From 0591d3cc1cedf981423f3885d956d93dd1c4f34e Mon Sep 17 00:00:00 2001
From: Valentin Lab
Date: Thu, 7 Oct 2021 12:40:17 +0200
Subject: [PATCH] fix: [docker-host] support fixing root SSL certificate for older hosts
Signed-off-by: Valentin Lab
---
 precise/base-0k/hooks/install.d/00-base.sh | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/precise/base-0k/hooks/install.d/00-base.sh b/precise/base-0k/hooks/install.d/00-base.sh
index e4fe6af..8446daa 100755
--- a/precise/base-0k/hooks/install.d/00-base.sh
+++ b/precise/base-0k/hooks/install.d/00-base.sh
@@ -9,8 +9,25 @@ set +eux
 ## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
 ## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
+modified_certificate=
+mkdir -p /usr/local/share/ca-certificates/custom
+for certfile_name in isrgrootx1:ISRG_Root_X1 isrg-root-x2 lets-encrypt-r3; do
+ certfile=${certfile_name%%:*}
+ name=${certfile_name#*:}
+ echo "Checking $certfile for $name"
+ if ! [ -e "/usr/local/share/ca-certificates/custom/$certfile".crt ] &&
+ ! [ -e "/etc/ssl/certs/$name.pem" ]; then
+ wget --no-check-certificate https://letsencrypt.org/certs/"$certfile".pem \
+ -O "/usr/local/share/ca-certificates/custom/$certfile".crt
+ modified_certificate=1
+ fi
+done
+
 if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
- sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
+ sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf
+fi
+
+if [ -n "$modified_certificate" ]; then
 update-ca-certificates
 fi
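Review bot: The `wget --no-check-certificate` call in the new loop writes whatever the network returns straight into `/usr/local/share/ca-certificates/custom/`, so a tampered response becomes a system-wide trusted CA once `update-ca-certificates` runs. Because these hosts cannot validate the TLS chain yet, the check has to come from elsewhere: pin a SHA-256 digest per file in this repository (or ship the PEM files with the hook) and install the download only when it matches, as sketched below with placeholder digests. Downloading to a temporary file first also covers the case where a failed `wget -O` leaves an empty `.crt` that later runs treat as already installed, while `modified_certificate=1` is set regardless of the exit status. Separately, the `sed` branch that disables `mozilla/DST_Root_CA_X3.crt` no longer triggers `update-ca-certificates` on its own; adding `modified_certificate=1` after the `sed` line would keep that behaviour.

```shell
# … unchanged: loop header, certfile/name split, the two existence checks …
        ## Placeholder digests: record the real values in this repository, obtained out of band
        case "$certfile" in
            isrgrootx1)      expected_sha256="<PINNED_SHA256_ISRGROOTX1>" ;;
            isrg-root-x2)    expected_sha256="<PINNED_SHA256_ISRG_ROOT_X2>" ;;
            lets-encrypt-r3) expected_sha256="<PINNED_SHA256_LETS_ENCRYPT_R3>" ;;
        esac
        tmp_cert=$(mktemp) || continue
        ## TLS cannot be verified on these hosts yet, so trust comes from the pinned digest
        if wget --no-check-certificate https://letsencrypt.org/certs/"$certfile".pem -O "$tmp_cert" &&
           echo "$expected_sha256  $tmp_cert" | sha256sum -c - >/dev/null; then
            install -m 0644 "$tmp_cert" "/usr/local/share/ca-certificates/custom/$certfile".crt &&
                modified_certificate=1
        else
            echo "Not installing $certfile: download failed or digest mismatch" >&2
        fi
        rm -f "$tmp_cert"
# … unchanged: closing fi / done …
```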