installer stock images fail to validate any HTTPS certificates (ca-certificates missing)

Bug #1807023 reported by Mauricio Faria de Oliveira on 2018-12-05
22
This bug affects 2 people
Affects Status Importance Assigned to Milestone
debian-installer
Fix Released
Unknown
ca-certificates (Ubuntu)
Medium
Unassigned
Trusty
Medium
Mauricio Faria de Oliveira
Xenial
Medium
Mauricio Faria de Oliveira
Bionic
Medium
Unassigned
Cosmic
Medium
Unassigned
Disco
Medium
Unassigned
debian-installer (Debian)
Fix Released
Unknown
debian-installer (Ubuntu)
Medium
Mauricio Faria de Oliveira
Trusty
Medium
Mauricio Faria de Oliveira
Xenial
Medium
Mauricio Faria de Oliveira
Bionic
Medium
Mauricio Faria de Oliveira
Cosmic
Medium
Mauricio Faria de Oliveira
Disco
Medium
Mauricio Faria de Oliveira

Bug Description

[Impact]

 * The installer stock images fail to validate any HTTPS
   certificates because ca-certificates is not available
   in the installer environment.

 * This causes wget/download errors for preseed files on
   HTTPS servers (or HTTP servers that redirect to HTTPS,
   which are increasingly common nowadays - e.g., GitHub)
   and theoretically any other files that are downloaded
   with d-i-utils/fetch-url/wget.

 * The fix is to ship ca-certificates-udeb in installer
   stock images.

 * Debian already ships ca-certificate-udeb in the stock
   installer images; the fix is applied since Jan 2017.
   (reference: Debian Bug #842040 / d-i commit 2f00c51a [1])

[Test Case]

 * In the installer shell:

   ~ # wget http://github.com # or https://github.com

   - FAIL if ca-certificates-udeb is missing:
     "ERROR: cannot verify github.com's certificate, <...>'

   - PASS if ca-certificates-udeb is available
     "Saving to: 'index.html'"

 * Test steps with virt-install and netboot images
   are provided in the comments, for each release.

[Regression Potential]

 * Low. This just adds the ca-certificates files in
   /etc/ssl/certs and symlink in /usr/lib/ssl/certs,
   so only tools looking for that would be affected.

 * Apparently only wget checks for/uses those files,
   and the difference in behavior is download errors
   no longer occur.

[Notes]

 * The ca-certificates-udeb is not currently present
   in the Ubuntu 'main' component, but in 'universe',
   despite the normal deb being in 'main'.

   However, when rebuilding in a PPA it goes into
   'main' accordingly, and can be used by default
   by debian-installer (otherwise, UDEB_COMPONENTS
   has to be modified to include universe/d-i).

 * So this fix includes a no-change-rebuild for the
   ca-certificates package, in order to publish the
   udeb in the archive (at least in PPA for testing).

   Hopefully that can be sorted out for this fix
   to work out.

 * The ca-certificates and debian-installer builds
   have been done in a PPA using all architectures,
   and testing has been done with the amd64 images.

 * This fix is requested for Bionic, Cosmic, Disco
   at least.

 * The fix for Trusty and Xenial needed a little
   bit more work to build/ship the (new) udeb.
   (reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])

   It would be good to have them too if at all possible.

[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
[2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4

[Debugging]

For debugging purposes, one can install strace-udeb in the installer to verify wget's stat() calls to /usr/lib/ssl/certs.

~ # anna-install strace-udeb

~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
+++ exited with 5 +++
~ #

~ # anna-install ca-certificates-udeb # not in archive yet.
unknown udeb ca-certificates-udeb

~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-udeb_20180409_all.udeb

~ # udpkg -i ca-certificates-udeb_20180409_all.udeb

~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
HTTP request sent, awaiting response... 200 OK
stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory)
Length: unspecified [text/html]
Saving to: 'STDOUT'
...
+++ exited with 0 +++

Testing steps common to all releases:
====================================

$ wget <netboot linux/initrd.img>

$ virt-install \
  --name RELEASE \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait for network configuration steps to occur, then:
In dialog 'Download debconf preconfiguration file' select 'Continue'.
In dialog 'Select a language' select 'Go Back'.
In menu select 'Execute a shell', then select 'Continue'.

