Your message dated Fri, 29 Aug 2025 18:11:15 +0200
with message-id <[email protected]>
and subject line Re: Bug#1112125: apt-transport-https: Regression in CAInfo
handling in Trixie
has caused the Debian Bug report #1112125,
regarding apt-transport-https: Regression in CAInfo handling in Trixie
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112125
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-transport-https
Version: 3.1.4
Severity: normal
X-Debbugs-Cc: [email protected]
Hello,
there seems to be a regression in Trixie (probably since the switch
to OpenSSL) in the CAInfo handling.
I created a reproducer here:
https://salsa.debian.org/gjasny-guest/debian-apt-cafile
Copy for the archive:
---
FROM debian:13
ENV DEBIAN_FRONTEND=noninteractive
RUN sed -i'' -e 's,http://deb.debian.org,https://debian.inf.tu-dresden.de,g' \
    /etc/apt/sources.list.d/debian.sources
ADD rootca.pem /etc/rootca.pem
RUN echo 'Acquire::https::debian.inf.tu-dresden.de::CAInfo "/etc/rootca.pem";' \
    > /etc/apt/apt.conf.d/99-root-ca
RUN apt-get update
RUN apt-get install -y ca-certificates
---
It works with Debian 12 and fails with Debian 13. (I need that functionality
for a company internal APT repository, not debian.inf.tu-dresden.de.)
Could you please take a look at what's happening?
Thanks,
Gregor
-- System Information:
Debian Release: 13.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.27-arm64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apt-transport-https depends on:
ii apt 3.1.4
apt-transport-https recommends no packages.
apt-transport-https suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Hello,
thanks for the link to SSL_CTX_load_verify_file. That made me try plain
"openssl s_client". That way I figured out that the certificate I used
was not the root certificate but the first one that
"openssl s_client -showcerts" shows. With the proper root one it works
in all apt versions.
Thanks,
Gregor
--- End Message ---
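
Added example, not part of the bug report or of apt: the closing message traces the failure to a CAInfo file that held the first certificate printed by "openssl s_client -showcerts" rather than the root. The sketch below checks a PEM file for that mistake before it goes into Acquire::https::<host>::CAInfo. It assumes the openssl command-line tool is installed; the function names and the throwaway demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a PEM file before using it as a CAInfo trust anchor.
# Assumes the openssl CLI is available; all function names are hypothetical.

# Print "self-issued" (subject equals issuer, as for a root CA),
# "intermediate" (a CA issued by another CA) or "leaf" for the first
# certificate in file $1. The signature itself is checked by anchors_chain.
classify_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo invalid; return 1; }
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo self-issued
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo intermediate
    else
        echo leaf
    fi
}

# Succeed only if CA file $1 by itself lets OpenSSL verify server certificate
# $2 (optional $3: file with intermediates). The default trust locations are
# pointed at a nonexistent path so the system store cannot satisfy the check.
anchors_chain() {
    SSL_CERT_FILE=/nonexistent SSL_CERT_DIR=/nonexistent \
        openssl verify ${3:+-untrusted} ${3:+"$3"} -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample data: a throwaway root CA and a server certificate signed
# by it, written to directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=repo.example.internal' \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Usage: sh check-cainfo.sh /etc/rootca.pem
if [ $# -ge 1 ]; then
    classify_cert "$1"
fi
```

A file that classifies as "leaf" is the server's own certificate, and anchors_chain fails for it under OpenSSL's default verification settings even when it is the very certificate the server presents.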