Ubuntu
debian-installer package

Netinstall ISO offers usage of HTTPS mirrors but lacks ca-certificates

Bug #1777474 reported by Pascal Ernster
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
debian-installer (Ubuntu)
New
Undecided
Unassigned

Bug Description

When using the netboot ISO (https://ftp.halifax.rwth-aachen.de/ubuntu/dists/bionic/main/installer-amd64/20101020ubuntu543/images/netboot/mini.iso) in the "expert command line mode", the installer asks the user to select between the protocols HTTP, HTTPS and FTP when specifying a mirror server. However, HTTPS mirrors don't work at all since the ISO lacks the "ca-certificates" package.

When using the installer in the "non-expert"/"normal" command line mode, even when manually specifying an HTTPS mirror, either HTTP gets used or the mirror server's certificates don't get checked at all (haven't found out yet which of the two possibilities applies).

Either way, the ca-certificates package should be included in the netboot iso.

Tags: bot-comment
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1777474/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Brian Murray (brian-murray)
affects: ubuntu → debian-installer (Ubuntu)
affects: debian-installer (Ubuntu) → ubuntu
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Assigning to debian-installer for now -- this might be an issue where ca-certificates is missing (since it needs to be there before you go get it from an https mirror, hopefully).

That said, is this issue reproducible using the standard iso image; the one available on http://cdimage.ubuntu.com/releases/bionic/release/ubuntu-18.04-server-amd64.iso ?

affects: ubuntu → debian-installer (Ubuntu)
Changed in debian-installer (Ubuntu):
status: New → Incomplete
Revision history for this message
Pascal Ernster (hardfalcon) wrote :

Yes, I can reproduce the issue with that ISO as well. Since I've booted the ISO in a VM with only a serial console and no video card, I've added "console=ttyS0,115200" to the installer kernel's cmdline in GRUB, and cancelled installation as soon as possible to get to the big menu with all the installation steps, so I could select "Execute shell". From there, I've tried downloading a file from an HTTPS site with a valid Let's Encrypt certificate, and got the ominous "ERROR: cannot verify $HOSTNAME's certificate, issued by $CA: Unable to locally verify the issuer's authority." message.

So yes, the "official" installer ISO images seem to lack the ca-certificates package as well.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for debian-installer (Ubuntu) because there has been no activity for 60 days.]

Changed in debian-installer (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Pascal Ernster (hardfalcon) wrote :

Can somebody please have a look at this? Booting an ISO and checking if HTTPS works, or simply adding a certain deb package to the default installer ISO shouldn't really be rocket science.

Changed in debian-installer (Ubuntu):
status: Expired → New
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.