~ # cat /etc/default-release # for reference
~ # ls -d /usr/lib/ssl/certs/ # check if available

~ # wget http://github.com # check error/success

Then ctrl+] to exit virsh console, and destroy/wipe guest.
$ virsh destroy RELEASE
$ virsh undefine --remove-all-storage RELEASE

Testing :: Disco
================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/disco/main/installer-amd64/20101020ubuntu559/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
disco

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

Then ctrl+] to exit console, and
$ virsh destroy disco; virsh undefine --remove-all-storage disco

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/disco/main/installer-amd64/20101020ubuntu560/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
disco

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
Saving to: 'index.html'

Testing :: Cosmic
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/cosmic/main/installer-amd64/20101020ubuntu557/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
cosmic

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/cosmic/main/installer-amd64/20101020ubuntu557.1/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
cosmic

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
Saving to: 'index.html'

Testing :: Bionic
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/installer-amd64/20101020ubuntu543.3/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
ls: /usr/lib/ssl/certs/: No such file or directory

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
<...>
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/bionic/main/installer-amd64/20101020ubuntu543.4/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
bionic

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
<...>
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-05 21:54:39-- https://github.com/
<...>
Saving to: 'index.html'

description: updated
description: updated

The debdiffs for ca-certificates and debian-installer for Disco/Cosmic/Bionic were uploaded.

Changed in debian-installer (Ubuntu):
assignee: nobody → Mauricio Faria de Oliveira (mfo)

The attachment "ca-certificates_disco.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Dan Streetman (ddstreet) on 2018-12-06
tags: added: sts sts-sponsor sts-sponsor-ddstreet
Dan Streetman (ddstreet) on 2018-12-06
Changed in debian-installer (Ubuntu Disco):
status: New → In Progress
Changed in debian-installer (Ubuntu Cosmic):
status: New → In Progress
Changed in debian-installer (Ubuntu Bionic):
status: New → In Progress
Changed in debian-installer (Ubuntu Xenial):
status: New → In Progress
status: In Progress → New
Changed in debian-installer (Ubuntu Disco):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Bionic):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Xenial):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Trusty):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Cosmic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in debian-installer (Ubuntu Bionic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in debian-installer (Debian):
status: Unknown → Fix Released
Dan Streetman (ddstreet) wrote :

fix LP: #NNNNN tag in commit description

Dan Streetman (ddstreet) wrote :

upload correct fixed debdiff :)

Dan Streetman (ddstreet) wrote :

rename disco debdiff to add pkg name since this bug has 2 pkgs

Dan Streetman (ddstreet) on 2018-12-06
Changed in ca-certificates (Ubuntu Bionic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Cosmic):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Disco):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Dan Streetman (ddstreet) wrote :

attached debdiffs for ca-certificates and debian-installer for b/c/d with LP: #NNN tag corrected to use this bug number.

Eric Desrochers (slashd) wrote :

d-i for disco uploaded but it now FTBFS because it cannot locate ca-certificate-udeb.

For some reasons, I didn't notice before hand but ca-certificates (deb)[1] is found in "main" but ca-certificates (udeb)[2] in 'Universe' and I suspect the build failure is due to the fact that the builder doesn't look in 'universe' for it, as it needs to be in 'main'

@archive-admin
Since ca-certificate is already in 'main' can we promote its udeb into 'main' as well ?
Without the need of a MIR ?

Note: We tried to rebuild ca-certificates w/ no change and see if the new udeb would be in 'main' but it remained in 'universe' so this will definitely require an archive admin manipulation.

