public inbox for isar-users@googlegroups.com
From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: Ulrich Teichert <ulrich.teichert@kumkeo.de>,
	isar-users <isar-users@googlegroups.com>
Subject: Re: HTTPs connection during bootstrap
Date: Tue, 28 Apr 2026 09:40:19 +0200
Message-ID: <2b9c7c31-2ff0-41c3-8e66-8f9a86199252@siemens.com>
In-Reply-To: <3a6bc2de-5694-4a72-90fd-6fcb5a62587en@googlegroups.com>

On 28.04.26 08:58, Ulrich Teichert wrote:
> Hi,
> 
> after some teething problems, I've been able to build a bootable qemu
> ARM64 image
> with some of our packages for a proof of concept - thanks again to Anton.
> 
> Still open is getting a successful connection to an external apt-
> repository over HTTPs,
> during bootstrapping which is secured by self signed certificates.
> Currently, I have to use
> a reverse proxy (caddy - nice and simple setup) to circumvent the issue,
> and I would like to
> get rid of it.
> 
> The error I'm getting at the moment when not using the reverse proxy is:
> 
> ERROR: mc:qemuarm64-trixie:isar-mmdebstrap-target-1.0-r0 do_bootstrap:
> ExecutionError('/home/isar/isar-image/build/tmp/work/debian-trixie-
> arm64/isar-mmdebstrap-target/1.0-r0/temp/run.do_bootstrap.18929', 25,
> None, None)
> ERROR: Logfile of failure stored in: /home/isar/isar-image/build/tmp/
> work/debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/temp/
> log.do_bootstrap.18929
> Log data follows:
> | DEBUG: Executing python function sstate_task_prefunc
> | DEBUG: Python function sstate_task_prefunc finished
> | DEBUG: Executing shell function do_bootstrap
> | removed '/home/isar/isar-image/build/tmp/work/debian-trixie-arm64/
> isar-mmdebstrap-target/1.0-r0/sources.list.d/bootstrap.list'
> | '/home/isar/isar-image/build/tmp/work/debian-trixie-arm64/isar-
> mmdebstrap-target/1.0-r0/apt-sources' -> '/home/isar/isar-image/build/
> tmp/work/debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/
> sources.list.d/bootstrap.list'
> | I: arm64 cannot be executed natively, but transparently using qemu-
> user binfmt emulation
> | I: finding correct signed-by value...
> | I: automatically chosen format: tar
> | I: using /home/isar/isar-image/build/tmp/work/debian-trixie-arm64/
> isar-mmdebstrap-target/1.0-r0/tempdir/mmdebstrap.3tADUZToch as tempdir
> | W: Download is performed unsandboxed as root as file /home/isar/isar-
> image/build/tmp/work/debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/
> tempdir/mmdebstrap.3tADUZToch/var/lib/apt/lists/partial couldn't be
> accessed by user _apt
> | I: running --setup-hook in shell: sh -c 'mkdir -p "$1/var/cache/apt/
> archives/"' exec /home/isar/isar-image/build/tmp/work/debian-trixie-
> arm64/isar-mmdebstrap-target/1.0-r0/tempdir/mmdebstrap.3tADUZToch
> | I: running --setup-hook in shell: sh -c 'flock -s /home/isar/isar-
> image/build/downloads/deb/debian-trixie.lock cp -n --no-preserve=owner \
> |                       "/home/isar/isar-image/build/tmp/work/debian-
> trixie-arm64/isar-mmdebstrap-target/1.0-r0/dl_dir/var/cache/apt/
> archives/"*.deb \
> |                       "$1/var/cache/apt/archives/" || true' exec /
> home/isar/isar-image/build/tmp/work/debian-trixie-arm64/isar-mmdebstrap-
> target/1.0-r0/tempdir/mmdebstrap.3tADUZToch
> | I: running special hook: upload "/home/isar/isar-image/build/tmp/work/
> debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/apt-preferences" /etc/
> apt/preferences.d/bootstrap
> | I: running special hook: upload "/home/isar/isar-image/build/tmp/work/
> debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/apt-sources-init" /
> etc/apt/sources-list
> | I: running special hook: upload "/home/isar/isar-image/build/tmp/work/
> debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/locale" /etc/locale
> | I: running --setup-hook in shell: sh -c 'mkdir -p "$1/etc/apt/
> trusted.gpg.d"' exec /home/isar/isar-image/build/tmp/work/debian-trixie-
> arm64/isar-mmdebstrap-target/1.0-r0/tempdir/mmdebstrap.3tADUZToch
> | I: running special hook: sync-in "/home/isar/isar-image/build/tmp/
> work/debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/trusted.gpg.d" /
> etc/apt/trusted.gpg.d
> | I: running --setup-hook in shell: sh -c 'install -v -m755 "/home/isar/
> isar-image/build/tmp/work/debian-trixie-arm64/isar-mmdebstrap-
> target/1.0-r0/chroot-setup.sh" "$1/chroot-setup.sh"' exec /home/isar/
> isar-image/build/tmp/work/debian-trixie-arm64/isar-mmdebstrap-
> target/1.0-r0/tempdir/mmdebstrap.3tADUZToch
> | '/home/isar/isar-image/build/tmp/work/debian-trixie-arm64/isar-
> mmdebstrap-target/1.0-r0/chroot-setup.sh' -> '/home/isar/isar-image/
> build/tmp/work/debian-trixie-arm64/isar-mmdebstrap-target/1.0-r0/
> tempdir/mmdebstrap.3tADUZToch/chroot-setup.sh'
> | I: running apt-get update...
> | Ign:1 https://XXXXXXXX.kumkeo.local/trixie/latest trixie InRelease
> | Get:2 http://deb.debian.org/debian trixie InRelease [140 kB]
> | Get:3 http://deb.debian.org/debian-security trixie-security InRelease
> [43.4 kB]
> | Get:4 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
> | Get:5 http://deb.debian.org/debian trixie/non-free Sources [75.9 kB]
> | Get:6 http://deb.debian.org/debian trixie/contrib Sources [52.3 kB]
> | Get:7 http://deb.debian.org/debian trixie/main Sources [10.5 MB]
> | Get:8 http://deb.debian.org/debian trixie/non-free-firmware Sources
> [6552 B]
> | Get:9 http://deb.debian.org/debian trixie/non-free-firmware arm64
> Packages [6484 B]
> | Get:10 http://deb.debian.org/debian trixie/contrib arm64 Packages
> [48.4 kB]
> | Get:11 http://deb.debian.org/debian trixie/non-free arm64 Packages
> [74.4 kB]
> | Get:12 http://deb.debian.org/debian trixie/main arm64 Packages [9607 kB]
> | Ign:1 https://XXXXXXXX.kumkeo.local/trixie/latest trixie InRelease
> | Get:13 http://deb.debian.org/debian-security trixie-security/non-free-
> firmware Sources [696 B]
> | Get:14 http://deb.debian.org/debian-security trixie-security/main
> Sources [132 kB]
> | Get:15 http://deb.debian.org/debian-security trixie-security/main
> arm64 Packages [127 kB]
> | Get:16 http://deb.debian.org/debian trixie-updates/main Sources [2788 B]
> | Get:17 http://deb.debian.org/debian trixie-updates/main arm64 Packages
> [5404 B]
> | Ign:1 https://XXXXXXXXX.kumkeo.local/trixie/latest trixie InRelease
> | Err:1 https://XXXXXXXXX.kumkeo.local/trixie/latest trixie InRelease
> |   SSL connection failed: error:0A000086:SSL routines::certificate
> verify failed / Success [IP: A.B.C.D 443]
> | Fetched 20.9 MB in 7s (2899 kB/s)
> | Reading package lists...
> | E: Failed to fetch https://XXXXX.kumkeo.local/trixie/latest/dists/
> trixie/InRelease  SSL connection failed: error:0A000086:SSL
> routines::certificate verify failed / Success [IP: A.B.C.D 443]
> | E: Some index files failed to download. They have been ignored, or old
> ones used instead.
> | E: apt-get update --error-on=any -oAPT::Status-Fd=<$fd> -oDpkg::Use-
> Pty=false failed: process exited with 100 and error in console output
> | W: hooklistener errored out: E: received eof on socket
> |
> | I: main() received signal PIPE: waiting for setup...
> | I: removing tempdir /home/isar/isar-image/build/tmp/work/debian-
> trixie-arm64/isar-mmdebstrap-target/1.0-r0/tempdir/mmdebstrap.3tADUZToch...
> | E: mmdebstrap failed to run
> ERROR: Task (mc:qemuarm64-trixie:/home/isar/isar-image/isar/meta/
> recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb:do_bootstrap)
> failed with exit code '1'
> NOTE: Tasks Summary: Attempted 136 tasks of which 135 didn't need to be
> rerun and 1 failed.
>  
> Summary: 1 task failed:
>   mc:qemuarm64-trixie:/home/isar/isar-image/isar/meta/recipes-core/isar-
> mmdebstrap/isar-mmdebstrap-target.bb:do_bootstrap
> Summary: There was 1 ERROR message, returning a non-zero exit code.
> 
> (internal hostname replaced by XXXXX, IP by A.B.C.D)
> 
> What would be the best way to inject the missing certificates into the
> bootstrapping
> process?

Bootstrapping is done within the environment of your host or kas-isar in
case you use the build container. So, one way is to enrich the
appropriate environment with that special certificate prior to starting
the build.

Another one is to explore the extension of do_apt_config_prepare of the
bootstrap class with settings for
https://manpages.debian.org/trixie/apt/apt-transport-https.1.en.html.

There is no convenient way of configuring this via Isar variables
because that case is too uncommon. Normally, one signs the repo itself,
and can thus disable/ignore transport security.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center
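
The apt-transport-https options referenced in the reply can trust a private CA for a single host while leaving verification on. The following is an added example, not code from this thread or from Isar: it writes such a per-host apt.conf fragment and audits a fragment for disabled verification. The function names, host name and file paths are assumptions, the CA path must be valid wherever apt runs during bootstrap, and how the fragment is wired into do_apt_config_prepare is not shown.

```shell
#!/bin/sh
# Added example: per-host CA trust for apt over HTTPS.
# Function names and all paths passed in are hypothetical placeholders.

# write_apt_https_conf HOST CA_PEM OUT
# Writes an apt.conf fragment to OUT that trusts CA_PEM for HOST only.
# Returns 0 on success, 2 on a bad host name, 3 if CA_PEM is not a PEM cert.
write_apt_https_conf() {
    host=$1 ca=$2 out=$3
    # The host becomes part of an apt option name: allow plain DNS names only.
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 2 ;;
    esac
    # Refuse anything that is not a readable PEM certificate file.
    [ -r "$ca" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" || return 3
    # Option names as documented in apt-transport-https(1), scoped to HOST.
    cat > "$out" <<EOF
Acquire::https::${host}::CAInfo "${ca}";
Acquire::https::${host}::Verify-Peer "true";
Acquire::https::${host}::Verify-Host "true";
EOF
}

# audit_apt_https_conf FILE
# Returns 1 if FILE switches off certificate or host name verification,
# 0 otherwise. Useful as a gate before a fragment enters the build.
audit_apt_https_conf() {
    if grep -Eiq 'Verify-(Peer|Host)[[:space:]]+"?(false|no|0)"?' "$1"; then
        return 1
    fi
    return 0
}
```
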
