#784811 d-i.debian.org: rmadison on dillon fails because of certificate checks

#784811#5
Date: 2015-05-09 02:26:07 UTC
With the current setup on dillon, one needs to point https tools to the
right ca-file (/etc/ssl/ca-debian/ca-certificates.crt) and/or ca-path
(/etc/ssl/ca-debian). Unfortunately rmadison doesn't offer such options
for the time being and we get this:
| d-i@dillon:~/trunk/scripts$ rmadison linux
| debian:
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: http://curl.haxx.se/docs/sslcerts.html
|
| curl performs SSL certificate verification by default, using a "bundle"
|  of Certificate Authority (CA) public keys (CA certs). If the default
|  bundle file isn't adequate, you can specify an alternate file
|  using the --cacert option.
| If this HTTPS server uses a certificate signed by a CA represented in
|  the bundle, the certificate verification probably failed due to a
|  problem with the certificate (it might be expired, or the name might
|  not match the domain name in the URL).
| If you'd like to turn off curl's verification of the certificate, use
|  the -k (or --insecure) option.
| new:
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: http://curl.haxx.se/docs/sslcerts.html
|
| curl performs SSL certificate verification by default, using a "bundle"
|  of Certificate Authority (CA) public keys (CA certs). If the default
|  bundle file isn't adequate, you can specify an alternate file
|  using the --cacert option.
| If this HTTPS server uses a certificate signed by a CA represented in
|  the bundle, the certificate verification probably failed due to a
|  problem with the certificate (it might be expired, or the name might
|  not match the domain name in the URL).
| If you'd like to turn off curl's verification of the certificate, use
|  the -k (or --insecure) option.

I've crafted a patch and I'll block this bug report with it; I might set
up some workaround until this is resolved in a proper way.

Mraw,
KiBi.

#784811#12
Date: 2015-05-09 03:02:07 UTC
Cyril Brulebois <kibi@debian.org> (2015-05-09):

Local changes in dillon include:
 - mailing kibi@d.o instead of debian-boot@, because debugging and other
   annoyances listed as d-i.debian.org bug reports; I don't want more
   junk to be sent to the list.
 - hardcoded paths in an additional $ua->ssl_opts(…) call, because
   rmadison isn't the only one which needs to be told about the CA path.
 - calling ./rmadison instead of /usr/bin/rmadison, so that #784812
   isn't a blocker.

Mraw,
KiBi.
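
The workaround discussed in the two messages above (pointing curl and the Perl `$ua` client at the Debian CA store instead of turning verification off), as an added example that is not code from this bug log, from rmadison or from the d-i scripts. The function names and the `SITE_CA_*` variables are hypothetical; it assumes the wrapped tool inherits its environment, and relies on `CURL_CA_BUNDLE` (read by the curl command-line tool) and `PERL_LWP_SSL_CA_FILE` / `PERL_LWP_SSL_CA_PATH` (read by LWP::UserAgent).

```shell
#!/bin/sh
# Added example. Paths are the ones quoted in the report; the names
# SITE_CA_FILE, SITE_CA_PATH, use_site_ca and run_with_site_ca are hypothetical.
: "${SITE_CA_FILE:=/etc/ssl/ca-debian/ca-certificates.crt}"
: "${SITE_CA_PATH:=/etc/ssl/ca-debian}"

# use_site_ca: export trust-store settings for child processes.
# Returns 1 and exports nothing if the store is unusable, so callers fail
# closed instead of falling back to "curl -k".
use_site_ca() {
    if [ ! -r "$SITE_CA_FILE" ] || [ ! -s "$SITE_CA_FILE" ]; then
        echo "use_site_ca: CA bundle $SITE_CA_FILE missing or empty" >&2
        return 1
    fi
    if [ ! -d "$SITE_CA_PATH" ]; then
        echo "use_site_ca: CA directory $SITE_CA_PATH missing" >&2
        return 1
    fi
    # A bundle without any PEM certificate would only reproduce error 60.
    if ! grep -q 'BEGIN CERTIFICATE' "$SITE_CA_FILE"; then
        echo "use_site_ca: no PEM certificate in $SITE_CA_FILE" >&2
        return 1
    fi
    # curl command-line tool: same effect as passing --cacert
    export CURL_CA_BUNDLE="$SITE_CA_FILE"
    # Perl LWP::UserAgent: defaults for SSL_ca_file / SSL_ca_path in ssl_opts
    export PERL_LWP_SSL_CA_FILE="$SITE_CA_FILE"
    export PERL_LWP_SSL_CA_PATH="$SITE_CA_PATH"
    return 0
}

# run_with_site_ca cmd [args...]: run one command with the settings above.
# The subshell keeps the exports from leaking into the calling shell.
# Example: run_with_site_ca ./rmadison linux
run_with_site_ca() {
    ( use_site_ca && exec "$@" )
}
```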

#784811#17
Date: 2023-09-09 16:50:40 UTC
For the record, #784812 was resolved a couple of months after the
above.

All debian.org hosts should also now be able to run tools such as
rmadison without needing any special configuration.

I'm not closing the bug, as it's not clear to me from the above whether
there are changes which might want to be reverted on the d-i.d.o side.

Regards,

Adam