I already pinged them on #ubuntu-release (Freenode)

[1] - http://archive.ubuntu.com/ubuntu/pool/main/c/ca-certificates/
[2] - http://archive.ubuntu.com/ubuntu/pool/universe/c/ca-certificates/

- Eric

Testing :: Xenial
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/20101020ubuntu451.26/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
xenial

~ # ls -d /usr/lib/ssl/certs
ls: /usr/lib/ssl/certs: No such file or directory

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
~ #

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/xenial/main/installer-amd64/20101020ubuntu451.27/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
xenial

~ # ls -d /usr/lib/ssl/certs
/usr/lib/ssl/certs

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
Saving to: 'index.html'

Testing :: Trusty
=================

original
--------

wget http://archive.ubuntu.com/ubuntu/dists/trusty-updates/main/installer-amd64/20101020ubuntu318.44/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

<trusty needs to proceed manually/press enter a few times in the installer>

~ # cat /etc/default-release
trusty

~ # ls -d /usr/lib/ssl/certs
ls: /usr/lib/ssl/certs: No such file or directory

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

modified
--------

wget http://ppa.launchpad.net/mfo/sf205192/ubuntu/dists/trusty/main/installer-amd64/20101020ubuntu318.45/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

~ # cat /etc/default-release
trusty

~ # ls -d /usr/lib/ssl/certs
/usr/lib/ssl/certs

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
...
Saving to: 'index.html'

description: updated

The ca-certificates fix for Xenial and Trusty
include the changes to build the (new) udeb.

The normal deb package has been verified for
regressions (next comments) and it is correct,
with no functional changes whatsoever.

Package Contents :: Xenial
==========================

No regressions in ca-certificate DEB file
after the changes to build the UDEB file.

The only difference is due to the changes
in changelog file and package version.

dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~16.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new
$ dpkg-deb -c ca-certificates_20170717~16.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root 12885 2017-09-27 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root 12948 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz

dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ

dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~16.04.2_all.deb dpkg-deb_-e.new
$ dpkg-deb -e ca-certificates_20170717~16.04.1_all.deb dpkg-deb_-e.old

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~16.04.1
---
> Version: 20170717~16.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< fc0ff87421a0735d09e88bdf444dc760 usr/share/doc/ca-certificates/changelog.gz
---
> 5596056c49179e32312e93f4c7296987 usr/share/doc/ca-certificates/changelog.gz

Package Contents :: Trusty
==========================

No regressions in ca-certificate DEB file
after the changes to build the UDEB file.

The only difference is due to the changes
in changelog file and package version.

dpkg-deb -c (content listing)
-----------

$ dpkg-deb -c ca-certificates_20170717~14.04.1_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.old
$ dpkg-deb -c ca-certificates_20170717~14.04.2_all.deb | sed 's/[0-9][0-9]:[0-9][0-9]/HH:MM/' > dpkg-deb_-c.new

$ diff dpkg-deb_-c.{old,new}
14c14
< -rw-r--r-- root/root 11052 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz
---
> -rw-r--r-- root/root 11108 2018-12-06 HH:MM ./usr/share/doc/ca-certificates/changelog.gz

dpkg-deb -x (content files)
-----------

$ dpkg-deb -x ca-certificates_20170717~14.04.1_all.deb dpkg-deb_-x.old
$ dpkg-deb -x ca-certificates_20170717~14.04.2_all.deb dpkg-deb_-x.new

$ diff -r dpkg-deb_-x.{old,new}
Binary files dpkg-deb_-x.old/usr/share/doc/ca-certificates/changelog.gz and dpkg-deb_-x.new/usr/share/doc/ca-certificates/changelog.gz differ

dpkg-deb -e (control files)
-----------

$ dpkg-deb -e ca-certificates_20170717~14.04.1_all.deb dpkg-deb_-e.old
$ dpkg-deb -e ca-certificates_20170717~14.04.2_all.deb dpkg-deb_-e.new

