curl-library

curl and apt-get update

From: Alan Ezust <alan.ezust_at_gmail.com>
Date: Thu, 5 Jul 2007 15:14:28 -0700

Hi - I'm trying to get apt-get to work over https. I built apt 0.7.2
from debian unstable source so that I could have apt-transport-https
too. At build-time, I had libcurl3-openssl-dev installed as a binary
package from debian stable. I had to edit apt's debian/control file to
allow me to use that as its build depend instead of
libcurl-gnutls-dev.

curl-config --features reports that SSL is enabled as a feature on my client.

I have an SSL certificate on my HTTPS host that is not signed by any
authority, but I grabbed and installed the private key and certificate
from the server (/etc/apache2/ssl/apache.pem), and as suggested on
http://curl.netmirror.org/docs/sslcerts.html installed it on the
client in this location: /usr/local/share/curl/curl-ca-bundle.crt

I was hoping this would be sufficient for libcurl to find my
certificates when run from apt-transport-https.

I verified that the certificate bundle works by testing it with wget
--ca-certificate=/usr/local/share/curl/curl-ca-bundle.crt
wget successfully can grab files over SSL now.

I'm not sure if my question is related to apt or libcurl now.
Where should I put / how should I install these certificates so that
when apt-get runs over libcurl, it finds this certificate/key pair?

The observable behavior is rather strange, apt-get update fails like this:

$ apt-get update
Get:1 https://update.domain.com stable/ Release.gpg [189B]
Get:2 https://update.domain.com stable/ Translation-en_US [189B]
Ign https://update.domain.com stable/ Translation-en_US
Ign https://update.domain.com stable/ Release
Ign https://update.domain.com stable/ Packages/DiffIndex
Ign https://update.domain.com stable/ Packages
Err https://update.domain.com stable/ Packages
  transfer closed with outstanding read data remaining
Fetched 189B in 9s (21B/s)
Failed to fetch https://update.domain.com/stable/Packages.gz transfer
closed with outstanding read data remaining

But if the cached package list still contains packages that I can
download, I can do "apt-get install" over https, and it doesn't
complain about lack of certificates or anything. The read error seems
to be specific to apt-get update.

Other times that I run this, I don't even get this error message, it
just gives me 4 Ign lines, and a "Fetched <smallnumber>B in
<smallnumber>s"

Then I thought, maybe it's not looking there but instead looking at
/etc/ssl/certs/ca-certificates.crt, so I appended my apache.pem to
that file. Still no luck.

Here is a strange thing: if I apt-get update over http:// and then
switch to https:// in my /etc/sources, apt-get upgrade works fine
(because the package list is up to date). That is, apt-get install
over https can get the packages that it needs and install them. The
lockups I am experiencing are specific to apt-get update, not upgrade.
Why would it work when it's getting the debs but not when it is
downloading the package list?

Any other suggestions of things to try?
Received on 2007-07-06
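
The message above describes copying the server's apache.pem, which holds both the private key and the certificate, into CA bundle files on the client. As an added example (not part of the original mail, and not curl or apt code), these shell functions list the PEM blocks in a bundle and extract only the certificates, which is all a client trust store needs to verify the server. The function names and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PEM file that is used as a TLS trust store.

# Print one line per PEM block. Exit status: 0 = certificates only,
# 1 = private key material present, 2 = no PEM blocks found.
audit_pem_bundle() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = $0
            sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
            n++
            if (label ~ /PRIVATE KEY$/) { keys++; kind = "key" }
            else if (label ~ /CERTIFICATE$/) { kind = "cert" }
            else { kind = "other" }
            printf "block %d: %s (%s)\n", n, kind, label
        }
        END { if (n == 0) exit 2; if (keys > 0) exit 1; exit 0 }
    ' "$1"
}

# Write only the certificate blocks of a PEM file to stdout.
certs_only() {
    awk '
        /^-----BEGIN [A-Z0-9 ]*CERTIFICATE-----/ { keep = 1 }
        keep { print }
        /^-----END [A-Z0-9 ]*CERTIFICATE-----/ { keep = 0 }
    ' "$1"
}

# Constructed sample shaped like a combined key+certificate file.
# The base64 bodies are placeholders, not real key material.
sample_bundle() {
    cat <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}

# Demo: audit the sample, then audit the certificate-only copy.
tmp=$(mktemp); clean=$(mktemp)
sample_bundle > "$tmp"
audit_pem_bundle "$tmp" || echo "status $?: private key found in bundle"
certs_only "$tmp" > "$clean"
audit_pem_bundle "$clean" && echo "certificate-only bundle is clean"
rm -f "$tmp" "$clean"
```

The same audit can be pointed at any file used as a CA bundle, such as the two paths named in the message.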