Testing :: Bionic
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/installer-amd64/20101020ubuntu543.3/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/bionic/main/installer-amd64/20101020ubuntu543.4/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-05 21:54:39-- https://github.com/
<...>
Saving to: 'index.html'

** Description changed: [Impact] - * The installer stock images fail to validate any HTTPS - certificates because ca-certificates is not available - in the installer environment. + * The installer stock images fail to validate any HTTPS + certificates because ca-certificates is not available + in the installer environment. - * This causes wget/download errors for preseed files on - HTTPS servers (or HTTP servers that redirect to HTTPS, - which are increasingly common nowadays - e.g., GitHub) - and theoretically any other files that are downloaded - with d-i-utils/fetch-url/wget. 
+ * This causes wget/download errors for preseed files on + HTTPS servers (or HTTP servers that redirect to HTTPS, + which are increasingly common nowadays - e.g., GitHub) + and theoretically any other files that are downloaded + with d-i-utils/fetch-url/wget. - * The fix is to ship ca-certificates-udeb in installer - stock images. + * The fix is to ship ca-certificates-udeb in installer + stock images. - * Debian already ships ca-certificate-udeb in the stock - installer images; the fix is applied since Jan 2017. - (reference: Debian Bug #842040 / d-i commit 2f00c51a [1]) + * Debian already ships ca-certificate-udeb in the stock + installer images; the fix is applied since Jan 2017. + (reference: Debian Bug #842040 / d-i commit 2f00c51a [1]) [Test Case] - * In the installer shell: + * In the installer shell: - ~ # wget http://github.com # or https://github.com + ~ # wget http://github.com # or https://github.com - - FAIL if ca-certificates-udeb is missing: - "ERROR: cannot verify github.com's certificate, <...>' + - FAIL if ca-certificates-udeb is missing: + "ERROR: cannot verify github.com's certificate, <...>' - - PASS if ca-certificates-udeb is available - "Saving to: 'index.html'" + - PASS if ca-certificates-udeb is available + "Saving to: 'index.html'" - * Test steps with virt-install and netboot images - are provided in the comments, for each release. + * Test steps with virt-install and netboot images + are provided in the comments, for each release. [Regression Potential] - * Low. This just adds the ca-certificates files in - /etc/ssl/certs and symlink in /usr/lib/ssl/certs, - so only tools looking for that would be affected. + * Low. This just adds the ca-certificates files in + /etc/ssl/certs and symlink in /usr/lib/ssl/certs, + so only tools looking for that would be affected. - * Apparently only wget checks for/uses those files, - and the difference in behavior is download errors - no longer occur. 
+ * Apparently only wget checks for/uses those files, + and the difference in behavior is download errors + no longer occur. [Notes] - * The ca-certificates-udeb is not currently present - in the Ubuntu archive despite being available for - download in Launchpad with a link for some reason - (perhaps a problem during import from Debian/sid?) + * The ca-certificates-udeb is not currently present + in the Ubuntu archive despite being available for + download in Launchpad with a link for some reason + (perhaps a problem during import from Debian/sid?) - * So this fix includes a no-change-rebuild for the - ca-certificates package, in order to publish the - udeb in the archive. + * So this fix includes a no-change-rebuild for the + ca-certificates package, in order to publish the + udeb in the archive. - * The ca-certificates and debian-installer builds - have been done in a PPA using all architectures, - and testing has been done with the amd64 images. + * The ca-certificates and debian-installer builds + have been done in a PPA using all architectures, + and testing has been done with the amd64 images. - * This fix is request for Bionic, Cosmic, Disco. + * This fix is request for Bionic, Cosmic, Disco. - The older releases (Trusty, Xenial) are affected, - but not requested for, and would need more work, - as the udeb is not yet in the packaging but that - is doable if required for the process. + The older releases (Trusty, Xenial) are affected, + but not requested for, and would need more work, + as the udeb is not yet in the packaging but that + is doable if required for the process. [1] https://salsa.debian.org/installer-team/debian- installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6 + + [Debugging] + + For debugging/reference purposes, one can install strace-udeb in the + intaller to verify wget's stat() calls to /usr/lib/ssl/certs. + + ~ # anna-install strace-udeb + + ~ # strace -e stat wget -O- https://github.com >/dev/null + ... + Resolving github.com... 
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0 + 140.82.118.3, 140.82.118.4 + Connecting to github.com|140.82.118.3|:443... connected. + stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) + stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) + stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) + ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US': + Unable to locally verify the issuer's authority. + To connect to github.com insecurely, use `--no-check-certificate'. + +++ exited with 5 +++ + ~ # + + + ~ # anna-install ca-certificates-udeb # not in archive yet. + unknown udeb ca-certificates-udeb + + ~ # wget --no-check-certificate + https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates- + udeb_20180409_all.udeb + + ~ # udpkg -i ca-certificates-udeb_20180409_all.udeb + + + ~ # strace -e stat wget -O- https://github.com >/dev/null + ... + Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0 + 140.82.118.3, 140.82.118.4 + Connecting to github.com|140.82.118.3|:443... connected. + stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory) + stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0 + stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory) + HTTP request sent, awaiting response... 200 OK + stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory) + Length: unspecified [text/html] + Saving to: 'STDOUT' + ... + +++ exited with 0 +++ ** Description changed: [Impact] * The installer stock images fail to validate any HTTPS certificates because ca-certificates is not available in the installer environment. 
* This causes wget/download errors for preseed files on HTTPS servers (or HTTP servers that redirect to HTTPS, which are increasingly common nowadays - e.g., GitHub) and theoretically any other files that are downloaded with d-i-utils/fetch-url/wget. * The fix is to ship ca-certificates-udeb in installer stock images. * Debian already ships ca-certificate-udeb in the stock installer images; the fix is applied since Jan 2017. (reference: Debian Bug #842040 / d-i commit 2f00c51a [1]) [Test Case] * In the installer shell: ~ # wget http://github.com # or https://github.com - FAIL if ca-certificates-udeb is missing: "ERROR: cannot verify github.com's certificate, <...>' - PASS if ca-certificates-udeb is available "Saving to: 'index.html'" * Test steps with virt-install and netboot images are provided in the comments, for each release. [Regression Potential] * Low. This just adds the ca-certificates files in /etc/ssl/certs and symlink in /usr/lib/ssl/certs, so only tools looking for that would be affected. * Apparently only wget checks for/uses those files, and the difference in behavior is download errors no longer occur. [Notes] * The ca-certificates-udeb is not currently present in the Ubuntu archive despite being available for download in Launchpad with a link for some reason (perhaps a problem during import from Debian/sid?) * So this fix includes a no-change-rebuild for the ca-certificates package, in order to publish the udeb in the archive. * The ca-certificates and debian-installer builds have been done in a PPA using all architectures, and testing has been done with the amd64 images. * This fix is request for Bionic, Cosmic, Disco. The older releases (Trusty, Xenial) are affected, but not requested for, and would need more work, as the udeb is not yet in the packaging but that is doable if required for the process. 
[1] https://salsa.debian.org/installer-team/debian- installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6 [Debugging] - For debugging/reference purposes, one can install strace-udeb in the - intaller to verify wget's stat() calls to /usr/lib/ssl/certs. + For debugging purposes, one can install strace-udeb in the installer to + verify wget's stat() calls to /usr/lib/ssl/certs. ~ # anna-install strace-udeb ~ # strace -e stat wget -O- https://github.com >/dev/null ... Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0 140.82.118.3, 140.82.118.4 Connecting to github.com|140.82.118.3|:443... connected. stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory) ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US': - Unable to locally verify the issuer's authority. + Unable to locally verify the issuer's authority. To connect to github.com insecurely, use `--no-check-certificate'. +++ exited with 5 +++ - ~ # - + ~ # ~ # anna-install ca-certificates-udeb # not in archive yet. - unknown udeb ca-certificates-udeb + unknown udeb ca-certificates-udeb ~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates- udeb_20180409_all.udeb ~ # udpkg -i ca-certificates-udeb_20180409_all.udeb - ~ # strace -e stat wget -O- https://github.com >/dev/null ... Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0 140.82.118.3, 140.82.118.4 Connecting to github.com|140.82.118.3|:443... connected. 
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory) stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0 stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory) HTTP request sent, awaiting response... 200 OK stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory) Length: unspecified [text/html] Saving to: 'STDOUT' ... +++ exited with 0 +++

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807023

Title:
  installer stock images fail to validate any HTTPS certificates (ca-certificates missing)
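
Review bot: In the [Debugging] section added by the first description change, the udeb that supplies the trust anchors is itself fetched with "wget --no-check-certificate" and then installed with "udpkg -i", so the CA store ends up coming from an unauthenticated download. That is understandable as a bootstrap, since no CA store exists yet at that point, but the text should say so, and should either suggest checking the downloaded file against a checksum obtained out of band before installing it or mark the steps as meant for a throwaway test VM. It would also help to state that the hashed names in the stat() lines (45bfefc3.0, 244b5494.0) are the files wget looks for under /usr/lib/ssl/certs, so a reader can see that the 244b5494.0 lookup returning 0 instead of ENOENT is what separates the passing run from the failing one.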
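
Review bot: The second description change fixes "intaller" in [Debugging] but leaves two wording problems in the unchanged text around it: the Debian bullet under [Impact] says "ca-certificate-udeb" while every other mention is "ca-certificates-udeb", and [Notes] reads "This fix is request for Bionic, Cosmic, Disco." Since the package name is what someone will search the archive for, use "ca-certificates-udeb" consistently and change "request" to "requested" in the same pass.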
