fix: [docker-host] fix root cert list if necessary to remove expired "DST_Root_CA-X3" cert.

Otherwise all SSL usage (``apt-get update``, ``curl https...``) towards servers using certificate that is endorsed by this root certificate, will fail. This includes Let's encrypt 4 Billions certificates. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
3 years ago · 8fd483810a
1 changed files with 17 additions and 0 deletions
--- a/precise/base-0k/hooks/install.d/00-base.sh
+++ b/precise/base-0k/hooks/install.d/00-base.sh
@ -2,6 +2,20 @@

 set +eux

+
+## Certificate DST_Root_CA-X3 expired, it needs to be removed
+## from list of available certificates. Debian <10 have the issue.
+##
+## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
+## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
+
+if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
+    sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
+        update-ca-certificates
+fi
+
+## We can now do the ``apt-get update`` safely...
+
 apt-get update
 apt-get -y install bash-completion wget bzip2 git-core \
        less tmux mosh \
@ -20,3 +34,6 @@ case $(lsb_release -is) in
        locale-gen
        ;;
 esac
+
+
+