$ diff -r dpkg-deb_-e.{old,new}
diff -r dpkg-deb_-e.old/control dpkg-deb_-e.new/control
2c2
< Version: 20170717~14.04.1
---
> Version: 20170717~14.04.2
diff -r dpkg-deb_-e.old/md5sums dpkg-deb_-e.new/md5sums
151c151
< c410ab88c14eab543d0c57f08b104895 usr/share/doc/ca-certificates/changelog.gz
---
> da9525233e9c26a1b101bd9be04280d0 usr/share/doc/ca-certificates/changelog.gz

description: updated
Eric Desrochers (slashd) wrote :

From #ubuntu-release (freenode)

With regards to the FTBFS situation with ca-certificates-udeb:

<infinity> slashd: Promoted. I'll retry the builds when the publisher's done moving it around.
<infinity> slashd: Just disco. For other releases, it'll require some fiddling.

I'll continue with the SRU as soon as disco is building fine and goes into -releases.

Dan Streetman (ddstreet) wrote :

removing the sponsors team - please nobody upload this! @slashd or i will sru when ready.

Eric Desrochers (slashd) wrote :

Please do the necessary to make sure we don't upload ca-certificates by mistake again.

I would suggest we :
1) Remove the debdiff
2) Set the status for ca-certificates to "Won't Fix"

To avoid confusion.

The ca-certificates work need to be done by an archive admin, no rebuild needed.

Regards,
Eric

Dan Streetman (ddstreet) on 2018-12-07
Changed in ca-certificates (Ubuntu Disco):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Cosmic):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Bionic):
assignee: Mauricio Faria de Oliveira (mfo) → nobody
status: In Progress → Invalid
Changed in ca-certificates (Ubuntu Xenial):
status: New → Invalid
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: Invalid → In Progress
Changed in ca-certificates (Ubuntu Trusty):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Xenial):
importance: Undecided → Medium
Changed in debian-installer (Ubuntu Xenial):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: New → In Progress
Changed in debian-installer (Ubuntu Trusty):
assignee: nobody → Mauricio Faria de Oliveira (mfo)
status: New → In Progress
Dan Streetman (ddstreet) wrote :

Marked ca-certificates for b/c/d as Invalid - it does not need an upload, only archive twiddling to move its component.

For t/x, ca-certificates does need the patches @mfo attached to actually generate the -udeb binary pkg.

Please nobody sponsor this bug - @slashd or I will handle the sruing.

Hello Mauricio, or anyone else affected,

Accepted debian-installer into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu557.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Adam Conrad (adconrad) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu543.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Changed in debian-installer (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu560

---------------
debian-installer (20101020ubuntu560) disco; urgency=medium

  [ Mauricio Faria de Oliveira ]
  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023) (closes: #842040)

 -- Dan Streetman <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Disco):
status: Fix Committed → Fix Released

Verification :: bionic-proposed
-------------------------------

Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/bionic-proposed/main/installer-amd64/20101020ubuntu543.4/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name bionic \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
bionic

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu543.4

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:33:24-- https://github.com/
...
Saving to: 'index.html'
...

Verification :: cosmic-proposed
-------------------------------

Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/cosmic-proposed/main/installer-amd64/20101020ubuntu557.1/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name cosmic \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
cosmic

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu557.1

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:39:52-- https://github.com/
...
Saving to: 'index.html'
...

Verification :: disco-proposed
-------------------------------

Okay, not strictly required as not yet a Stable Release, but doing anyway.
Successful.

$ wget http://archive.ubuntu.com/ubuntu/dists/disco-proposed/main/installer-amd64/20101020ubuntu560/images/netboot/ubuntu-installer/amd64/{linux,initrd.gz}

$ virt-install \
  --name disco \
  --vcpus 2 \
  --memory 512 \
  --disk size=4,bus=virtio,format=qcow2 \
  --network user,model=virtio \
  --graphics none \
  --import \
  --boot kernel=linux,initrd=initrd.gz,kernel_args='console=ttyS0 ipv6.disable=1 auto=true hostname=ubuntu'

Wait until dialog.
Exit to shell.

