Package Contents :: Xenial
==========================

No regressions in the ca-certificates DEB file
after the changes to build the UDEB file.

The only difference is due to the changes
in changelog file and package version.


dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~16.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new
$ dpkg-deb -c ca-certificates_20170717~16.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root     12885 2017-09-27 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root     12948 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz


dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ


dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-e.new
$ dpkg-deb -e ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-e.old

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~16.04.1
---
> Version: 20170717~16.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< fc0ff87421a0735d09e88bdf444dc760  usr/share/doc/ca-certificates/changelog.gz
---
> 5596056c49179e32312e93f4c7296987  usr/share/doc/ca-certificates/changelog.gz

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1807023
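
The three dpkg-deb checks in the comment above, folded into one script, as an added example that is not part of the bug comment, of dpkg, or of the ca-certificates package: it parses the .deb ar container and its control/data tarballs with the Python standard library only, drops the timestamp column that the sed substitution masks, and reports whether the only differences are the Version field and the changelog, which is the conclusion the comment draws. The two packages it compares are constructed stand-ins built by make_deb() (the real 20170717~16.04.1 and 16.04.2 debs are not embedded); the path and field names are the ones from the diffs above. The md5sums control file is not diffed separately because the digests computed from data.tar cover the same files and check what the package actually ships rather than what it claims.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
CHANGELOG = "./usr/share/doc/ca-certificates/changelog.gz"

def ar_pack(members):
    """Write an ar archive (the .deb container): 60-byte fixed-width member
    headers, each body padded to an even length with a newline."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}"
        out += hdr.encode("ascii") + b"`\n" + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def ar_unpack(blob):
    """Parse an ar archive into {member name: bytes}."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60].decode("ascii")
        name, size = hdr[:16].strip().rstrip("/"), int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members

def deb_inventory(blob):
    """What the three dpkg-deb checks look at: control fields (-e), the content
    listing minus its timestamp column (-c after the sed), and a digest of every
    regular file's payload (what diff -r compares after -x)."""
    ar = ar_unpack(blob)
    control_tar = next(v for k, v in ar.items() if k.startswith("control.tar"))
    data_tar = next(v for k, v in ar.items() if k.startswith("data.tar"))
    control, listing, digests = {}, {}, {}
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for ti in tf:
            if ti.isfile() and ti.name.lstrip("./") == "control":
                for line in tf.extractfile(ti).read().decode().splitlines():
                    if line[:1].isspace():      # continuation of a folded field
                        continue
                    key, _, val = line.partition(":")
                    control[key.strip()] = val.strip()
    with tarfile.open(fileobj=io.BytesIO(data_tar), mode="r:*") as tf:
        for ti in tf:
            listing[ti.name] = (ti.mode, ti.uname, ti.gname, ti.size)
            if ti.isfile():
                digests[ti.name] = hashlib.md5(tf.extractfile(ti).read()).hexdigest()
    return control, listing, digests

def deb_diff(old, new):
    """Differences between two packages as (kind, key, old, new) tuples."""
    oc, ol, od = deb_inventory(old)
    nc, nl, nd = deb_inventory(new)
    diffs = [("control", k, oc.get(k), nc.get(k))
             for k in sorted(set(oc) | set(nc)) if oc.get(k) != nc.get(k)]
    for path in sorted(set(ol) | set(nl)):
        if ol.get(path) != nl.get(path):
            diffs.append(("listing", path, ol.get(path), nl.get(path)))
        elif od.get(path) != nd.get(path):
            diffs.append(("content", path, od.get(path), nd.get(path)))
    return diffs

def no_regression(old, new, allowed_files=(CHANGELOG,), allowed_fields=("Version",)):
    """True when every difference is one a no-change rebuild must produce."""
    return all(key in (allowed_fields if kind == "control" else allowed_files)
               for kind, key, _, _ in deb_diff(old, new))

def make_deb(version, changelog, mtime, crt=b"-----BEGIN CERTIFICATE-----\n(constructed)\n"):
    """Constructed stand-in for ca-certificates_<version>_all.deb, not the real package."""
    def tgz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, content in entries:
                ti = tarfile.TarInfo(name)
                ti.size, ti.mtime, ti.mode = len(content), mtime, 0o644
                ti.uname = ti.gname = "root"
                tf.addfile(ti, io.BytesIO(content))
        return buf.getvalue()
    files = [("./etc/ssl/certs/ca-certificates.crt", crt), (CHANGELOG, changelog)]
    md5sums = "".join(f"{hashlib.md5(c).hexdigest()}  {n[2:]}\n" for n, c in files).encode()
    control = f"Package: ca-certificates\nVersion: {version}\nArchitecture: all\n".encode()
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", tgz([("./control", control), ("./md5sums", md5sums)])),
                    ("data.tar.gz", tgz(files))])

if __name__ == "__main__":
    old = make_deb("20170717~16.04.1", b"old changelog", 1506470400)
    new = make_deb("20170717~16.04.2", b"newer changelog", 1544054400)
    for entry in deb_diff(old, new):
        print(entry)
    print("no regression:", no_regression(old, new))
```

Run against real packages by replacing make_deb() with open(path, "rb").read(); a data.tar.xz member is handled by the same "r:*" open. Note that the listing tuple deliberately omits mtime, so a rebuild that only re-stamps files compares clean, while a changed payload shows up either as a size change ("listing") or, at equal size, as a digest change ("content").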

Title:
  installer stock images fail to validate any HTTPS certificates (ca-
  certificates missing)

Status in debian-installer:
  Unknown
Status in ca-certificates package in Ubuntu:
  In Progress
Status in debian-installer package in Ubuntu:
  In Progress
Status in ca-certificates source package in Trusty:
  New
Status in debian-installer source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in debian-installer source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  In Progress
Status in debian-installer source package in Bionic:
  In Progress
Status in ca-certificates source package in Cosmic:
  In Progress
Status in debian-installer source package in Cosmic:
  In Progress
Status in ca-certificates source package in Disco:
  In Progress
Status in debian-installer source package in Disco:
  In Progress
Status in debian-installer package in Debian:
  Fix Released

Bug description:
  [Impact]

   * The installer stock images fail to validate any HTTPS
     certificates because ca-certificates is not available
     in the installer environment.

   * This causes wget/download errors for preseed files on
     HTTPS servers (or HTTP servers that redirect to HTTPS,
     which are increasingly common nowadays - e.g., GitHub)
     and theoretically any other files that are downloaded
     with d-i-utils/fetch-url/wget.

   * The fix is to ship ca-certificates-udeb in installer
     stock images.

   * Debian already ships ca-certificates-udeb in the stock
     installer images; the fix has been applied since Jan 2017.
     (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

  [Test Case]

   * In the installer shell:

     ~ # wget http://github.com  # or https://github.com

     - FAIL if ca-certificates-udeb is missing:
       "ERROR: cannot verify github.com's certificate, <...>"

     - PASS if ca-certificates-udeb is available
       "Saving to: 'index.html'"

   * Test steps with virt-install and netboot images
     are provided in the comments, for each release.

  [Regression Potential]

   * Low. This just adds the ca-certificates files in
     /etc/ssl/certs and a symlink in /usr/lib/ssl/certs,
     so only tools looking for those would be affected.

   * Apparently only wget checks for/uses those files,
     and the difference in behavior is that download errors
     no longer occur.

  [Notes]

   * The ca-certificates-udeb is not currently present
     in the Ubuntu 'main' component, but in 'universe',
     despite the normal deb being in 'main'.

     However, when rebuilding in a PPA it goes into
     'main' accordingly, and can be used by default
     by debian-installer (otherwise, UDEB_COMPONENTS
     has to be modified to include universe/d-i).

   * So this fix includes a no-change-rebuild for the
     ca-certificates package, in order to publish the
     udeb in the archive (at least in PPA for testing).

     Hopefully that can be sorted out for this fix
     to work out.

   * The ca-certificates and debian-installer builds
     have been done in a PPA using all architectures,
     and testing has been done with the amd64 images.

   * This fix is requested for Bionic, Cosmic, Disco
     at least.

   * The fix for Trusty and Xenial needed a little
     bit more work to build/ship the (new) udeb.
     (reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])

     It would be good to have them too if at all possible.

  [1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
  [2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4

  [Debugging]

  For debugging purposes, one can install strace-udeb in the installer
  to verify wget's stat() calls to /usr/lib/ssl/certs.

  ~ # anna-install strace-udeb

  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
  ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
    Unable to locally verify the issuer's authority.
  To connect to github.com insecurely, use `--no-check-certificate'.
  +++ exited with 5 +++
  ~ #

  ~ # anna-install ca-certificates-udeb  # not in archive yet.
  unknown udeb ca-certificates-udeb

  ~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-udeb_20180409_all.udeb

  ~ # udpkg -i ca-certificates-udeb_20180409_all.udeb

  ~ # strace -e stat wget -O- https://github.com >/dev/null
  ...
  Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
  140.82.118.3, 140.82.118.4
  Connecting to github.com|140.82.118.3|:443... connected.
  stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
  stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
  HTTP request sent, awaiting response... 200 OK
  stat("-", 0x7fffbb943558)               = -1 ENOENT (No such file or directory)
  Length: unspecified [text/html]
  Saving to: 'STDOUT'
  ...
  +++ exited with 0 +++

To manage notifications about this bug go to:
https://bugs.launchpad.net/debian-installer/+bug/1807023/+subscriptions
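
Why wget's stat() calls in the [Debugging] trace land on /usr/lib/ssl/certs/<hash>.0 and then <hash>.1: OpenSSL's directory lookup (X509_LOOKUP_hash_dir, the store c_rehash builds) names each CA file by X509_NAME_hash() of its subject and probes <hash>.N for N = 0, 1, ... until a name is missing, which is exactly the sequence in the trace (issuer of the leaf: miss; root: hit on .0, miss on .1). The following is an added example, not code from the bug report or from OpenSSL, that reimplements that hash and that probe order in Python. Because it carries no X.509 parser, the subjects of the DigiCert root and of the intermediate named in wget's error message are written out as lists of RDNs (an assumption that they consist of exactly those four components in that order); the store it builds lives in a temporary directory and holds a constructed placeholder file rather than the real PEM.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DER encodings of the X.520 attribute OIDs used by the names below (arc 2.5.4).
_OID_DER = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
            "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}

# Subject of DigiCert High Assurance EV Root CA (the file found as 244b5494.0 in
# the trace), spelled out as RDNs: assumed layout, no certificate is parsed here.
DIGICERT_HA_EV_ROOT = [[("C", "US")], [("O", "DigiCert Inc")],
                       [("OU", "www.digicert.com")],
                       [("CN", "DigiCert High Assurance EV Root CA")]]
# Issuer of github.com's leaf as wget printed it (wget prints the RDNs reversed).
DIGICERT_SHA2_EV_CA = [[("C", "US")], [("O", "DigiCert Inc")],
                       [("OU", "www.digicert.com")],
                       [("CN", "DigiCert SHA2 Extended Validation Server CA")]]

def _tlv(tag, body):
    """DER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def canon_name(rdns):
    """OpenSSL's canonical Name encoding (x509_name_canon): every value becomes a
    UTF8String, trimmed, inner whitespace collapsed, lowercased; each RDN is a DER
    SET of SEQUENCE{OID, value}; the Name's outer SEQUENCE is left off."""
    out = b""
    for rdn in rdns:
        atvs = [_tlv(0x30, _tlv(0x06, _OID_DER[t]) +
                     _tlv(0x0C, " ".join(v.split()).lower().encode("utf-8")))
                for t, v in rdn]
        out += _tlv(0x31, b"".join(sorted(atvs)))   # DER SET: members in sorted order
    return out

def subject_hash(rdns):
    """X509_NAME_hash(): first four SHA-1 bytes of the canonical encoding, read
    little-endian and printed as 8 hex digits (what `openssl x509 -subject_hash`
    prints and what the <hash>.N file names are made of)."""
    md = hashlib.sha1(canon_name(rdns)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

def rehash(certdir, certs):
    """c_rehash-style linking: each certificate file gets <hash>.N with the first
    free N, so two subjects with the same hash end up as .0 and .1."""
    certdir, links = Path(certdir), {}
    for filename, rdns in certs.items():
        h, n = subject_hash(rdns), 0
        while os.path.lexists(certdir / f"{h}.{n}"):
            n += 1
        (certdir / f"{h}.{n}").symlink_to(filename)
        links[filename] = f"{h}.{n}"
    return links

def hashdir_lookup(certdir, issuer_rdns):
    """The probe sequence the by-directory lookup runs for an issuer name: stat
    <hash>.0, <hash>.1, ... and stop at the first ENOENT. On an image without
    ca-certificates the first stat already fails, hence wget's
    'Unable to locally verify the issuer's authority'."""
    certdir, h, found, n = Path(certdir), subject_hash(issuer_rdns), [], 0
    while (certdir / f"{h}.{n}").exists():
        found.append(certdir / f"{h}.{n}")
        n += 1
    return found

def demo():
    """Throwaway store holding only the DigiCert root (constructed placeholder
    content, not the real PEM); replays the two lookups seen in the trace."""
    certdir = Path(tempfile.mkdtemp(prefix="certs-"))
    (certdir / "DigiCert_High_Assurance_EV_Root_CA.pem").write_text(
        "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    links = rehash(certdir, {"DigiCert_High_Assurance_EV_Root_CA.pem": DIGICERT_HA_EV_ROOT})
    return {
        "links": links,
        "intermediate_hash": subject_hash(DIGICERT_SHA2_EV_CA),
        "intermediate": [p.name for p in hashdir_lookup(certdir, DIGICERT_SHA2_EV_CA)],
        "root": [p.name for p in hashdir_lookup(certdir, DIGICERT_HA_EV_ROOT)],
    }

if __name__ == "__main__":
    print(demo())
```

The lookup is keyed on the issuer name alone, so the intermediate sent by the server is only ever searched for in the store to see whether it is itself trusted; what has to exist on disk is the root that issued it, and that is the single file ca-certificates-udeb needs to provide for this chain. The symlink and file layout matches what ca-certificates' update-ca-certificates produces in /etc/ssl/certs, which /usr/lib/ssl/certs points at.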

-- 
Mailing list: https://launchpad.net/~sts-sponsors
Post to     : sts-sponsors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~sts-sponsors
More help   : https://help.launchpad.net/ListHelp
