My internet connection requires the installation of a root certificate in order to work.
On an already existing Arch installation I would run the following commands
wget http://netfree.link/netfree-ca.crt
sudo trust anchor --store netfree-ca.crt
The question is how to use the Arch installer, which, as we know, needs to download packages. Is there a way I can insert my cert?
Last edited by shmu26 (2022-01-13 11:39:40)
As root or using the manual installer
curl -O http://netfree.link/netfree-ca.crt
trust anchor --store netfree-ca.crt
Last edited by Morta (2022-01-13 05:40:55)
As root or using the manual installer
curl -O http://netfree.link/netfree-ca.crt
trust anchor --store netfree-ca.crt
So those commands will work in the Arch installer itself?
No, but you can execute them before you start the installer with archinstall
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Thanks to both of you. Now I got the idea.
Will I be able to install curl before I get the internet connection working?
I tested out the suggested command on Ubuntu to see what happens, and it doesn't actually download the file
curl -O http://netfree.link/netfree-ca.crt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
But when I run the original command, the one with wget, it downloads the file
Last edited by shmu26 (2022-01-13 09:54:00)
It does download something, but not the certificate you want.
$ cat netfree-ca.crt
Found. Redirecting to //api.internal.netfree.link/ca/netfree-ca.crt
$
Will I be able to install curl before I get the internet connection working?
Unlikely, and even if you do add curl (or wget) manually from a memory stick, your network will block downloading the certificate.
Just download the file on any working system and put it on a memory stick that you mount while booted in the install environment.
Just download the file on any working system and put it on a memory stick that you mount while booted in the install environment.
Okay, so will the command "trust anchor" work?
Without that command, I think I would have to copy and paste the certificate (to which location?) and then reboot, in order for the certificate to work, but since there is assumedly no persistence to the installation medium, I will be back to square one.
Last edited by shmu26 (2022-01-13 11:06:21)
The trust command comes from the p11-kit package which doesn't appear to be included on the iso[1].
You could create your own custom install iso, but adding some packages seems easier.
https://wiki.archlinux.org/title/Offline_installation
Try method 1 first.
Note: if you don't have a working archlinux system around, things get more complicated.
The trust command comes from the p11-kit package which doesn't appear to be included on the iso[1].
You could create your own custom install iso, but adding some packages seems easier.
https://wiki.archlinux.org/title/Offline_installation
Try method 1 first.
Note: if you don't have a working archlinux system around, things get more complicated.
I will accept that as the answer.
The trust command comes from the p11-kit package which doesn't appear to be included on the iso[1].
p11-kit may not be explicitly included, but it gets pulled in as a dependency of ca-certificates-utils, gnutls and nss.
Lone_Wolf wrote: The trust command comes from the p11-kit package which doesn't appear to be included on the iso[1].
p11-kit may not be explicitly included, but it gets pulled in as a dependency of ca-certificates-utils, gnutls and nss.
So what's the best way to do this, then? I have my cert on a second flash drive, I mount the right volume on the flash drive, and then...?
Last edited by shmu26 (2022-01-13 13:50:28)
nl6720 wrote: Lone_Wolf wrote: The trust command comes from the p11-kit package which doesn't appear to be included on the iso[1].
p11-kit may not be explicitly included, but it gets pulled in as a dependency of ca-certificates-utils, gnutls and nss.
So what's the best way to do this, then? I have my cert on a second flash drive, I mount the right volume on the flash drive, and then...?
and then you use "trust anchor ..." followed by "update-ca-trust". Those commands are part of the iso. (On any arch system, the ISO is one, they are a sub-dependency of pacman: base -> pacman -> curl -> ca-certificates -> ca-certificates-mozilla -> ca-certificates-utils -> p11-kit)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
shmu26 wrote: nl6720 wrote: p11-kit may not be explicitly included, but it gets pulled in as a dependency of ca-certificates-utils, gnutls and nss.
So what's the best way to do this, then? I have my cert on a second flash drive, I mount the right volume on the flash drive, and then...?
and then you use "trust anchor ..." followed by "update-ca-trust". Those commands are part of the iso. (On any arch system, the ISO is one, they are a sub-dependency of pacman: base -> pacman -> curl -> ca-certificates -> ca-certificates-mozilla -> ca-certificates-utils -> p11-kit)
Got it, so what would be the command right before this, to copy the cert file into its proper folder?
Looks like I missed that the packages.x86_64 list is fed to pacman / pacstrap and not a complete listing of every installed package available in the install environment.
--store
Store one or more anchors to the trust policy store. Specify certificate files on the command line
Make sure the trust anchor command can find the certificate file, and it will install it in the proper location.
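The steps the thread arrives at, as an added example that is not part of any post above: check the file copied from the memory stick before adding it as a trust anchor, since the thread shows a download that saved a redirect message instead of the certificate. It assumes a PEM-encoded file and that openssl is present in the install environment; the script name, device name, mount point and expected fingerprint are placeholders, and the fingerprint has to come from a source other than the download itself.

```shell
#!/bin/sh
# Added example; the device name and fingerprint in the usage line are placeholders.
# Usage: mount /dev/sdX1 /mnt && sh add-anchor.sh /mnt/netfree-ca.crt 'AA:BB:...'

# Succeed only if the file has the shape of a PEM certificate. This rejects an
# empty file and a saved redirect body such as "Found. Redirecting to ...".
is_pem_cert() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ] || return 1
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# Reduce a fingerprint to bare upper-case hex: drop an "xxx Fingerprint=" prefix,
# colons and spaces, so values copied in different styles compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Compare the file's SHA-256 fingerprint with one obtained out of band.
fp_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# Check first, then add the anchor with the two commands named in the thread.
install_anchor() {
    is_pem_cert "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    fp_matches "$1" "$2" || { echo "fingerprint mismatch: $1" >&2; return 1; }
    trust anchor --store "$1" && update-ca-trust
}

if [ "$#" -eq 2 ]; then
    install_anchor "$1" "$2"
fi
```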