~ # cat /etc/default-release
disco

~ # sed -n '/^Package: debian-installer/,/^Version:/p' /var/lib/dpkg/status
Package: debian-installer
Status: install ok installed
Version: netboot-20101020ubuntu560

~ # ls -d /usr/lib/ssl/certs/
/usr/lib/ssl/certs/

~ # wget http://github.com
...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-07 20:42:20-- https://github.com/
...
Saving to: 'index.html'

tags: added: verification-done verification-done-bionic verification-done-cosmic
removed: verification-needed verification-needed-bionic verification-needed-cosmic
Changed in debian-installer:
status: Unknown → Fix Released
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu451.27 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in debian-installer (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done
Changed in debian-installer (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted debian-installer into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu318.45 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted ca-certificates into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ca-certificates/20170717~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ca-certificates (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in ca-certificates (Ubuntu Trusty):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mauricio, or anyone else affected,

Accepted ca-certificates into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ca-certificates/20170717~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The verification of the Stable Release Update for debian-installer has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu543.4

---------------
debian-installer (20101020ubuntu543.4) bionic; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu557.1

---------------
debian-installer (20101020ubuntu557.1) cosmic; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Dan Streetman (ddstreet) wrote :

autopkgtest failure notes:

glib-networking fails for trusty, but it failed exactly the same way in the last auotpkgtest run, which was from 2017. Appears to be broken test case and should be ignored for this sru.

snapd fails for xenial, but it's failed for the last 2+ months. The tests for it are clearly broken and should be ignored for this sru.

Dan Streetman (ddstreet) wrote :

trusty verification:

reproduce bug:
1) get the debian-installer source version 20101020ubuntu318.44 and extract
2) in the source cd build/
3) make build_netboot
4) cd dest/netboot/ubuntu-installer/amd64
5) run steps from comment 1
6) verify wget from github.com fails due to https certificate:

~ # wget http://github.com
--2018-12-19 20:04:55-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:04:55-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

verify fix is same steps except with debian-installer version 20101020ubuntu318.45

step #6 passes:

~ # wget github.com
--2018-12-19 20:09:44-- http://github.com/
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:09:44-- https://github.com/
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

    [ <=> ] 80,096 --.-K/s in 0.04s

2018-12-19 20:09:44 (1.77 MB/s) - 'index.html' saved [80096]

tags: added: verification-done-trusty
removed: verification-needed-trusty
Dan Streetman (ddstreet) wrote :

xenial:

same steps as last comment.

reproduction using d-i version 20101020ubuntu451.26

~ # wget http://github.com/
--2018-12-19 20:15:36-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:15:36-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

verification of fix using d-i version 20101020ubuntu451.27

~ # wget http://github.com/
--2018-12-19 20:18:37-- http://github.com/
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2018-12-19 20:18:37-- https://github.com/
Connecting to github.com|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html [ <=> ] 78.22K --.-KB/s in 0.04s

2018-12-19 20:18:37 (1.82 MB/s) - 'index.html' saved [80096]

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done
removed: verification-needed
tags: removed: sts-sponsor sts-sponsor-ddstreet
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20170717~16.04.2

---------------
ca-certificates (20170717~16.04.2) xenial; urgency=medium

  * Add ca-certificates udeb package (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Thu, 06 Dec 2018 16:20:55 -0200

Changed in ca-certificates (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu451.27

---------------
debian-installer (20101020ubuntu451.27) xenial; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20170717~14.04.2

---------------
ca-certificates (20170717~14.04.2) trusty; urgency=medium

  * Add ca-certificates udeb package (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Thu, 06 Dec 2018 16:20:55 -0200

Changed in ca-certificates (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu318.45

---------------
debian-installer (20101020ubuntu318.45) trusty; urgency=medium

  * build/pkg-lists/base: add ca-certificates-udeb to enable HTTPS
    without d-i/allow_unauthenticated_ssl in stock initramfs image
    as in Debian. (LP: #1807023)

 -- Mauricio Faria de Oliveira <email address hidden> Mon, 26 Nov 2018 16:49:46 -0200

Changed in debian-installer (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.