Differences between revisions 3 and 4
Revision 3 as of 2015-03-09 17:12:47
Size: 2550
Editor: EnricoZini
Comment: Fixed curl syntax
Revision 4 as of 2015-03-09 17:31:15
Size: 2912
Editor: PaulWise
Comment: apt workaround
Deletions are marked like this. Additions are marked like this.
Line 21: Line 21:

=== apt ===

apt from Debian jessie requires the bundle rather than the directory:

{{{
Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/ca-debian/ca-certificates.crt";
}}}

apt from Debian wheezy should be able to use the service cert directly:

{{{
Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
}}}

Machines administered by DSA have a custom setup for SSL verification that was announced in 2015.

By default, DSA-administered machines do not trust any CA certs and only contain SSL certs for debian.org services.

Some software is unable to verify debian.org service certs without the CA cert being present and trusted. For such software, DSA has provided /etc/ssl/ca-debian as a workaround. Please file bugs on any software that needs the workaround, using these usertags: 

User: debian-admin@lists.debian.org
Usertags: needed-by-DSA-Team ssl

Some services need to verify the SSL certs of arbitrary services on the Internet that could change their SSL provider at any point in time. For such software, DSA has provided /etc/ssl/ca-global, which contains all the certs trusted by ca-certificates.

/etc/ssl/certs

wget is known to work with the debian.org service certs present in /etc/ssl/certs on debian.org machines.

/etc/ssl/ca-debian

The following software is unable to verify service certs without the CA cert being present and trusted. Known workarounds for these issues are available below, please add any more that are needed. If your service needs to add one of these workarounds, please mention it in the users section below.

apt

apt from Debian jessie requires the bundle rather than the directory: 

Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/ca-debian/ca-certificates.crt";

apt from Debian wheezy should be able to use the service cert directly: 

Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";

curl

dir=/etc/ssl/ca-debian
test -d $dir && capath="--capath $dir"
curl $capath

LWP

my $ca_dir = '/etc/ssl/ca-debian';
$ENV{HTTPS_CA_DIR} = $ca_dir if -d $ca_dir;

python-requests

bundle=/etc/ssl/ca-debian/ca-certificates.crt
if os.path.exists(bundle):
  requests.get('https://www.debian.org/', verify=bundle)
else:
  requests.get('https://www.debian.org/')

Or in the shell wrapper for the Python script: 

dir=/etc/ssl/ca-debian
test -d $dir && REQUESTS_CA_BUNDLE=$dir/ca-certificates.crt

users

  • buildd apt
  • rt-mailgate
  • nagios dsa-check-mirrorsync

  • PTS -> BTS SOAP calls

  • the l10n stuff
  • vote stuff
  • webwml (english/mirror/arch_size.pl, english/devel/wnpp/wnpp.pl)
  • contributors.d.o submitters: wiki, ftp-master, nm, spamreview

/etc/ssl/ca-global

If your service needs this directory, you can adapt the ca-debian workarounds for this purpose and please mention your service in the users section below.

users

  • PTS update_incoming.sh downloader
  • vcswatch
  • webwml
  • ieee-data
  • rtc stuff
  • secteam nvd download