Hi I ran into this bug too and confirmed that the man page is incorrect, and prepare the attached patch to fix this. It is also pushed as a merge request to Salsa:
https://salsa.debian.org/apt-team/apt/-/merge_requests/541 /Simon Gregor Jasny <[email protected]> writes: > Package: apt > Version: 3.0.1 > Severity: normal > X-Debbugs-Cc: [email protected] > > Hello, > > while testing for a regression in the CAInfo handling (bug report incoming) > I noticed that the apt-transport-http man page mentions the host-specific > config should be put into Acquire::https::CAInfo::host. > > But that does not work because it should be Acquire::https::host::CAInfo > (see also reply to #1099161). > > With Acquire::https::CRLFile::host there seems to be another occurrence in > the manpage (but I cannot say if that's correct or incorrect). > > Thanks, > Gregor > > -- Package-specific info: > > -- (no /etc/apt/preferences present) -- > > > -- (no /etc/apt/preferences.d/* present) -- > > > -- /etc/apt/sources.list -- > > deb http://ftp.de.debian.org/debian/ sid main > deb-src http://ftp.de.debian.org/debian/ sid main > > # This system was installed using small removable media > # (e.g. netinst, live or single CD). The matching "deb cdrom" > # entries were disabled at the end of the installation process. > # For information about how to configure apt package sources, > # see the sources.list(5) manual. > > -- (no /etc/apt/sources.list.d/* present) -- > > > -- System Information: > Debian Release: 13.0 > APT prefers unstable > APT policy: (500, 'unstable') > Architecture: arm64 (aarch64) > > Kernel: Linux 6.12.27-arm64 (SMP w/4 CPU threads) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), > LANGUAGE=en_US:en > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages apt depends on: > ii adduser 3.152 > ii base-passwd 3.6.7 > ii debian-archive-keyring 2025.1 > ii libapt-pkg7.0 3.0.1 > ii libc6 2.41-8 > ii libgcc-s1 14.2.0-19 > ii libseccomp2 2.6.0-2 > ii libssl3t64 3.5.0-1 > ii libstdc++6 14.2.0-19 > ii libsystemd0 257.5-2 > ii sqv 1.3.0-2 > > Versions of packages apt recommends: > ii ca-certificates 20250419 > > Versions of packages apt suggests: > pn apt-doc <none> > pn aptitude | synaptic | wajig <none> > ii dpkg-dev 1.22.18 > ii gnupg 2.4.7-19 > pn powermgmt-base <none> > > -- no debconf information >
From a6cad5fb42c1243f73a3433c6fd91a85d75fc105 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <[email protected]> Date: Sun, 4 Jan 2026 21:05:17 +0100 Subject: [PATCH] Fix host-specific Acquire::https CAInfo/CRLFile example (Closes: #1112123) The proper syntax for a host-specific parameters are: Acquire::https::deb.debian.org::CAInfo "/path/to/cert.pem"; Acquire::https::deb.debian.org::CRLFile "/path/to/cert.pem"; --- doc/apt-transport-https.1.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/apt-transport-https.1.xml b/doc/apt-transport-https.1.xml index 64d473cac..732320113 100644 --- a/doc/apt-transport-https.1.xml +++ b/doc/apt-transport-https.1.xml @@ -54,7 +54,7 @@ for <literal>Acquire::http</literal>. This manpage will only document the option <package>ca-certificates</package> package) are used for the verification of the server certificate. An alternative certificate authority (CA) can be configured with the <literal>Acquire::https::CAInfo</literal> option and its -host-specific option <literal>Acquire::https::CAInfo::<replaceable>host</replaceable></literal>. +host-specific option <literal>Acquire::https::<replaceable>host</replaceable>::CAInfo</literal>. The CAInfo option specifies a file made up of CA certificates (in PEM format) concatenated together to create the chain which APT should use to verify the path from your self-signed root certificate. If the remote server provides the @@ -63,7 +63,7 @@ certificate. Otherwise, the whole chain is required. If you need to support multiple authorities, the only way is to concatenate everything.</para> <para>A custom certificate revocation list (CRL) can be configured with the options <literal>Acquire::https::CRLFile</literal> and -<literal>Acquire::https::CRLFile::<replaceable>host</replaceable></literal>. +<literal>Acquire::https::<replaceable>host</replaceable>::CRLFile</literal>. As with the previous option, a file in PEM format needs to be specified.</para> </refsect2> -- 2.52.0
signature.asc
Description: PGP signature
