.
>
> The error message in apt comes from:
>
>        // Credential setup
>        std::string fileinfo = Owner->ConfigFind("CaInfo", "");
>        if (fileinfo.empty())
>        {
>           // No CaInfo specified, use system trust store.
>     →     err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
>     →     if (err == 0)
>     →        Owner->Warning("No system certificates available. Try installing ca-certificates.");
>           else if (err < 0)
>           {
>              _error->Error("Could not load system TLS certificates: %s",
>                            gnutls_strerror(err));
>              return ResultState::FATAL_ERROR;
>           }
>
> A quick strace shows the following file (missing in the ca-certificates
> udeb, and therefore in my manual copy into /target) is desired:
>
>     /etc/ssl/certs/ca-certificates.crt
>
> And finally, concatenating all certificates into that single file seems
> to make `debconf-apt-progress` happy, so maybe we would just have to
> create the directory and ship that particular file there to avoid an
> installation failure, and I would expect ca-certificates to just
> regenerate that file upon installation/upgrade, so that might not
> break anything (even if not really clean)?
>
>
> Cheers,
> --
> Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant
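
The workaround described in the quoted message (concatenating the individual certificates into /etc/ssl/certs/ca-certificates.crt under /target), written out as an added example that is not part of the original thread and is not Debian installer code. The function names, the default /target root, the *.pem/*.crt file layout and the availability of awk and mktemp are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helper names): rebuild the single-file trust
# bundle that the thread found missing, from the individual PEM files
# stored next to it.

# Print how many certificates a PEM bundle holds (0 if the file is missing).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ca_bundle [ROOT]: write ROOT/etc/ssl/certs/ca-certificates.crt.
# Returns 0 on success, 1 if no certificate was found, 2 on setup errors.
build_ca_bundle() {
    root=${1:-/target}                      # assumed default: the d-i target root
    dir="$root/etc/ssl/certs"
    bundle="$dir/ca-certificates.crt"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Build in a temp file in the same directory so the final rename is atomic.
    tmp=$(mktemp "$dir/.ca-bundle.XXXXXX") || return 2
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue             # unmatched glob or dangling symlink
        if [ "$f" = "$bundle" ]; then continue; fi   # never feed the bundle into itself
        grep -q -e '^-----BEGIN CERTIFICATE-----' "$f" || continue   # not PEM
        # Copy only the certificate blocks. awk's print always ends the line,
        # so a file without a trailing newline cannot glue two blocks together.
        awk '/^-----BEGIN CERTIFICATE-----/ {p=1}
             p {print}
             /^-----END CERTIFICATE-----/ {p=0}' "$f" >>"$tmp"
    done

    # An empty bundle would reproduce the "No system certificates" failure,
    # so refuse to install one.
    if [ "$(count_certs "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        echo "no PEM certificates found under $dir" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$bundle"
}
```

Calling `build_ca_bundle /target` followed by `count_certs /target/etc/ssl/certs/ca-certificates.crt` shows how many certificates ended up in the bundle.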