On 01/07/17 16:13, Bob Beck wrote:
>
> On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote:
>> On 01/06/17 06:28, Stuart Henderson wrote:
>>> Related to this (and particularly thinking about autoinstalls),
>>> would it make sense to allow explicit protocols in the hostname?
>>>
>>> some.host -> https with http fallback
>>> http://some.host/ -> http only
>>> https://some.host/ -> https only, no fallback
>>
>> That would totally work for my install problem.
>>
>> FWIW, instead of running a patched install.sub, "rm /etc/ssl/cert.pem" makes
>> the install bypass the https attempt.
>>
>
> Note, if you're upgrading or otherwise have a way to get a cert.pem bundle
> onto there to *replace* the default, you could always drop the signer for your
> private self-signed server into the cert.pem bundle, at which point it would
> be accepted as trusted.
In an ideal world, I'd have a valid certificate for this local nas server...

> of course if you're just installing you have an interesting chicken and egg
> problem, unless you put it somewhere on an https site that does have a real
> certificate, drop out of the installer and do
>
> ftp -o /tmp/mysigner.pem https://my.secure.site/mysigner.pem
> cat /tmp/mysigner.pem >> /etc/ssl/cert.pem
>
> then continue the install, and you're good.

Thanks. Unfortunately, I've been spoiled by the continually improving snapshot install methods and want to preserve typing "a" once for a new -current.

> Almost wonder if it's worth an extra question in the installer to ask
> for an https address to retrieve a certificate bundle to be appended to
> cert.pem for the install...

That would also solve the self signed cert problem. Since the install /etc/ssl/cert.pem is transient, your method wouldn't trigger any /etc/daily alarm about a change in cert.pem.

I hacked a bit on sthen's suggestion but ran into problems testing the https part w/ the OpenBSD servers. I'm currently unable to do a snapshot autoinstall from ftp[35] via the latest bsd.rd.

FWIW, here's my weak attempt at sthen's suggestion:

Index: install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.942 diff -u -p -u -p -r1.942 install.sub --- install.sub 4 Jan 2017 13:47:29 -0000 1.942 +++ install.sub 7 Jan 2017 22:02:52 -0000 @@ -1502,9 +1502,11 @@ install_files() { # Get several parameters from the user, and xfer files from the http server. install_http() { + local _proto=$1 local _file_list _prompt _mirror _url_base _err _idx=/tmp/i/index.txt local _idx_url _rc + HTTP_PROTO=$_proto # N.B.: 'http_proxy' is an environment variable used by ftp(1). DON'T # change the name or case! ask "HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none')" \ 
@@ -1568,8 +1570,9 @@ install_http() { # Get list of files from the server. # Assumes index file is "index.txt" for http (or proxy). # We can't use index.html since the format is server-dependent. - # If ftp(1) has tls, fetch index.txt via https. If that fails - # tell the user about it and switch to http. + # If ftp(1) has tls and doesn't explicitly request http, + # fetch index.txt via https. If https fails tell the user about + # it and switch to http. rm -f $_idx if $FTP_TLS; then _idx_url=$_url_base/index.txt @@ -2310,7 +2313,7 @@ feed_random() { # selects from that location. Repeat as many times as the user needs to get all # desired sets. install_sets() { - local _cddevs=$(get_cddevs) _d=$CGI_METHOD _im _locs="disk http" _src + local _cddevs=$(get_cddevs) _d=$CGI_METHOD _im _locs="disk http https" _src echo @@ -2343,7 +2346,9 @@ install_sets() { ;; [dD]*) install_disk && INSTALL_METHOD=disk ;; - [hH]*) isin http $_locs && install_http && INSTALL_METHOD=http + [hH]*s) isin https $_locs && install_http https && INSTALL_METHOD=https + ;; + [hH]*) isin http $_locs && install_http http && INSTALL_METHOD=http ;; [nN]*) isin nfs $_locs && install_nfs && INSTALL_METHOD=nfs ;;
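Review bot: in the first hunk (@@ -1502), `local _proto=$1` takes the protocol from the first argument with no default and no validation, so any caller that still invokes install_http with no argument leaves HTTP_PROTO empty; suggest `local _proto=${1:-http}` or a check that `_proto` is exactly http or https before it is copied into HTTP_PROTO. HTTP_PROTO is also a new global that no visible line reads, so the commit message should say where it is consumed.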
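Review bot: in the second hunk (@@ -1568) the rewritten comment promises that https is skipped when the user explicitly asked for http, but the only code line in the hunk is still `if $FTP_TLS; then`, so nothing visible honours HTTP_PROTO=http; the condition should be changed to match the comment, e.g. `if $FTP_TLS && [[ $HTTP_PROTO != http ]]; then`. The comment also keeps the "if https fails ... switch to http" behaviour, so a user who chose the new https entry is still downgraded to plaintext on failure; Stuart's proposal was that an explicit https choice means no fallback, so that downgrade needs to be gated on HTTP_PROTO as well.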
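Review bot: in the third hunk (@@ -2310), `_locs="disk http https"` offers https unconditionally, while the second hunk shows https fetches only happen when $FTP_TLS is true; on a bsd.rd whose ftp(1) lacks TLS the https entry would be accepted and then served over http. Suggest appending https to _locs only when $FTP_TLS is set.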
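Review bot: in the fourth hunk (@@ -2343) the new `[hH]*s)` case is correctly ordered before `[hH]*)`, so a bare "h" still selects http, but INSTALL_METHOD can now be "https" and any existing test elsewhere in install.sub that compares INSTALL_METHOD against http (not shown in this diff) needs checking so later steps treat https the same way.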
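The patch above models the choice as a separate menu entry; Stuart's proposal earlier in the thread encodes it in the server string instead, with an explicit scheme meaning "that protocol only" and a bare hostname meaning "https, then http". The following POSIX sh is an added example (not part of this thread or of install.sub; the function names server_policy and index_urls are hypothetical) showing that parsing and, from it, the ordered list of index.txt URLs a fetcher would try, so that an explicit https:// spec never yields a plaintext fallback URL.

```shell
#!/bin/sh
# Added example, not from the thread or from install.sub.
# server_policy SPEC prints "PROTO FALLBACK HOST" for the three forms
# proposed in the thread:
#   some.host           -> https yes some.host   (https, fall back to http)
#   http://some.host/   -> http  no  some.host   (http only)
#   https://some.host/  -> https no  some.host   (https only, no fallback)
server_policy() {
	_spec=$1
	case $_spec in
	https://*)
		_proto=https; _fallback=no;  _host=${_spec#https://} ;;
	http://*)
		_proto=http;  _fallback=no;  _host=${_spec#http://} ;;
	*://*)
		return 1 ;;            # unsupported scheme
	*)
		_proto=https; _fallback=yes; _host=$_spec ;;
	esac
	_host=${_host%%/*}             # drop any path component
	[ -n "$_host" ] || return 1
	printf '%s %s %s\n' "$_proto" "$_fallback" "$_host"
}

# index_urls SPEC prints the index.txt URLs to try, one per line, in order.
# With an explicit https:// spec only the https URL is produced, so a
# fetcher walking this list can never downgrade to plaintext.
index_urls() {
	_p=$(server_policy "$1") || return 1
	set -- $_p
	printf '%s://%s/index.txt\n' "$1" "$3"
	[ "$2" = yes ] && printf 'http://%s/index.txt\n' "$3"
	return 0
}
```

A fetch loop in the installer would then try each URL in order and stop at the first success; an https:// spec leaves it with exactly one candidate, which is the behaviour the menu-based patch cannot express.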