OSInside / kiwi

KIWI - Appliance Builder Next Generation
https://osinside.github.io/kiwi
GNU General Public License v3.0

Curl Error 60 on official HTTPS repo #776

Closed m0Ray closed 6 years ago

m0Ray commented 6 years ago

Problem description

When building an image with update distro, I'm getting this:

[ ERROR   ]: 05:53:33 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'https://download.opensuse.org/update/leap/15.0/oss/noarch/exo-branding-openSUSE-4.12.0-lp150.5.3.1.noarch.rpm':
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

If I change repo "source" protocol from HTTPS to HTTP, error is gone and build completes normally.

When I try to download this package manually from the command line, this error does not occur and the package is downloaded OK.

IMHO, "ca-certificates" system package is somehow broken inside the build environment.

Expected behaviour

Normal build.

Steps to reproduce the behaviour

1) Get standard Leap 15.0 JeOS description.
2) Add

    <repository type="rpm-md" alias="Leap_15_0_update" imageinclude="true">
        <source path="https://download.opensuse.org/update/leap/15.0/oss/"/>
    </repository>

   to its config.xml
3) Add <package name="patterns-xfce-xfce"/> and <package name="xorg-x11-server"/> to that config.xml
4) Try to build any image (I tried "--type iso", "--type vmx" and "--type oem" - no luck)

OS and Software information

schaefi commented 6 years ago

SSL certificate problem: unable to get local issuer certificate

This is most likely caused by not having the server certs installed in an early phase (bootstrap) such that the operation inside of the chroot cannot find it. That's why we use the following in our image descriptions:

<packages type="bootstrap">
    <package name="udev"/>
    <package name="filesystem"/>
    <package name="glibc-locale"/>
    <package name="cracklib-dict-full"/>
    <package name="ca-certificates"/>
    <package name="openSUSE-release"/>
</packages>

Also see:

m0Ray commented 6 years ago

But I have <package name="ca-certificates"/> both in "bootstrap" and "image" sections. No luck. I took the config.xml file directly from that link.

schaefi commented 6 years ago

Hmm, ok that must be something different then

schaefi commented 6 years ago

I tried to reproduce this as follows:

rm -rf /var/cache/kiwi

next I changed suse/x86_64/suse-leap-15.0-JeOS/config.xml with

<repository type="rpm-md" alias="Leap_15_0_update" imageinclude="true">
    <source path="obs://openSUSE:Leap:15.0:Update/standard"/>
</repository>

...

<packages type="image">
    <package name="patterns-xfce-xfce"/>
    <package name="xorg-x11-server"/>
    ...

After that I built the image and it worked for me.

Maybe an outdated package from the cache was used?

m0Ray commented 6 years ago

I see directly the opposite. When the package is in cache (previously downloaded via HTTP), the error does not occur.

Here cache is filled from HTTP repo:

yazz:/home/m0ray/Work/TTS/KIWI # ./build_TTS.sh
[ INFO    ]: 22:52:14 | Loading XML description
[ INFO    ]: 22:52:14 | --> loaded TTS/config.xml
[ INFO    ]: 22:52:14 | --> Selected build type: iso
[ INFO    ]: 22:52:15 | Preparing new root system
[ INFO    ]: 22:52:15 | Setup root directory: /home/m0ray/Work/TTS/KIWI/TTS/iso/build/image-root
[ INFO    ]: 22:52:15 | Setting up repository obs://Virtualization:Appliances:Builder/openSUSE_Leap_15.0
[ INFO    ]: 22:52:15 | --> Type: rpm-md
[ INFO    ]: 22:52:15 | --> Priority: 1
[ INFO    ]: 22:52:15 | --> Translated: http://download.opensuse.org/repositories/Virtualization:/Appliances:/Builder/openSUSE_Leap_15.0/
[ INFO    ]: 22:52:15 | --> Alias: kiwi
[ INFO    ]: 22:52:16 | Setting up repository obs://openSUSE:Leap:15.0/standard
[ INFO    ]: 22:52:16 | --> Type: rpm-md
[ INFO    ]: 22:52:16 | --> Translated: http://download.opensuse.org/distribution/leap/15.0/repo/oss/
[ INFO    ]: 22:52:16 | --> Alias: Leap_15_0
[ INFO    ]: 22:52:17 | Setting up repository https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 22:52:17 | --> Type: rpm-md
[ INFO    ]: 22:52:17 | --> Translated: https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 22:52:17 | --> Alias: Leap_15_0_update
[ INFO    ]: 22:52:17 | Using package manager backend: zypper
[ INFO    ]: 22:52:17 | Installing bootstrap packages
[ INFO    ]: 22:52:17 | --> collection type: onlyRequired
[ INFO    ]: 22:52:17 | --> package: ca-certificates
[ INFO    ]: 22:52:17 | --> package: cracklib-dict-full
[ INFO    ]: 22:52:17 | --> package: filesystem
[ INFO    ]: 22:52:17 | --> package: glibc-locale
[ INFO    ]: 22:52:17 | --> package: openSUSE-release
[ INFO    ]: 22:52:17 | --> package: udev
[ INFO    ]: 22:52:17 | --> package: zypper
[ INFO    ]: Processing: [########################################] 100%
[ INFO    ]: 22:53:26 | Installing system (chroot) for build type: iso
[ INFO    ]: 22:53:26 | --> collection type: onlyRequired
[ INFO    ]: 22:53:26 | --> package: 
[ INFO    ]: 22:53:26 | --> package: NetworkManager
[ INFO    ]: 22:53:26 | --> package: NetworkManager-lang
[ INFO    ]: 22:53:26 | --> package: NetworkManager-openvpn
[ INFO    ]: 22:53:26 | --> package: NetworkManager-openvpn-lang
[ INFO    ]: 22:53:26 | --> package: bash-completion
[ INFO    ]: 22:53:26 | --> package: ca-certificates
[ INFO    ]: 22:53:26 | --> package: checkmedia
[ INFO    ]: 22:53:26 | --> package: dhcp-client
[ INFO    ]: 22:53:26 | --> package: dhcp-server
[ INFO    ]: 22:53:26 | --> package: dracut-kiwi-live
[ INFO    ]: 22:53:26 | --> package: fontconfig
[ INFO    ]: 22:53:26 | --> package: fonts-config
[ INFO    ]: 22:53:26 | --> package: gfxboot-branding-openSUSE
[ INFO    ]: 22:53:26 | --> package: gimp
[ INFO    ]: 22:53:26 | --> package: gimp-lang
[ INFO    ]: 22:53:26 | --> package: grub2
[ INFO    ]: 22:53:26 | --> package: grub2-branding-openSUSE
[ INFO    ]: 22:53:26 | --> package: grub2-i386-pc
[ INFO    ]: 22:53:26 | --> package: grub2-x86_64-efi
[ INFO    ]: 22:53:26 | --> package: ifplugd
[ INFO    ]: 22:53:26 | --> package: inkscape
[ INFO    ]: 22:53:26 | --> package: inkscape-lang
[ INFO    ]: 22:53:26 | --> package: iproute2
[ INFO    ]: 22:53:26 | --> package: iputils
[ INFO    ]: 22:53:26 | --> package: kernel-default
[ INFO    ]: 22:53:26 | --> package: less
[ INFO    ]: 22:53:26 | --> package: libreoffice-calc
[ INFO    ]: 22:53:26 | --> package: libreoffice-calc-extensions
[ INFO    ]: 22:53:26 | --> package: libreoffice-draw
[ INFO    ]: 22:53:26 | --> package: libreoffice-impress
[ INFO    ]: 22:53:26 | --> package: libreoffice-l10n-ru
[ INFO    ]: 22:53:26 | --> package: libreoffice-mailmerge
[ INFO    ]: 22:53:26 | --> package: libreoffice-math
[ INFO    ]: 22:53:26 | --> package: libreoffice-writer
[ INFO    ]: 22:53:26 | --> package: libreoffice-writer-extensions
[ INFO    ]: 22:53:26 | --> package: libxfce4ui-lang
[ INFO    ]: 22:53:26 | --> package: libxfce4util-lang
[ INFO    ]: 22:53:26 | --> package: lightdm
[ INFO    ]: 22:53:26 | --> package: lvm2
[ INFO    ]: 22:53:26 | --> package: mc
[ INFO    ]: 22:53:26 | --> package: mosquitto
[ INFO    ]: 22:53:26 | --> package: openssh
[ INFO    ]: 22:53:26 | --> package: parted
[ INFO    ]: 22:53:26 | --> package: patterns-openSUSE-base
[ INFO    ]: 22:53:26 | --> package: patterns-xfce-xfce
[ INFO    ]: 22:53:26 | --> package: patterns-xfce-xfce_laptop
[ INFO    ]: 22:53:26 | --> package: plymouth
[ INFO    ]: 22:53:26 | --> package: plymouth-branding-openSUSE
[ INFO    ]: 22:53:26 | --> package: plymouth-dracut
[ INFO    ]: 22:53:26 | --> package: python3
[ INFO    ]: 22:53:26 | --> package: python3-Jinja2
[ INFO    ]: 22:53:26 | --> package: python3-gobject-Gdk
[ INFO    ]: 22:53:26 | --> package: python3-gobject-cairo
[ INFO    ]: 22:53:26 | --> package: python3-numpy
[ INFO    ]: 22:53:26 | --> package: python3-opencv
[ INFO    ]: 22:53:26 | --> package: python3-paho-mqtt
[ INFO    ]: 22:53:26 | --> package: python3-pip
[ INFO    ]: 22:53:26 | --> package: rsync
[ INFO    ]: 22:53:26 | --> package: setxkbmap
[ INFO    ]: 22:53:26 | --> package: shim
[ INFO    ]: 22:53:26 | --> package: sudo
[ INFO    ]: 22:53:26 | --> package: syslinux
[ INFO    ]: 22:53:26 | --> package: tar
[ INFO    ]: 22:53:26 | --> package: timezone
[ INFO    ]: 22:53:26 | --> package: vim
[ INFO    ]: 22:53:26 | --> package: virtualbox-guest-kmp-default
[ INFO    ]: 22:53:26 | --> package: virtualbox-guest-tools
[ INFO    ]: 22:53:26 | --> package: virtualbox-guest-x11
[ INFO    ]: 22:53:26 | --> package: which
[ INFO    ]: 22:53:26 | --> package: xfce4-appfinder-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-dict-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-mixer-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-notifyd-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-battery-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-clipman-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-cpufreq-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-cpugraph-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-datetime-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-diskperf-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-eyes-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-fsguard-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-genmon-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-mailwatch-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-mount-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-mpc-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-netload-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-notes-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-places-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-pulseaudio-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-sensors-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-smartbookmark-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-systemload-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-timeout-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-timer-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-verve-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-wavelan-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-weather-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-whiskermenu-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-panel-plugin-xkb-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-power-manager-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-screenshooter-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-session-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-settings-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-taskmanager-lang
[ INFO    ]: 22:53:26 | --> package: xfce4-terminal-lang
[ INFO    ]: 22:53:26 | --> package: xorg-x11-server
[ INFO    ]: 22:53:26 | --> package: yast2
[ INFO    ]: 22:53:26 | --> package: yast2-dhcp-server
[ INFO    ]: Processing: [####################################    ] 91%
[ INFO    ]: Processing: [########################################] 100%
[ INFO    ]: 23:02:47 | Creating .profile environment
[ INFO    ]: 23:02:47 | Importing Image description to system tree
[ INFO    ]: 23:02:47 | --> Importing state XML description as image/config.xml
[ INFO    ]: 23:02:47 | --> Importing config.sh script as image/config.sh
[ INFO    ]: 23:02:47 | --> Importing script helper functions
[ INFO    ]: 23:02:47 | Copying user defined files to image tree
[ INFO    ]: 23:02:49 | Setting up user root
[ INFO    ]: 23:02:49 | --> Modifying user: root [root]
[ INFO    ]: 23:02:50 | Setting up user tts
[ INFO    ]: 23:02:50 | --> Adding user: tts [users]
[ INFO    ]: 23:02:50 | --> Setting permissions for /home/tts
[ INFO    ]: 23:02:50 | Setting up keytable: ru_winkeys
[ INFO    ]: 23:02:50 | Setting up locale: ru_RU
[ INFO    ]: 23:02:51 | Setting up timezone: Europe/Samara
[ INFO    ]: 23:02:51 | Setting up image repository obs://openSUSE:Leap:15.0/standard
[ INFO    ]: 23:02:51 | --> Type: rpm-md
[ INFO    ]: 23:02:51 | --> Translated: http://download.opensuse.org/distribution/leap/15.0/repo/oss/
[ INFO    ]: 23:02:51 | --> Alias: Leap_15_0
[ INFO    ]: 23:02:52 | Setting up image repository https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 23:02:52 | --> Type: rpm-md
[ INFO    ]: 23:02:52 | --> Translated: https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 23:02:52 | --> Alias: Leap_15_0_update
[ INFO    ]: 23:02:52 | Calling config.sh script
[ INFO    ]: 23:02:53 | Cleaning up SystemPrepare instance
[ WARNING ]: 23:02:53 | Path /home/m0ray/Work/TTS/KIWI/TTS/iso/build/image-root/sys not a mountpoint
[ WARNING ]: 23:02:54 | Path /home/m0ray/Work/TTS/KIWI/TTS/iso/build/image-root/proc not a mountpoint
[ WARNING ]: 23:02:54 | Failed to remove directory /var/cache/kiwi: rmdir: stderr: rmdir: не удалось удалить '/home'
, stdout: (no output on stdout)
[ INFO    ]: 23:02:54 | Creating system image
[ INFO    ]: 23:02:54 | Using following live ISO metadata:
[ INFO    ]: 23:02:54 | --> Application id: 0x4f11ddea
[ INFO    ]: 23:02:54 | --> Publisher: SUSE LINUX GmbH
[ INFO    ]: 23:02:54 | --> Volume id: CDROM
[ INFO    ]: 23:02:54 | Packing system into dracut live ISO type: overlay
[ INFO    ]: 23:03:28 | Using calculated size: 3525 MB
[ INFO    ]: 23:03:28 | --> Syncing data to ext4 root image
[ INFO    ]: 23:07:40 | --> Creating squashfs container for root image
[ INFO    ]: 23:15:06 | Setting up isolinux bootloader configuration
[ WARNING ]: 23:15:06 | root=UUID=<uuid> setup requested, but uuid is not provided
[ INFO    ]: 23:15:08 | Creating isolinux live ISO config file from template
[ INFO    ]: 23:15:08 | --> Using standard ISO template
[ INFO    ]: 23:15:08 | Writing isolinux.cfg file
[ INFO    ]: 23:15:08 | Setting up EFI grub bootloader configuration
[ INFO    ]: 23:15:08 | Creating grub2 bootloader images
[ INFO    ]: 23:15:08 | --> Creating identifier file 0x4f11ddea
[ INFO    ]: 23:15:10 | --> Creating unsigned efi image
[ INFO    ]: 23:15:11 | Creating grub2 live ISO config file from template
[ WARNING ]: 23:15:11 | root=UUID=<uuid> setup requested, but uuid is not provided
[ INFO    ]: 23:15:11 | --> Using standard boot template
[ INFO    ]: 23:15:11 | Writing grub.cfg file
[ INFO    ]: 23:15:11 | Writing /home/m0ray/Work/TTS/KIWI/TTS/iso/live-media.qk778so1/EFI/BOOT/grub.cfg file to be found by EFI firmware
[ INFO    ]: 23:15:11 | Writing grub2 defaults file
[ INFO    ]: 23:15:11 | Writing sysconfig bootloader file
[ INFO    ]: 23:15:11 | Creating live ISO boot image
[ INFO    ]: 23:15:11 | Creating generic dracut initrd archive
[ INFO    ]: 23:16:44 | Setting up kernel file(s) and boot image in ISO boot layout
[ INFO    ]: 23:16:44 | Creating live ISO image
[ INFO    ]: 23:17:07 | Export rpm packages metadata
[ INFO    ]: 23:17:11 | Export rpm verification metadata
[ INFO    ]: 23:20:24 | Cleaning up FileSystemExt4 instance
[ INFO    ]: 23:20:24 | Cleaning up LoopDevice instance
[ INFO    ]: 23:20:24 | Result files:
[ INFO    ]: 23:20:24 | --> image_packages: /home/m0ray/Work/TTS/KIWI/TTS/iso/TTS-Leap-15.0.x86_64-1.15.0.packages
[ INFO    ]: 23:20:24 | --> image_verified: /home/m0ray/Work/TTS/KIWI/TTS/iso/TTS-Leap-15.0.x86_64-1.15.0.verified
[ INFO    ]: 23:20:24 | --> live_image: /home/m0ray/Work/TTS/KIWI/TTS/iso/TTS-Leap-15.0.x86_64-1.15.0.iso
[ INFO    ]: 23:20:24 | Cleaning up LiveImageBuilder instance
[ INFO    ]: 23:20:25 | Cleaning up BootImageDracut instance

And then, clearing the cache and repeating the procedure:

yazz:/home/m0ray/Work/TTS/KIWI # rm -rf /var/cache/kiwi
yazz:/home/m0ray/Work/TTS/KIWI # ./build_TTS.sh        
[ INFO    ]: 23:20:59 | Loading XML description
[ INFO    ]: 23:20:59 | --> loaded TTS/config.xml
[ INFO    ]: 23:20:59 | --> Selected build type: iso
[ INFO    ]: 23:20:59 | Preparing new root system
[ INFO    ]: 23:20:59 | Setup root directory: /home/m0ray/Work/TTS/KIWI/TTS/iso/build/image-root
[ INFO    ]: 23:20:59 | Setting up repository obs://Virtualization:Appliances:Builder/openSUSE_Leap_15.0
[ INFO    ]: 23:20:59 | --> Type: rpm-md
[ INFO    ]: 23:20:59 | --> Priority: 1
[ INFO    ]: 23:20:59 | --> Translated: http://download.opensuse.org/repositories/Virtualization:/Appliances:/Builder/openSUSE_Leap_15.0/
[ INFO    ]: 23:20:59 | --> Alias: kiwi
[ INFO    ]: 23:21:06 | Setting up repository obs://openSUSE:Leap:15.0/standard
[ INFO    ]: 23:21:06 | --> Type: rpm-md
[ INFO    ]: 23:21:06 | --> Translated: http://download.opensuse.org/distribution/leap/15.0/repo/oss/
[ INFO    ]: 23:21:06 | --> Alias: Leap_15_0
[ INFO    ]: 23:21:06 | Setting up repository https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 23:21:06 | --> Type: rpm-md
[ INFO    ]: 23:21:06 | --> Translated: https://download.opensuse.org/update/leap/15.0/oss/
[ INFO    ]: 23:21:06 | --> Alias: Leap_15_0_update
[ INFO    ]: 23:21:06 | Using package manager backend: zypper
[ INFO    ]: 23:21:06 | Installing bootstrap packages
[ INFO    ]: 23:21:06 | --> collection type: onlyRequired
[ INFO    ]: 23:21:06 | --> package: ca-certificates
[ INFO    ]: 23:21:06 | --> package: cracklib-dict-full
[ INFO    ]: 23:21:06 | --> package: filesystem
[ INFO    ]: 23:21:06 | --> package: glibc-locale
[ INFO    ]: 23:21:06 | --> package: openSUSE-release
[ INFO    ]: 23:21:06 | --> package: udev
[ INFO    ]: 23:21:06 | --> package: zypper
[ INFO    ]: Processing: [########################################] 100%
[ INFO    ]: 23:24:32 | Installing system (chroot) for build type: iso
[ INFO    ]: 23:24:32 | --> collection type: onlyRequired
[ INFO    ]: 23:24:32 | --> package: 
[ INFO    ]: 23:24:32 | --> package: NetworkManager
[ INFO    ]: 23:24:32 | --> package: NetworkManager-lang
[ INFO    ]: 23:24:32 | --> package: NetworkManager-openvpn
[ INFO    ]: 23:24:32 | --> package: NetworkManager-openvpn-lang
[ INFO    ]: 23:24:32 | --> package: bash-completion
[ INFO    ]: 23:24:32 | --> package: ca-certificates
[ INFO    ]: 23:24:32 | --> package: checkmedia
[ INFO    ]: 23:24:32 | --> package: dhcp-client
[ INFO    ]: 23:24:32 | --> package: dhcp-server
[ INFO    ]: 23:24:32 | --> package: dracut-kiwi-live
[ INFO    ]: 23:24:32 | --> package: fontconfig
[ INFO    ]: 23:24:32 | --> package: fonts-config
[ INFO    ]: 23:24:32 | --> package: gfxboot-branding-openSUSE
[ INFO    ]: 23:24:32 | --> package: gimp
[ INFO    ]: 23:24:32 | --> package: gimp-lang
[ INFO    ]: 23:24:32 | --> package: grub2
[ INFO    ]: 23:24:32 | --> package: grub2-branding-openSUSE
[ INFO    ]: 23:24:32 | --> package: grub2-i386-pc
[ INFO    ]: 23:24:32 | --> package: grub2-x86_64-efi
[ INFO    ]: 23:24:32 | --> package: ifplugd
[ INFO    ]: 23:24:32 | --> package: inkscape
[ INFO    ]: 23:24:32 | --> package: inkscape-lang
[ INFO    ]: 23:24:32 | --> package: iproute2
[ INFO    ]: 23:24:32 | --> package: iputils
[ INFO    ]: 23:24:32 | --> package: kernel-default
[ INFO    ]: 23:24:32 | --> package: less
[ INFO    ]: 23:24:32 | --> package: libreoffice-calc
[ INFO    ]: 23:24:32 | --> package: libreoffice-calc-extensions
[ INFO    ]: 23:24:32 | --> package: libreoffice-draw
[ INFO    ]: 23:24:32 | --> package: libreoffice-impress
[ INFO    ]: 23:24:32 | --> package: libreoffice-l10n-ru
[ INFO    ]: 23:24:32 | --> package: libreoffice-mailmerge
[ INFO    ]: 23:24:32 | --> package: libreoffice-math
[ INFO    ]: 23:24:32 | --> package: libreoffice-writer
[ INFO    ]: 23:24:32 | --> package: libreoffice-writer-extensions
[ INFO    ]: 23:24:32 | --> package: libxfce4ui-lang
[ INFO    ]: 23:24:32 | --> package: libxfce4util-lang
[ INFO    ]: 23:24:32 | --> package: lightdm
[ INFO    ]: 23:24:32 | --> package: lvm2
[ INFO    ]: 23:24:32 | --> package: mc
[ INFO    ]: 23:24:32 | --> package: mosquitto
[ INFO    ]: 23:24:32 | --> package: openssh
[ INFO    ]: 23:24:32 | --> package: parted
[ INFO    ]: 23:24:32 | --> package: patterns-openSUSE-base
[ INFO    ]: 23:24:32 | --> package: patterns-xfce-xfce
[ INFO    ]: 23:24:32 | --> package: patterns-xfce-xfce_laptop
[ INFO    ]: 23:24:32 | --> package: plymouth
[ INFO    ]: 23:24:32 | --> package: plymouth-branding-openSUSE
[ INFO    ]: 23:24:32 | --> package: plymouth-dracut
[ INFO    ]: 23:24:32 | --> package: python3
[ INFO    ]: 23:24:32 | --> package: python3-Jinja2
[ INFO    ]: 23:24:32 | --> package: python3-gobject-Gdk
[ INFO    ]: 23:24:32 | --> package: python3-gobject-cairo
[ INFO    ]: 23:24:32 | --> package: python3-numpy
[ INFO    ]: 23:24:32 | --> package: python3-opencv
[ INFO    ]: 23:24:32 | --> package: python3-paho-mqtt
[ INFO    ]: 23:24:32 | --> package: python3-pip
[ INFO    ]: 23:24:32 | --> package: rsync
[ INFO    ]: 23:24:32 | --> package: setxkbmap
[ INFO    ]: 23:24:32 | --> package: shim
[ INFO    ]: 23:24:32 | --> package: sudo
[ INFO    ]: 23:24:32 | --> package: syslinux
[ INFO    ]: 23:24:32 | --> package: tar
[ INFO    ]: 23:24:32 | --> package: timezone
[ INFO    ]: 23:24:32 | --> package: vim
[ INFO    ]: 23:24:32 | --> package: virtualbox-guest-kmp-default
[ INFO    ]: 23:24:32 | --> package: virtualbox-guest-tools
[ INFO    ]: 23:24:32 | --> package: virtualbox-guest-x11
[ INFO    ]: 23:24:32 | --> package: which
[ INFO    ]: 23:24:32 | --> package: xfce4-appfinder-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-dict-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-mixer-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-notifyd-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-battery-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-clipman-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-cpufreq-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-cpugraph-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-datetime-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-diskperf-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-eyes-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-fsguard-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-genmon-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-mailwatch-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-mount-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-mpc-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-netload-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-notes-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-places-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-pulseaudio-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-sensors-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-smartbookmark-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-systemload-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-timeout-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-timer-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-verve-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-wavelan-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-weather-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-whiskermenu-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-panel-plugin-xkb-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-power-manager-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-screenshooter-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-session-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-settings-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-taskmanager-lang
[ INFO    ]: 23:24:32 | --> package: xfce4-terminal-lang
[ INFO    ]: 23:24:32 | --> package: xorg-x11-server
[ INFO    ]: 23:24:32 | --> package: yast2
[ INFO    ]: 23:24:32 | --> package: yast2-dhcp-server
[ INFO    ]: Processing: [########################################] 100%
[ ERROR   ]: 23:31:54 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'https://download.opensuse.org/update/leap/15.0/oss/noarch/exo-branding-openSUSE-4.12.0-lp150.5.3.1.noarch.rpm':
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

Problem occurred during or after installation or removal of packages:
Installation aborted by user
Please see the above error message for a hint.

[ INFO    ]: 23:31:54 | Cleaning up SystemPrepare instance
[ WARNING ]: 23:31:54 | Failed to remove directory /var/cache/kiwi: rmdir: stderr: rmdir: не удалось удалить '/home'
, stdout: (no output on stdout)
yazz:/home/m0ray/Work/TTS/KIWI # uname -a
Linux yazz.m0ray.net 4.17.3-1-default #1 SMP PREEMPT Tue Jun 26 06:45:20 UTC 2018 (e8dc1b5) x86_64 x86_64 x86_64 GNU/Linux
yazz:/home/m0ray/Work/TTS/KIWI # cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20180703"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20180703"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20180703"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
yazz:/home/m0ray/Work/TTS/KIWI # kiwi --version
KIWI (next generation) version 9.15.2

"build_TTS.sh":

#!/bin/sh

rm -rf TTS/iso/build
kiwi \
   --type iso \
   system build \
   --description TTS \
   --target-dir TTS/iso

"config.xml":

<?xml version="1.0" encoding="utf-8"?>

<image schemaversion="6.8" name="TTS-Leap-15.0">
    <description type="system">
        <author>Dmitry Kirilin</author>
        <contact>m0ray@tactic.online</contact>
        <specification>
            TTS Operator Software, based on OpenSuSE Leap 15.0
        </specification>
    </description>
    <preferences>
        <type image="iso" primary="true" flags="overlay" hybrid="true" firmware="efi" kernelcmdline="splash" hybridpersistent_filesystem="ext4" hybridpersistent="true" mediacheck="true"/>
        <version>1.15.0</version>
        <packagemanager>zypper</packagemanager>
        <locale>ru_RU</locale>
        <keytable>ru_winkeys</keytable>
        <timezone>Europe/Samara</timezone>
        <rpm-excludedocs>true</rpm-excludedocs>
        <rpm-check-signatures>false</rpm-check-signatures>
        <bootsplash-theme>openSUSE</bootsplash-theme>
        <bootloader-theme>openSUSE</bootloader-theme>
    </preferences>
    <preferences>
        <type image="vmx" filesystem="ext4" bootloader="grub2" kernelcmdline="splash" firmware="efi"/>
        <type image="oem" filesystem="ext4" initrd_system="dracut" installiso="true" bootloader="grub2" kernelcmdline="splash" firmware="efi">
            <oemconfig>
                <oem-systemsize>2048</oem-systemsize>
                <oem-swap>true</oem-swap>
                <oem-device-filter>/dev/ram</oem-device-filter>
                <oem-multipath-scan>false</oem-multipath-scan>
            </oemconfig>
            <machine memory="512" guestOS="suse" HWversion="4">
                <vmdisk id="0" controller="ide"/>
                <vmnic driver="e1000" interface="0" mode="bridged"/>
            </machine>
        </type>
    </preferences>
    <users>
        <user password="$1$eMSNGr.o$2os4QAJNgbARh.hyRJ7UW1" home="/root" name="root" groups="root"/>
        <user password="$1$KHiqY4Jm$MwzMJdrKO3N6hrIDqoDqr/" home="/home/tts" name="tts" realname="TTS" groups="users"/>
    </users>
    <repository type="rpm-md" alias="kiwi" priority="1">
        <source path="obs://Virtualization:Appliances:Builder/openSUSE_Leap_15.0"/>
    </repository>
    <repository type="rpm-md" alias="Leap_15_0" imageinclude="true">
        <source path="obs://openSUSE:Leap:15.0/standard"/>
    </repository>
    <repository type="rpm-md" alias="Leap_15_0_update" imageinclude="true">
        <source path="https://download.opensuse.org/update/leap/15.0/oss/"/>
    </repository>
    <packages type="image">
        <package name="ca-certificates"/>
        <package name="checkmedia"/>
        <package name="patterns-openSUSE-base"/>

        <package name="xorg-x11-server"/>
        <package name="setxkbmap"/>

        <!-- For Oracle VirtualBox testing -->
        <package name="virtualbox-guest-kmp-default"/>
        <package name="virtualbox-guest-x11"/>
        <package name="virtualbox-guest-tools"/>

        <package name="lightdm"/>
        <package name="patterns-xfce-xfce"/>
        <package name="patterns-xfce-xfce_laptop"/>

        <package name="plymouth-branding-openSUSE"/>
        <package name="plymouth-dracut"/>
        <package name="grub2-branding-openSUSE"/>
        <package name="ifplugd"/>
        <package name="iputils"/>
        <package name="vim"/>
        <package name="grub2"/>
        <package name="grub2-x86_64-efi" arch="x86_64"/>
        <package name="grub2-i386-pc"/>
        <package name="syslinux"/>
        <package name="lvm2"/>
        <package name="plymouth"/>
        <package name="fontconfig"/>
        <package name="fonts-config"/>
        <package name="tar"/>
        <package name="parted"/>
        <package name="openssh"/>
        <package name="iproute2"/>
        <package name="less"/>
        <package name="bash-completion"/>
        <package name="dhcp-client"/>
        <package name="which"/>
        <package name="shim"/>
        <package name="kernel-default"/>
        <package name="timezone"/>
        <package name="sudo"/>

        <package name="NetworkManager"/>
        <package name="NetworkManager-openvpn"/>

        <package name="yast2"/>
        <package name="yast2-dhcp-server"/>
        <package name="dhcp-server"/>

        <!-- User stuff -->
        <package name="mc"/>
        <package name="gimp"/>
        <package name="inkscape"/>

        <!-- LibreOffice -->
        <package name="libreoffice-writer"/>
        <package name="libreoffice-writer-extensions"/>
        <package name="libreoffice-calc"/>
        <package name="libreoffice-calc-extensions"/>
        <package name="libreoffice-mailmerge"/>
        <package name="libreoffice-math"/>
        <package name="libreoffice-impress"/>
        <package name="libreoffice-draw"/>
        <package name=""/>
        <package name=""/>

        <!-- Russian and other languages -->

        <package name="libxfce4ui-lang"/>
        <package name="libxfce4util-lang"/>
        <package name="xfce4-appfinder-lang"/>
        <package name="xfce4-dict-lang"/>
        <package name="xfce4-mixer-lang"/>
        <package name="xfce4-notifyd-lang"/>
        <package name="xfce4-panel-lang"/>
        <package name="xfce4-panel-plugin-battery-lang"/>
        <package name="xfce4-panel-plugin-clipman-lang"/>
        <package name="xfce4-panel-plugin-cpufreq-lang"/>
        <package name="xfce4-panel-plugin-cpugraph-lang"/>
        <package name="xfce4-panel-plugin-datetime-lang"/>
        <package name="xfce4-panel-plugin-diskperf-lang"/>
        <package name="xfce4-panel-plugin-eyes-lang"/>
        <package name="xfce4-panel-plugin-fsguard-lang"/>
        <package name="xfce4-panel-plugin-genmon-lang"/>
        <package name="xfce4-panel-plugin-mailwatch-lang"/>
        <package name="xfce4-panel-plugin-mount-lang"/>
        <package name="xfce4-panel-plugin-mpc-lang"/>
        <package name="xfce4-panel-plugin-netload-lang"/>
        <package name="xfce4-panel-plugin-notes-lang"/>
        <package name="xfce4-panel-plugin-places-lang"/>
        <package name="xfce4-panel-plugin-pulseaudio-lang"/>
        <package name="xfce4-panel-plugin-sensors-lang"/>
        <package name="xfce4-panel-plugin-smartbookmark-lang"/>
        <package name="xfce4-panel-plugin-systemload-lang"/>
        <package name="xfce4-panel-plugin-timeout-lang"/>
        <package name="xfce4-panel-plugin-timer-lang"/>
        <package name="xfce4-panel-plugin-verve-lang"/>
        <package name="xfce4-panel-plugin-wavelan-lang"/>
        <package name="xfce4-panel-plugin-weather-lang"/>
        <package name="xfce4-panel-plugin-whiskermenu-lang"/>
        <package name="xfce4-panel-plugin-xkb-lang"/>           
        <package name="xfce4-power-manager-lang"/>        
        <package name="xfce4-screenshooter-lang"/>
        <package name="xfce4-session-lang"/>
        <package name="xfce4-settings-lang"/>
        <package name="xfce4-taskmanager-lang"/>
        <package name="xfce4-terminal-lang"/>

        <package name="NetworkManager-lang"/>
        <package name="NetworkManager-openvpn-lang"/>

        <package name="gimp-lang"/>
        <package name="inkscape-lang"/>

        <package name="libreoffice-l10n-ru"/>

        <!-- TTS OpSys specific -->
        <package name="python3"/>
        <package name="python3-opencv"/>
        <package name="python3-paho-mqtt"/>
        <package name="python3-Jinja2"/>
        <package name="python3-opencv"/>
        <package name="python3-numpy"/>
        <package name="python3-gobject-Gdk"/>
        <package name="python3-gobject-cairo"/>
        <package name="python3-pip"/>
        <package name="mosquitto"/>
        <package name="rsync"/>

    </packages>
    <packages type="iso">
        <package name="gfxboot-branding-openSUSE"/>
        <package name="dracut-kiwi-live"/>
    </packages>
    <packages type="oem">
        <package name="gfxboot-branding-openSUSE"/>
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
    <packages type="bootstrap">
        <package name="udev"/>
        <package name="filesystem"/>
        <package name="glibc-locale"/>
        <package name="cracklib-dict-full"/>
        <package name="ca-certificates"/>
        <package name="openSUSE-release"/>
    </packages>
</image>

The same thing on a freshly installed Leap 15.0.

m0Ray commented 6 years ago

Just realized that you are using "obs://" URL scheme, that is finally translated into HTTP. But I use explicit "https://". I am building images on my laptop, not OBS server, and want to download packages in a secure way. Ahem... Was KIWI ever tested on real HTTPS?

schaefi commented 6 years ago

OK, I was able to reproduce it. ca-certificates is not enough here. Add the following in the bootstrap section of your XML description:

<package name="ca-certificates-cacert"/>
<package name="ca-certificates-mozilla"/>

That makes sure all required rootCA certs exist also for the curl use case.

Feel free to re-open if it does not work for you
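A lint for the fix described in this comment, as an added example that is not part of the thread or of KIWI's own code: it parses a description, finds repositories with an explicit https:// source, and reports which of the three CA packages named here are absent from the bootstrap section. The sample description is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# CA packages this thread names as needed at bootstrap time for https:// repos
REQUIRED_CA_PACKAGES = ("ca-certificates", "ca-certificates-cacert",
                        "ca-certificates-mozilla")

# Constructed sample description (not the reporter's file); note that
# ca-certificates-mozilla sits in the image section, not in bootstrap.
SAMPLE_CONFIG = """<image name="constructed-sample">
    <repository type="rpm-md" alias="Leap_15_0_update" imageinclude="true">
        <source path="https://download.opensuse.org/update/leap/15.0/oss/"/>
    </repository>
    <packages type="image">
        <package name="ca-certificates-mozilla"/>
    </packages>
    <packages type="bootstrap">
        <package name="udev"/>
        <package name="filesystem"/>
        <package name="ca-certificates"/>
    </packages>
</image>"""


def https_repositories(root):
    """Return (alias, path) for each repository with an explicit https:// source."""
    return [(repo.get("alias", ""), src.get("path", ""))
            for repo in root.iter("repository")
            for src in repo.iter("source")
            if src.get("path", "").lower().startswith("https://")]


def bootstrap_packages(root):
    """Collect package names from every <packages type="bootstrap"> section."""
    return {pkg.get("name") for section in root.iter("packages")
            if section.get("type") == "bootstrap"
            for pkg in section.iter("package") if pkg.get("name")}


def missing_ca_packages(xml_text):
    """List CA packages absent from bootstrap; empty if no https:// repo is used."""
    root = ET.fromstring(xml_text)
    if not https_repositories(root):
        return []
    present = bootstrap_packages(root)
    return [name for name in REQUIRED_CA_PACKAGES if name not in present]


if __name__ == "__main__":
    print(missing_ca_packages(SAMPLE_CONFIG))
```

A CA package listed only in the image section does not count, because the packages fetched over HTTPS during that phase are downloaded before it is installed.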

schaefi commented 6 years ago

As a side note we mostly use the obs:// schema to allow building of the image in and outside of the obs service without being required to change the repository setup. You are right that always resolves into http urls. The concern for a secure connection is imho valid if proprietary software packages are loaded, which is not the case for the examples we provide. What weighs more here is imho the trust for the source repo which is checked by the package signature on the package manager level.

I fully agree https repos have to work and I admit we don't explicitly test them for each new distro. In former versions ca-certificates was enough but as the distribution changes and we have no control what packages do at install time there will probably always be a gap in the testing matrix.

Thanks for your feedback

m0Ray commented 6 years ago

Ok, thanks. All works fine now.

But how can package signature help if DNS is spoofed? I prefer to have transport level encryption and signature.

schaefi commented 6 years ago

Ok, thanks. All works fine now.

sounds good :)

But how can package signature help if DNS is spoofed?

It doesn't if the spoofed location offers gpg signed packages from a trusted party which could be verified as such, they will just be taken. I completely agree without the ssl cert verification you can't be sure if the source location (the repo) deserves your trust.