[Impact]
* The installer stock images fail to validate any HTTPS
certificates because ca-certificates is not available
in the installer environment.
* This causes wget/download errors for preseed files on
HTTPS servers (or HTTP servers that redirect to HTTPS,
which are increasingly common nowadays - e.g., GitHub)
and theoretically any other files that are downloaded
with d-i-utils/fetch-url/wget.
* The fix is to ship ca-certificates-udeb in installer
stock images.
* Debian already ships ca-certificates-udeb in the stock
installer images; the fix has been applied since Jan 2017.
(reference: Debian Bug #842040 / d-i commit 2f00c51a [1])
[Test Case]
* In the installer shell:
~ # wget http://github.com # or https://github.com
- FAIL if ca-certificates-udeb is missing:
"ERROR: cannot verify github.com's certificate, <...>'
- PASS if ca-certificates-udeb is available
"Saving to: 'index.html'"
* Test steps with virt-install and netboot images
are provided in the comments, for each release.
[Regression Potential]
* Low. This just adds the ca-certificates files in
/etc/ssl/certs and symlink in /usr/lib/ssl/certs,
so only tools looking for that would be affected.
* Apparently only wget checks for/uses those files,
and the difference in behavior is download errors
no longer occur.
[Notes]
* The ca-certificates-udeb is not currently present
in the Ubuntu archive despite being available for
download in Launchpad with a link for some reason
(perhaps a problem during import from Debian/sid?)
* So this fix includes a no-change-rebuild for the
ca-certificates package, in order to publish the
udeb in the archive.
* The ca-certificates and debian-installer builds
have been done in a PPA using all architectures,
and testing has been done with the amd64 images.
* This fix is requested for Bionic, Cosmic, Disco.
The older releases (Trusty, Xenial) are affected,
but not requested for, and would need more work,
as the udeb is not yet in the packaging but that
is doable if required for the process.
[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
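
A check for the trust store described under [Regression Potential], run against an unpacked installer initrd instead of booting it. This is an added example, not part of the bug report or of debian-installer; the function name `check_trust_store` and the unpacked-root argument are assumptions.

```sh
#!/bin/sh
# Added example: verify that an unpacked installer initrd carries a CA trust store.
# check_trust_store and its ROOT argument are hypothetical names (assumptions).
# Returns: 0 ok, 1 no etc/ssl/certs, 2 no PEM certificates, 3 symlink missing/wrong.
check_trust_store() {
    root=$1
    certdir="$root/etc/ssl/certs"
    link="$root/usr/lib/ssl/certs"

    [ -d "$certdir" ] || { echo "FAIL: $certdir is missing"; return 1; }

    # Count regular files holding at least one PEM certificate.
    n=0
    for f in "$certdir"/*; do
        [ -f "$f" ] || continue
        if grep -q -F -e '-----BEGIN CERTIFICATE-----' "$f"; then
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ] || { echo "FAIL: no PEM certificates in $certdir"; return 2; }

    # The symlink target is interpreted inside ROOT, not on the host.
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 3; }
    target=$(readlink "$link")
    case "$target" in
        /*) resolved="$root$target" ;;
        *)  resolved="$(dirname "$link")/$target" ;;
    esac
    want=$(cd "$certdir" && pwd -P)
    got=$(cd "$resolved" 2>/dev/null && pwd -P) || got=""
    [ "$got" = "$want" ] || { echo "FAIL: $link -> $target does not reach etc/ssl/certs"; return 3; }

    echo "PASS: $n certificate file(s), symlink ok"
}

# Stand-alone use: pass the directory where the initrd was unpacked.
if [ "$#" -gt 0 ]; then
    check_trust_store "$1"
fi
```

A return code of 1 or 2 corresponds to the FAIL case in [Test Case], where wget has nothing to verify the server certificate against.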