6

Preseeding works perfectly for me using:

auto url=http://mydomain.com/preseed.cfg

But as soon as I use an HTTPS connection, it doesn't work any more.

auto url=https://mydomain.com/preseed.cfg

With wget I can download the preseed file without a problem; with lynx I get an

"SSL-Error:no issuer was found"

So it looks like a cert problem. I use startssl.com to generate my free certs, and nginx acts as the SSL web server (no problem accessing the HTTPS site with Firefox).

How do I debug this? How do I force it to get the file over the SSL connection?

c33s
  • http://security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html Run A Test Client can help to debug a little, but it's not the answer to my question. I am interested in how to get access to the log file of what happens while preseeding and which tool is used to load the preseed file. – c33s Nov 28 '11 at 06:54

3 Answers

4

The problem is that the wget from busybox is not compiled to support SSL. And there are no Certificate Authorities stored in d-i (so it really can't validate the server certificate).

The solution would be to add real wget into the initrd and add a trusted Certificate Authority.

bahamat
alekibango
    I am using the regular Debian business card install CD. As far as I understand, there is no way to get around this issue without rebuilding my own CD. Or is there an easy way to get around this issue? – c33s Jul 25 '12 at 08:36
3

@alekibango and @bahamat are correct, wget from busybox is not compiled to support SSL. But as of 2014, you can enable the --no-check-certificate parameter via the boot parameter:

debian-installer/allow_unauthenticated_ssl=true

I had to do this for Ubuntu 16.04 Xenial.

I found this information at: https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/833994#yui_3_10_3_1_1504942623880_1343

xsc27
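
The answer above switches off certificate checking, so nothing authenticates the file the installer fetches. As an added example (not part of the original answer), this script pairs that setting with the preseed/url/checksum parameter described in the Debian installation guide, which makes d-i refuse a preseed file whose MD5 differs from the pinned one. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the preseed file's MD5 on the kernel command line.

# md5_of FILE: print the hex MD5 of FILE
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# boot_args URL LOCAL_COPY: print the boot parameters for fetching URL,
# with the checksum taken from the copy you are about to publish.
boot_args() {
    url=$1; file=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    sum=$(md5_of "$file")
    case $url in
        https://*)
            # busybox wget in d-i cannot validate the certificate, so the
            # check is disabled and integrity comes from the checksum.
            printf 'auto url=%s debian-installer/allow_unauthenticated_ssl=true preseed/url/checksum=%s\n' "$url" "$sum" ;;
        http://*|ftp://*)
            printf 'auto url=%s preseed/url/checksum=%s\n' "$url" "$sum" ;;
        *)
            echo "unsupported URL scheme: $url" >&2; return 1 ;;
    esac
}

# matches_pin FETCHED_FILE BOOT_ARGS: succeed only if FETCHED_FILE has the
# checksum pinned in BOOT_ARGS (the comparison the installer performs).
matches_pin() {
    pinned=${2##*preseed/url/checksum=}
    pinned=${pinned%% *}
    [ "$(md5_of "$1")" = "$pinned" ]
}

# Constructed sample: the published file and a copy changed in transit.
demo() {
    dir=$(mktemp -d)
    printf 'd-i debian-installer/locale string en_US\n' > "$dir/preseed.cfg"
    printf 'd-i debian-installer/locale string de_DE\n' > "$dir/fetched.cfg"
    args=$(boot_args https://mydomain.com/preseed.cfg "$dir/preseed.cfg")
    echo "$args"
    matches_pin "$dir/preseed.cfg" "$args" && echo "published file: accepted"
    matches_pin "$dir/fetched.cfg" "$args" || echo "altered copy: rejected"
    rm -rf "$dir"
}
demo
```

The checksum has to be regenerated and the boot parameters updated every time the preseed file changes.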
0

While @alekibango has posted what I believe to be the correct answer, I also wanted to make it known that you can also reference the file with ftp. I was able to overcome my personal https needs by making the preseed available through an ftp redirect.

Mark
    As FTP is unencrypted, this doesn't really help. Then I can stick with HTTP. – c33s Jun 16 '16 at 14:39
  • It just may be a case where a user couldn't use port 80 so I wanted to make reference to the ftp option. – Mark Jun 28 '16 at 00:23