live-build: can't use third party repo due to missing ca-certificates

Synthguy
Posts: 9
Joined: 2024-07-30 17:04
Has thanked: 1 time

live-build: can't use third party repo due to missing ca-certificates

#1 Post by Synthguy »

Hello all,

I'm trying to make a custom Debian live build.

I want to include the Proton VPN client in the image, but they use their own package repo.

When I include the required files under `config/archives/` and run `lb build`, the package manager complains that it can't trust the repo's SSL certificate, as the certificate authority's root certificate is not available. I believe these are normally provided by the package `ca-certificates` and located under `/usr/share/ca-certificates`.

I've tried installing `ca-certificates` into the live-build's chroot, but of course this is done after the index files are fetched, so it doesn't stop the package manager moaning about the Proton repo. I've also tried downloading the `ca-certificates` package onto my host system and extracting the certs before copying them to `config/includes.bootstrap/usr/share/`, but no dice.


W: https://repo.protonvpn.com/debian/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
W: Failed to fetch https://repo.protonvpn.com/debian/dists/stable/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 104.26.5.35 443]
Any help is much appreciated.

PS. I don't want to disable the authentication in APT :)

friendlysalmon88
Posts: 154
Joined: 2023-12-08 16:48
Location: Seattle,Wa USA
Has thanked: 7 times
Been thanked: 10 times

Re: live-build: can't use third party repo due to missing ca-certificates

#2 Post by friendlysalmon88 »

This might be something you want to mention to the support team over at Proton VPN: tell them that they might want to regenerate their GPG signature and their GPG keys. It looks like their signing certificate, from whichever certificate vendor issued them said certificates, is in ca-certificates.

fabien
Forum Helper
Posts: 1158
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 101 times
Been thanked: 264 times

Re: live-build: can't use third party repo due to missing ca-certificates

#3 Post by fabien »

Synthguy wrote (2024-11-16 17:40): I've also tried downloading the `ca-certificates` package onto my host system and extracting the certs before copying them to `config/includes.bootstrap/usr/share/`, but no dice.

Hello,
I don't know how much this helps your case, but take a look at the header of /etc/ca-certificates.conf to see how it works.


$> head -n13 /etc/ca-certificates.conf
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
!mozilla/ACEDICOM_Root.crt


$> ls -l /etc/ssl/certs/ | grep "ACCVRAIZ1"
lrwxrwxrwx 1 root root     48 May  7  2024 ACCVRAIZ1.pem -> /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
lrwxrwxrwx 1 root root     13 May  7  2024 a94d09e5.0 -> ACCVRAIZ1.pem
$> ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 213777 May  7  2024 /etc/ssl/certs/ca-certificates.crt
APT uses the certificates in /etc/ssl/certs/, which are updated by update-ca-certificates based on the contents of /usr/share/ca-certificates/ (and /usr/local/share/ca-certificates/ if you want to cleanly separate custom certificates). You need to find a way to have your custom certificate in /etc/ssl/certs/.

man 8 update-ca-certificates wrote: update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt, a concatenated single-file list of certificates.

It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted.

Synthguy wrote (2024-11-16 17:40): PS. I don't want to disable the authentication in APT :)

wise :)
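The mechanism fabien describes above, as an added example that is not part of the thread and not the real update-ca-certificates(8): a short POSIX sh re-implementation of what that tool does with /etc/ca-certificates.conf, /usr/share/ca-certificates and /usr/local/share/ca-certificates, run against a throwaway directory tree built inline. The certificate files it creates are constructed placeholders (one line of PEM-looking text each, not real certificates), and the names ACCVRAIZ1, ACEDICOM_Root, ISRG_Root_X1 and my-vendor-ca.crt are assumptions for illustration. It leaves out the hashed symlinks (a94d09e5.0 and friends) that the real tool derives with openssl, and only rebuilds the bundle and the per-certificate .pem links.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ca-certificates package.
# Emulates update-ca-certificates against a fake root so it runs without root
# and never touches the real /etc/ssl/certs. Hashed symlinks are omitted.
set -eu

# Build a fake root with the three inputs the real tool reads:
#   $root/etc/ca-certificates.conf              (selects entries under /usr/share)
#   $root/usr/share/ca-certificates/**.crt      (only used if listed in the conf)
#   $root/usr/local/share/ca-certificates/*.crt (always trusted, no conf entry)
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl/certs" \
             "$root/usr/share/ca-certificates/mozilla" \
             "$root/usr/local/share/ca-certificates"
    # Constructed placeholder "certificates" (assumed names, not real certs).
    for name in ACCVRAIZ1 ACEDICOM_Root ISRG_Root_X1; do
        printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$name" \
            > "$root/usr/share/ca-certificates/mozilla/$name.crt"
    done
    printf -- '-----BEGIN CERTIFICATE-----\nMyVendorCA\n-----END CERTIFICATE-----\n' \
        > "$root/usr/local/share/ca-certificates/my-vendor-ca.crt"
    # Same syntax as the real /etc/ca-certificates.conf: '#' comment, '!' deselect.
    cat > "$root/etc/ca-certificates.conf" <<'EOF'
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
mozilla/ACCVRAIZ1.crt
!mozilla/ACEDICOM_Root.crt
mozilla/ISRG_Root_X1.crt
EOF
    printf '%s\n' "$root"
}

# Rebuild $root/etc/ssl/certs from the inputs above.
rebuild_certs() {
    root=$1
    certs="$root/etc/ssl/certs"
    bundle="$certs/ca-certificates.crt"
    : > "$bundle.new"
    # 1) Entries from the conf file, relative to /usr/share/ca-certificates.
    #    Comment lines and '!'-deselected lines are skipped.
    grep -v '^#' "$root/etc/ca-certificates.conf" | grep -v '^!' | grep . | \
    while read -r rel; do
        crt="$root/usr/share/ca-certificates/$rel"
        [ -f "$crt" ] || { echo "warning: $rel listed but missing" >&2; continue; }
        ln -sf "$crt" "$certs/$(basename "$rel" .crt).pem"
        cat "$crt" >> "$bundle.new"
    done
    # 2) Everything under /usr/local/share/ca-certificates is trusted implicitly.
    for crt in "$root"/usr/local/share/ca-certificates/*.crt; do
        [ -f "$crt" ] || continue
        ln -sf "$crt" "$certs/$(basename "$crt" .crt).pem"
        cat "$crt" >> "$bundle.new"
    done
    # Atomic replace, so a reader of the bundle never sees a half-written file.
    mv "$bundle.new" "$bundle"
}

# Number of certificates in the generated bundle.
count_bundle() {
    grep -c 'BEGIN CERTIFICATE' "$1/etc/ssl/certs/ca-certificates.crt"
}

root=$(make_fake_root)
rebuild_certs "$root"
echo "bundle holds $(count_bundle "$root") certificates (expected 3: two selected + one local)"
ls -l "$root/etc/ssl/certs"
```

Running it shows the point fabien is making: a .crt dropped under /usr/share/ca-certificates (or copied there via config/includes.bootstrap) is inert until update-ca-certificates runs inside that root, and a deselected entry never reaches the bundle even though the file exists. For the original problem that means the ca-certificates package, whose postinst is what runs update-ca-certificates, has to be installed in the chroot before APT makes the first HTTPS fetch; the thread does not settle how to arrange that in live-build, and anything along those lines (for instance passing an include list through lb config's debootstrap options) is a suggestion to check against the lb config(1) manual, not something the posters tried.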
