NetBSD-Bugs archive


Re: pkg/58273: pkgin cannot download repo index over SSL in default install



> I've picked an option to add pkgin during the install, but that
> didn't work, [...]

What does `that didn't work' mean?  What was the symptom?

> it seems to me that root certs are missing in default install and
> thus even NetBSD mirrors are affected.

This is probably what happened, but it's not clear why it happened.

The mozilla-rootcerts-openssl package should no longer be necessary as
of 10.  If you delete it and run `certctl list', that will tell you
what root certs NetBSD thinks should be configured in
/etc/openssl/certs, and `certctl rehash' will clear out
/etc/openssl/certs and repopulate it to make it so.

If you have more time, can you:

1. boot the installer in a fresh VM,
2. enter the utility menu and enable logging and scripting,
3. otherwise run through the same installation procedure again, and
4. reproduce the pkgin failure?

If so, can you break into a shell (hit ^Z or go into the utility menu
and start a shell) and share /tmp/sysinst.log and /tmp/sysinst.sh?
(E.g., transmit them with nc(1) to another host.)

Once you've done all that, can you:

5. reboot into the fresh installation,
6. check whether pkg_add and pkgin work with https,
7. check whether `ls /etc/openssl/certs' is empty,
8. run `certctl rehash',
9. check again whether pkg_add and pkgin work with https, and
10. check again whether `ls /etc/openssl/certs' is empty?

> Maybe they're installed as some dependencies of X set, that's why
> it's not always triggered in a console install.

The certificates are in the base set, and they are always configured
in /etc/openssl/certs when extracting sets during installation.

