On 11/23/2016 05:17 PM, Philipp Kern wrote:
> In an effort to make HTTPS usable in the installer (e.g. to fetch
> preseed, authorized_keys files, or packages) ca-certificates needs to
> add a udeb with the certificates. The result has to be usable by
> openssl, which requires that c_rehash has been run on the directory.
> Unfortunately c_rehash is a Perl script that requires the openssl binary
> to run, so it's not suitable to run in the installer environment.
>
> Please find attached a patch that a) adds a ca-certificates-udeb
> package, b) installs all of Mozilla's certificates into /etc/ssl/certs
> and c) runs c_rehash on the resulting directory during build. I needed
> to rename dirs, postinst and postrm. Hence there are two patch files for
> clarity: one in unified format and one in git diff format.
>
> It'd be nice to have this in Stretch. Not having the certificates
> available blocked inclusion of a HTTPS-capable wget altogether.

One follow-up patch is needed here to make openssl pick up the certs. /usr/lib/ssl/certs is the default search path compiled into openssl. On a plain Debian system a symlink from /usr/lib/ssl/certs to /etc/ssl/certs is shipped in the "openssl" binary package, but in the installer environment we don't have that and shipping it in libssl's udeb would be inconvenient.

--- /dev/null +++ b/debian/ca-certificates-udeb.links @@ -0,0 +1 @@ +etc/ssl/certs usr/lib/ssl/certs --- a/debian/rules +++ b/debian/rules @@ -66,6 +66,7 @@ install: build binary-indep: build install dh_testdir dh_testroot + dh_link dh_installdebconf -n dh_installdocs dh_installexamples

With this addition to ca-certificates-udeb and with it and wget-udeb included into the installer image, fetches via HTTPS work for me.

Kind regards and thanks
Philipp Kern
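
Review bot: In debian/ca-certificates-udeb.links, the entry `etc/ssl/certs usr/lib/ssl/certs` ties the udeb to the default search path compiled into openssl, and nothing in the packaging records that dependency. A debian/changelog line, or a comment beside the dh_link call in debian/rules, should say that this link stands in for the one the "openssl" binary package ships on a regular system, so it gets revisited if the compiled-in path changes or libssl's udeb starts shipping the link itself.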
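
Review bot: The bare `dh_link` added to binary-indep in debian/rules acts on every package that target builds, not only ca-certificates-udeb. Only the udeb gets a .links file in this patch, but dh_link also corrects non-policy-conformant symlinks it finds in each package build tree, so the main ca-certificates package is now touched as well. Either scope the call with `dh_link -pca-certificates-udeb` or note in the changelog that running it for all packages is intended.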
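
A check for the two conditions this thread depends on (a directory that has been through c_rehash, and OpenSSL's compiled-in default path resolving to it), as an added example that is not part of the original messages or of the ca-certificates packaging. The function names are hypothetical, and the scratch tree, the placeholder file and the hash name `0a1b2c3d.0` are constructed so the script runs without openssl.

```shell
#!/bin/sh
# check_certdir CERTDIR DEFAULT_PATH
# Prints findings; returns 0 only if CERTDIR holds resolvable c_rehash-style
# links and DEFAULT_PATH (OpenSSL's compiled-in location) resolves to it.
check_certdir() {
    certdir=$1; default=$2; rc=0; hashed=0
    [ -d "$certdir" ] || { echo "MISSING $certdir"; return 1; }
    for link in "$certdir"/*; do
        name=${link##*/}
        case $name in
            # c_rehash names: 8 hex digits, a dot, a collision counter
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ -e "$link" ]; then          # -e follows the symlink
            hashed=$((hashed + 1))
        else
            echo "DANGLING $name"; rc=1
        fi
    done
    [ "$hashed" -gt 0 ] || { echo "NOT_REHASHED $certdir"; rc=1; }
    if [ ! -d "$default" ]; then
        echo "NO_DEFAULT_PATH $default"; rc=1
    elif [ "$(cd "$default" && pwd -P)" != "$(cd "$certdir" && pwd -P)" ]; then
        echo "DEFAULT_PATH_ELSEWHERE $default"; rc=1
    fi
    echo "hashed=$hashed"
    return "$rc"
}

# make_sample ROOT: constructed tree with a placeholder file and a made-up hash name
make_sample() {
    mkdir -p "$1/etc/ssl/certs" "$1/usr/lib/ssl"
    echo "placeholder, not a real certificate" > "$1/etc/ssl/certs/Example_CA.pem"
    ln -s Example_CA.pem "$1/etc/ssl/certs/0a1b2c3d.0"
}

# add_default_link ROOT: stand-in for the usr/lib/ssl/certs link from the patch
# (relative here so that it resolves inside the scratch tree)
add_default_link() {
    ln -s ../../../etc/ssl/certs "$1/usr/lib/ssl/certs"
}

demo=$(mktemp -d)
make_sample "$demo"
check_certdir "$demo/etc/ssl/certs" "$demo/usr/lib/ssl/certs" || true   # link missing
add_default_link "$demo"
check_certdir "$demo/etc/ssl/certs" "$demo/usr/lib/ssl/certs"           # now passes
rm -rf "$demo"
```

On a real image the call would be `check_certdir /etc/ssl/certs /usr/lib/ssl/certs`.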