Re: pkg/58273: pkgin cannot download repo index over SSL in default install

[2857%gmx.de@localhost]

The following reply was made to PR pkg/58273; it has been noted by GNATS.

From: 2857%gmx.de@localhost
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: pkg/58273: pkgin cannot download repo index over SSL in default
 install
Date: Thu, 23 May 2024 23:56:28 +0200

 Hi,
 
 Thank you for the detailed debug steps. Sadly I couldn't reproduce this
 exact issue, but after pkgin was installed, I chose to get pkgsrc
 archive from the installer menu, and that failed. I have extracted the
 logs, you can get them via
 
 wget -qO- https://bpa.st/download/KPHA | base64 -d | tar -xvz
 
 You can see it tries to unpack tar archive which's corrupted (failed
 download?). I then hit ^C and installer has marked that menu item as
 "Abandoned". After rebooting the machine, I've went to check the certs,
 and they were installed:
 
 # cd /etc/openssl/certs && wc -l
 294
 
 I've installed wget over https and it worked, so certs are good. I've
 then downloaded pkgsrc tarball over https and it also worked.
 
 I also noticed that `certctl rehash' happened right before entering
 "final" installer menu, before prompting to install pkgin and friends.
 
 I will try to reproduce it again, but my idea is that pkgin failed to
 install the same way pkgsrc archive did. No idea about what went wrong
 with certs.
 
 Thanks!
 
 
 
 On 22.05.24 20:10, Taylor R Campbell wrote:
 > The following reply was made to PR pkg/58273; it has been noted by GNATS=
 .
 >
 > From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 > To: zip100 <2857%gmx.de@localhost>
 > Cc: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
 > Subject: Re: pkg/58273: pkgin cannot download repo index over SSL in def=
 ault install
 > Date: Wed, 22 May 2024 18:08:53 +0000
 >
 >   > I've picked an option to add pkgin during the install, but that
 >   > didn't work, [...]
 >
 >   What does `that didn't work' mean?  What was the symptom?
 >
 >   > it seems to me that root certs are missing in default install and
 >   > thus even NetBSD mirrors are affected.
 >
 >   This is probably what happened, but it's not clear why it happened.
 >
 >   The mozilla-rootcerts-openssl package should no longer be necessary as
 >   of 10.  If you delete it and run `certctl list', that will tell you
 >   what root certs NetBSD thinks should be configured in
 >   /etc/openssl/certs, and `certctl rehash' will clear out
 >   /etc/openssl/certs and repopulate it to make it so.
 >
 >   If you have more time, can you:
 >
 >   1. boot the installer in a fresh VM,
 >   2. enter the utility menu and enable logging and scripting,
 >   3. otherwise run through the same installation procedure again, and
 >   4. reproduce the pkgin failure?
 >
 >   If so, can you break into a shell (hit ^Z or go into the utility menu
 >   and start a shell) and share /tmp/sysinst.log and /tmp/sysinst.sh?
 >   (E.g., transmit them with nc(1) to another host.)
 >
 >   Once you've done all that, can you:
 >
 >   5. reboot into the fresh installation,
 >   6. check whether pkg_add and pkgin work with https,
 >   7. check whether `ls /etc/openssl/certs' is empty,
 >   8. run `certctl rehash', and
 >   9. check again whether whether pkg_add and pkgin work with https, and
 >   10. check again wehther `ls /etc/openssl/certs' is empty?
 >
 >   > Maybe they're installed as some dependencies of X set, that's why
 >   > it's not always triggered in a console install.
 >
 >   The certificates are in the base set, and they are always configured
 >   in /etc/openssl/certs when extracting sets during installation.
 >