Hello Cyril, Thank you for your reply.
> Which mirror? If its certificate has been emitted by one of the usual > CAs (see the ca-certificates package[1]), I don't think you should be > getting any trust issue. > > 1. https://tracker.debian.org/pkg/ca-certificates Fastly mirror by using deb.debian.org Sorry, I did not specify on my previous message, on syslog log during the netinst, we can see an issue about certificate. The error message : Certificate verification failed. The certificate is NOT trusted. I think ca-certificate is not loaded/used. For me it's an issue about missing root certificate. I tested with your suggestion to use mirror/protocol=https in command line and it works fine :). I try again without mirror/protocol=https and the issue reappears To reproduce the issue : - Start Debian netinst - Use Graphical expert installation mode - At the step " configure the package manager" chose https. - Use default option Thie issue should be reproductible. Could you try ? Note : To avoid doubt, I use ISO as you listed. (it was this iso previously used) > For the avoidance of doubt, this matches this specific ISO: > > https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso Thanks Sylvain Le mar. 25 mai 2021 à 01:23, Cyril Brulebois <k...@debian.org> a écrit : > > Hi Sylvain, > > Sylvain Tgz <tarjaiz...@gmail.com> (2021-05-24): > > I just tested the netinst image. > > > > I tried to use a https mirror but it did not work. > > > > The "F4 console" display an issue about untrusted certificate. > > Which mirror? If its certificate has been emitted by one of the usual > CAs (see the ca-certificates package[1]), I don't think you should be > getting any trust issue. > > 1. https://tracker.debian.org/pkg/ca-certificates > > The last upload of this package is dated 2021-01-19, migration to > testing 5 days later, and it's included in D-I Bullseye RC 1, which I've > tested successfully against an HTTPS mirror, so the basics should be > good, unless some other component broke in the meanwhile. > > Is the clock set up properly on that machine? Besides not having the > right CA(s) configured, an offset of the clock side can lead to trust > issue as well (certificate not yet valid or already expired). > > > I don't think this is an intended behavior, I'm wrong ? If I'm wrong, > > what would be the solution to use an HTTPS mirror ? I tried to find > > information from documentation without success. I rarely use the > > netinst image (i'm a debootstrap addict :)), maybe I am missing some > > information, if this is the case, I apologize in advance, please, > > close this issue. > > There's nothing wrong with reporting a possible issue, don't worry. > > For my regular installation tests, I'm tweaking the kernel command line > before starting the installation process. There might be better ways, > I've just been using that for so long that I didn't perform any research > lately. :D > > Setting this is sufficient: > > mirror/protocol=https > > You'd probably get to the mirror selection stage with the “manual > setting” choice set and deb.debian.org as hostname and /debian as > directory. You can deviate from those in that particular screen, or you > can also preseed those settings with those variables, also on the kernel > command line: > > mirror/https/hostname=deb.debian.org > mirror/https/directory=/debian > > As usual, use space as a separator between each parameter passed on the > kernel command line. > > > Image used : weekly-builds > > debian-testing-amd64-netinst.iso 2021-05-24 06:10 377M > > sha512sum > > 28fbb57d329c919933feeaebf24f5767b9c6926aa27a407fd060fc9afebb9f8d2ff5dcc530589f58e2e1fe3f26c5e73b31a73f9357b501e31f12e1c9cc44de4c > > For the avoidance of doubt, this matches this specific ISO: > > https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso > > And I've just tested an installation successfully by setting: > > mirror/protocol=https > > then using mostly default choices. > > > Cheers, > -- > Cyril Brulebois (k...@debian.org) <https://debamax.com/> > D-I release manager -- Release team member -- Freelance Consultant
