fix: [docker-host] fix root cert list if necessary to remove expired "DST_Root_CA-X3" cert.

Otherwise all SSL usage (``apt-get update``, ``curl https...``)
towards servers using a certificate that is endorsed by this root
certificate will fail. This includes Let's Encrypt's 4 billion
certificates.

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
pull/1/head
Valentin Lab 3 years ago
commit 8fd483810a
  1. 17
      precise/base-0k/hooks/install.d/00-base.sh

@ -2,6 +2,20 @@
set +eux set +eux
## Certificate DST_Root_CA-X3 expired, it needs to be removed
## from list of available certificates. Debian <10 have the issue.
##
## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
update-ca-certificates
fi
## We can now do the ``apt-get update`` safely...
apt-get update apt-get update
apt-get -y install bash-completion wget bzip2 git-core \ apt-get -y install bash-completion wget bzip2 git-core \
less tmux mosh \ less tmux mosh \
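Review bot: the `grep` guard on the first added line redirects stderr twice (`2>/dev/null 2>&1`) and never silences stdout, so the matched line is echoed into the install output; `grep -q`, or `>/dev/null 2>&1`, looks like what was intended. The dots in `DST_Root_CA_X3.crt` are also unescaped in both the `grep` and the `sed` pattern, which is harmless for this file name but worth writing as `\.` for exactness. Because the script runs under `set +eux`, a failure of `sed` or `update-ca-certificates` is not fatal and the following `apt-get update` runs anyway, even though the comment above it says it is now safe; consider printing an explicit error or aborting when the `&&` chain fails.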
@ -20,3 +34,6 @@ case $(lsb_release -is) in
locale-gen locale-gen
;; ;;
esac esac