Public bug reported:
[Impact]
* fetch-url fails to download files from URL with HTTP to HTTPS
redirect if server has invalid/cannot be verified certificate.
* Install fails in case a preseed/other files use an HTTP URL
that redirects to an HTTPS URL with an invalid certificate.
* Servers/URLs that started using HTTP to HTTPS redirect and
have their URLs already spread over scripts/infrastructure
start to cause install/deployment failures.
* This fix checks for debian-installer/allow_unauthenticated_ssl
in the HTTP protocol as well (to enable --no-check-certificate),
which is OK as that option must be explicitly enabled by users,
indicating awareness of the SSL/HTTPS context and certificates
that may not be verified.
[Test Case]
* Setup web-server with HTTP to HTTPS redirect and an invalid/
self-signed certificate, and put a file (eg, preseed) on it.
* Boot with preseed option 'url=http://<server>/preseed' and
the install will fail in the 'network-preseed' stage, with
syslog errors about invalid/cannot be verified certificates,
suggesting the 'wget --no-check-certificate' option.
* Other files downloaded by the installer can hit same error,
if using HTTP URLs from that server.
* In the installer shell, run:
~ # fetch-url http://<server>/<file>
[Regression Potential]
* Low risk of regression, this only expands the check from HTTPS-only
to HTTPS or HTTP, to *then* check for d-i/allow_unauthenticated_ssl.
* The theoretical case is that a HTTP URL with no redirect to HTTPS
may use --no-check-certificate, thus without actually needing it,
(it should not cause problems at all, the option should be ignored)
but anyway, since the user acknowledged that sort of behavior with
the d-i/allow_unauthenticated_ssl, that should not be a concern.
[Other Info]
* Debian Bug #913740.
[Problem Description]
In fetch-url the --no-check-certificate option is conditioned to HTTPS.
In case of HTTP to HTTPS redirect, that option is not enabled, and may
cause fetch-url to fail if the certificate cannot be verified.
Since that option/functionality must be explicitly requested with the
debian-installer/allow_unauthenticated_ssl preseed option (i.e., user
is aware of SSL/HTTPS context and agrees w/ non-verified certificates)
we can just check for this in the HTTP protocol too, and assume HTTPS
may potentially be used, as the user specified this option.
An alternative/obvious solution in the _user_ side is to specify HTTPS
URLs upfront, but there are cases when an user does not know for sure
whether the server uses/supports that, or the server might change its
behavior and start HTTP to HTTPS redirect after URLs have spread over
(e.g., scripts and infrastructure) - thus a fix in the installer side
is a simpler and more complete approach.
** Affects: debian-installer-utils (Ubuntu)
Importance: Undecided
Assignee: Mauricio Faria de Oliveira (mfo)
Status: Confirmed
** Affects: debian-installer-utils (Debian)
Importance: Unknown
Status: Unknown
** Changed in: debian-installer-utils (Ubuntu)
Status: New => Confirmed
** Changed in: debian-installer-utils (Ubuntu)
Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1803385
Title:
fetch-url does not use --no-check-certificate on HTTP to HTTPS
redirects
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-installer-utils/+bug/1803385/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
