[Bug 1807023] Please test proposed package
Łukasz Zemczak
1807023 at bugs.launchpad.net
Thu Dec 13 14:04:33 UTC 2018
Hello Mauricio, or anyone else affected,
Accepted debian-installer into trusty-proposed. The package will build
now and be available at
https://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu318.45
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1807023
Title:
installer stock images fail to validate any HTTPS certificates
(ca-certificates missing)
Status in debian-installer:
Fix Released
Status in ca-certificates package in Ubuntu:
Invalid
Status in debian-installer package in Ubuntu:
Fix Released
Status in ca-certificates source package in Trusty:
In Progress
Status in debian-installer source package in Trusty:
Fix Committed
Status in ca-certificates source package in Xenial:
In Progress
Status in debian-installer source package in Xenial:
Fix Committed
Status in ca-certificates source package in Bionic:
Invalid
Status in debian-installer source package in Bionic:
Fix Committed
Status in ca-certificates source package in Cosmic:
Invalid
Status in debian-installer source package in Cosmic:
Fix Committed
Status in ca-certificates source package in Disco:
Invalid
Status in debian-installer source package in Disco:
Fix Released
Status in debian-installer package in Debian:
Fix Released
Bug description:
[Impact]
* The installer stock images fail to validate any HTTPS
certificates because ca-certificates is not available
in the installer environment.
* This causes wget/download errors for preseed files on
HTTPS servers (or HTTP servers that redirect to HTTPS,
which are increasingly common nowadays - e.g., GitHub)
and theoretically any other files that are downloaded
with d-i-utils/fetch-url/wget.
* The fix is to ship ca-certificates-udeb in installer
stock images.
* Debian already ships ca-certificates-udeb in the stock
installer images; the fix is applied since Jan 2017.
(reference: Debian Bug #842040 / d-i commit 2f00c51a [1])
[Test Case]
* In the installer shell:
~ # wget http://github.com # or https://github.com
- FAIL if ca-certificates-udeb is missing:
"ERROR: cannot verify github.com's certificate, <...>"
- PASS if ca-certificates-udeb is available
"Saving to: 'index.html'"
* Test steps with virt-install and netboot images
are provided in the comments, for each release.
[Regression Potential]
* Low. This just adds the ca-certificates files in
/etc/ssl/certs and symlink in /usr/lib/ssl/certs,
so only tools looking for that would be affected.
* Apparently only wget checks for/uses those files,
and the difference in behavior is download errors
no longer occur.
[Notes]
* The ca-certificates-udeb is not currently present
in the Ubuntu 'main' component, but in 'universe',
despite the normal deb being in 'main'.
However, when rebuilding in a PPA it goes into
'main' accordingly, and can be used by default
by debian-installer (otherwise, UDEB_COMPONENTS
has to be modified to include universe/d-i).
* So this fix includes a no-change-rebuild for the
ca-certificates package, in order to publish the
udeb in the archive (at least in PPA for testing).
Hopefully that can be sorted out for this fix
to work out.
* The ca-certificates and debian-installer builds
have been done in a PPA using all architectures,
and testing has been done with the amd64 images.
* This fix is requested for Bionic, Cosmic, Disco
at least.
* The fix for Trusty and Xenial needed a little
bit more work to build/ship the (new) udeb.
(reference: Debian Bug #845456 / ca-certificates commit 3acb3a90 [2])
It would be good to have them too if at all possible.
[1] https://salsa.debian.org/installer-team/debian-installer/commit/2f00c51a7ead982ae1cd71bee06c8416890196b6
[2] https://salsa.debian.org/debian/ca-certificates/commit/3acb3a9042a00307ba35d10052d81cdc206c34a4
[Debugging]
For debugging purposes, one can install strace-udeb in the installer
to verify wget's stat() calls to /usr/lib/ssl/certs.
~ # anna-install strace-udeb
~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
+++ exited with 5 +++
~ #
~ # anna-install ca-certificates-udeb # not in archive yet.
unknown udeb ca-certificates-udeb
~ # wget --no-check-certificate https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates-udeb_20180409_all.udeb
~ # udpkg -i ca-certificates-udeb_20180409_all.udeb
~ # strace -e stat wget -O- https://github.com >/dev/null
...
Resolving github.com... stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
140.82.118.3, 140.82.118.4
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
HTTP request sent, awaiting response... 200 OK
stat("-", 0x7fffbb943558) = -1 ENOENT (No such file or directory)
Length: unspecified [text/html]
Saving to: 'STDOUT'
...
+++ exited with 0 +++
To manage notifications about this bug go to:
https://bugs.launchpad.net/debian-installer/+bug/1807023/+subscriptions
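
The [Debugging] traces above show wget probing /usr/lib/ssl/certs for hash-named files (`<hex>.<n>`), with every probe returning ENOENT until the udeb is installed. The following is an added example, not part of the bug report or of debian-installer, that classifies such strace output; the function names and the hit/miss/none labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `strace -e stat wget ...` output by whether any
# hashed CA lookup (<hash>.<n>) in the trust directory succeeded.
CERT_DIR="${CERT_DIR:-/usr/lib/ssl/certs}"   # path seen in the report's trace

# Reads strace output on stdin and prints:
#   hit  - a hashed file was found, so a candidate CA certificate exists
#          (this does not by itself prove that verification succeeded)
#   miss - hashed lookups were attempted and every one returned ENOENT
#   none - no hashed lookup in CERT_DIR appears in the trace
ca_lookup_result() {
    awk -v dir="$CERT_DIR" '
        BEGIN { prefix = "stat(\"" dir "/"; state = "none" }
        index($0, prefix) == 1 {
            name = substr($0, length(prefix) + 1)
            if (name !~ /^[0-9a-f]+\.[0-9]+"/) next
            if ($0 ~ /\) = 0[ \t]*$/) state = "hit"
            else if (state == "none") state = "miss"
        }
        END { print state }'
}

# Sample lines copied from the report: before and after installing the udeb.
trace_without_udeb() {
    cat <<'EOF'
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", 0x7ffdba51b570) = -1 ENOENT (No such file or directory)
+++ exited with 5 +++
EOF
}

trace_with_udeb() {
    cat <<'EOF'
Connecting to github.com|140.82.118.3|:443... connected.
stat("/usr/lib/ssl/certs/45bfefc3.0", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/244b5494.0", {st_mode=S_IFREG|0644, st_size=1367, ...}) = 0
stat("/usr/lib/ssl/certs/244b5494.1", 0x7fffbb9431c0) = -1 ENOENT (No such file or directory)
+++ exited with 0 +++
EOF
}

echo "without udeb: $(trace_without_udeb | ca_lookup_result)"
echo "with udeb:    $(trace_with_udeb | ca_lookup_result)"
```

A "miss" result paired with wget's exit status 5 matches the FAIL case in [Test Case]; "none" means the trace contains no lookups in that directory at all.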