From 0591d3cc1cedf981423f3885d956d93dd1c4f34e Mon Sep 17 00:00:00 2001
From: Valentin Lab <valentin.lab@kalysto.org>
Date: Thu, 7 Oct 2021 12:40:17 +0200
Subject: [PATCH] fix: [docker-host] support fixing root SSL certificate for
 older hosts

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
---
 precise/base-0k/hooks/install.d/00-base.sh | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/precise/base-0k/hooks/install.d/00-base.sh b/precise/base-0k/hooks/install.d/00-base.sh
index e4fe6af..8446daa 100755
--- a/precise/base-0k/hooks/install.d/00-base.sh
+++ b/precise/base-0k/hooks/install.d/00-base.sh
@@ -9,8 +9,25 @@ set +eux
 ## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
 ## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
 
+modified_certificate=
+mkdir -p /usr/local/share/ca-certificates/custom
+for certfile_name in isrgrootx1:ISRG_Root_X1 isrg-root-x2 lets-encrypt-r3; do
+    certfile=${certfile_name%%:*}
+    name=${certfile_name#*:}
+    echo "Checking $certfile for $name"
+    if ! [ -e "/usr/local/share/ca-certificates/custom/$certfile".crt ] &&
+       ! [ -e "/etc/ssl/certs/$name.pem" ]; then
+        wget --no-check-certificate https://letsencrypt.org/certs/"$certfile".pem \
+             -O "/usr/local/share/ca-certificates/custom/$certfile".crt
+        modified_certificate=1
+    fi
+done
+
 if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
-    sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
+    sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf
+fi
+
+if [ -n "$modified_certificate" ]; then
         update-ca-certificates
 fi