From 8fd483810a0e342231a15f7c3a975a3d9cc6db5d Mon Sep 17 00:00:00 2001
From: Valentin Lab <valentin.lab@kalysto.org>
Date: Fri, 1 Oct 2021 18:24:02 +0200
Subject: [PATCH] fix: [docker-host] fix root cert list if necessary to remove
 expired "DST_Root_CA-X3" cert.

Otherwise all SSL usage (``apt-get update``, ``curl https...``)
towards servers using certificate that is endorsed by this root
certificate, will fail. This includes Let's encrypt 4 Billions
certificates.

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
---
 precise/base-0k/hooks/install.d/00-base.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/precise/base-0k/hooks/install.d/00-base.sh b/precise/base-0k/hooks/install.d/00-base.sh
index b3fb49fb..e4fe6afe 100755
--- a/precise/base-0k/hooks/install.d/00-base.sh
+++ b/precise/base-0k/hooks/install.d/00-base.sh
@@ -2,6 +2,20 @@
 
 set +eux
 
+
+## Certificate DST_Root_CA-X3 expired, it needs to be removed
+## from list of available certificates. Debian <10 have the issue.
+##
+## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
+## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
+
+if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
+    sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
+        update-ca-certificates
+fi
+
+## We can now do the ``apt-get update`` safely...
+
 apt-get update
 apt-get -y install bash-completion wget bzip2 git-core \
         less tmux mosh \
@@ -20,3 +34,6 @@ case $(lsb_release -is) in
         locale-gen
         ;;
 esac
+
+
+