Differences between revisions 6 and 7
Revision 6 as of 2015-04-30 06:08:20
Size: 3456
Editor: PaulWise
Comment: git in jessie sucks too
Revision 7 as of 2015-04-30 06:11:39
Size: 3597
Editor: PaulWise
Comment: wget is busted in jessie too
Line 46: Line 46:
=== wget ===

git from Debian jessie requires the path or bundle:

{{{
dir=/etc/ssl/ca-debian
test -d $dir && capath="--ca-directory $dir"
wget $capath
}}}
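Review bot: the sentence under `=== wget ===` reads "git from Debian jessie requires the path or bundle:", but this section documents wget (the command in the block is `wget $capath` with `--ca-directory`); suggest "wget from Debian jessie requires the path or bundle:".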
Line 48: Line 58:
git from Debian jessie requires the bundle:

/!\
Note that http.sslCAPath does not seem to work.
git from Debian jessie requires the bundle (path does not seem to work).
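Review bot: the removed warning named the exact option that fails ("Note that http.sslCAPath does not seem to work."), while the replacement sentence only says "path does not seem to work"; suggest keeping the option name, e.g. "git from Debian jessie requires the bundle (http.sslCAPath does not seem to work).", so readers know which git config key to avoid.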

Machines administered by DSA have a custom setup for SSL verification that was announced in 2015.

By default, DSA-administered machines do not trust any CA certs and only contain SSL certs for debian.org services.

Some software is unable to verify debian.org service certs without the CA cert being present and trusted. For such software, DSA has provided /etc/ssl/ca-debian as a workaround. Please file bugs on any software that needs the workaround, using these usertags:

User: debian-admin@lists.debian.org
Usertags: needed-by-DSA-Team ssl

Some services need to verify the SSL certs of arbitrary services on the Internet that could change their SSL provider at any point in time. For such software, DSA has provided /etc/ssl/ca-global, which contains all the certs trusted by ca-certificates.

/etc/ssl/certs

wget is known to work with the debian.org service certs present in /etc/ssl/certs on debian.org machines.

/etc/ssl/ca-debian

The following software is unable to verify service certs without the CA cert being present and trusted. Known workarounds for these issues are listed below; please add any more that are needed. If your service needs to add one of these workarounds, please mention it in the users section below.

apt

apt from Debian jessie requires the bundle rather than the directory:

Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/ca-debian/ca-certificates.crt";

apt from Debian wheezy should be able to use the service cert directly:

Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";

curl

dir=/etc/ssl/ca-debian
test -d $dir && capath="--capath $dir"
curl $capath

wget

wget from Debian jessie requires the path or bundle:

dir=/etc/ssl/ca-debian
test -d $dir && capath="--ca-directory $dir"
wget $capath

git

git from Debian jessie requires the bundle (path does not seem to work).

dir=/etc/ssl/ca-debian
test -d $dir && git config --local --add http.sslCAInfo $dir/ca-certificates.crt

git from Debian wheezy should be able to use the service cert directly:

LWP

my $ca_dir = '/etc/ssl/ca-debian';
$ENV{HTTPS_CA_DIR} = $ca_dir if -d $ca_dir;

python-requests

import os
import requests

# python-requests from jessie needs the ca-debian bundle to verify debian.org certs
bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
if os.path.exists(bundle):
    requests.get('https://www.debian.org/', verify=bundle)
else:
    # no workaround directory on this machine: fall back to the default trust store
    requests.get('https://www.debian.org/')

Or in the shell wrapper for the Python script:

dir=/etc/ssl/ca-debian
# export, otherwise the Python child process never sees the variable
test -d $dir && export REQUESTS_CA_BUNDLE=$dir/ca-certificates.crt

rt-mailgate

rt-mailgate requires the bundle rather than the directory:

dir=/etc/ssl/ca-debian
test -d $dir && cafile="--ca-file $dir/ca-certificates.crt "
/usr/bin/rt-mailgate ... $cafile
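The per-tool snippets above all repeat the same test-then-set pattern. The following shell helper is an added example (not part of the DSA setup or of this page) that centralises it and records which tools accept the hashed directory (curl, wget) and which need the bundle file (git, rt-mailgate). It assumes the /etc/ssl/ca-debian layout described on this page and uses git's `-c key=value` form rather than the `git config --local` call shown above.

```shell
#!/bin/sh
# Added example: print the CA option(s) a tool needs to verify debian.org
# service certs via the ca-debian workaround directory. Prints nothing when
# the directory (or, for bundle-only tools, the bundle file) is absent, so
# the tool falls back to its default trust store, as the snippets above do.
#
# Usage: ca_debian_opts TOOL [CADIR]
#   e.g. curl $(ca_debian_opts curl) https://www.debian.org/
ca_debian_opts() {
    tool=$1
    cadir=${2:-/etc/ssl/ca-debian}         # assumed default from this page
    bundle="$cadir/ca-certificates.crt"
    case $tool in
        curl)
            # curl accepts the hashed directory
            [ -d "$cadir" ] && printf '%s\n' "--capath $cadir" ;;
        wget)
            # wget accepts the hashed directory as well
            [ -d "$cadir" ] && printf '%s\n' "--ca-directory $cadir" ;;
        git)
            # http.sslCAPath does not work with jessie's git, so bundle only;
            # "git -c" sets the option for one invocation (assumption: you
            # prefer this over "git config --local --add")
            [ -f "$bundle" ] && printf '%s\n' "-c http.sslCAInfo=$bundle" ;;
        rt-mailgate)
            # rt-mailgate takes the bundle file, not the directory
            [ -f "$bundle" ] && printf '%s\n' "--ca-file $bundle" ;;
        *)
            echo "ca_debian_opts: unknown tool '$tool'" >&2
            return 2 ;;
    esac
    return 0
}
```

Paths under /etc/ssl contain no whitespace, so the unquoted `$(...)` expansion splits into the option and its argument as intended.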

users

  • buildd apt
  • rt-mailgate
  • nagios dsa-check-mirrorsync
  • PTS -> BTS SOAP calls

  • the l10n stuff
  • vote stuff
  • webwml (english/mirror/arch_size.pl, english/devel/wnpp/wnpp.pl)
  • contributors.d.o submitters: wiki, ftp-master, nm, spamreview

/etc/ssl/ca-global

If your service needs this directory, adapt the ca-debian workarounds above accordingly and mention your service in the users section below.

users

  • PTS update_incoming.sh downloader
  • vcswatch
  • webwml
  • ieee-data
  • rtc stuff
  • secteam nvd download