From 8fd483810a0e342231a15f7c3a975a3d9cc6db5d Mon Sep 17 00:00:00 2001
From: Valentin Lab
Date: Fri, 1 Oct 2021 18:24:02 +0200
Subject: [PATCH] fix: [docker-host] fix root cert list if necessary to remove expired "DST_Root_CA-X3" cert.

Otherwise all SSL usage (``apt-get update``, ``curl https...``) towards servers using certificate that is endorsed by this root certificate, will fail. This includes Let's encrypt 4 Billions certificates.

Signed-off-by: Valentin Lab
---
 precise/base-0k/hooks/install.d/00-base.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/precise/base-0k/hooks/install.d/00-base.sh b/precise/base-0k/hooks/install.d/00-base.sh
index b3fb49f..e4fe6af 100755
--- a/precise/base-0k/hooks/install.d/00-base.sh
+++ b/precise/base-0k/hooks/install.d/00-base.sh
@@ -2,6 +2,20 @@
 set +eux
+
+## Certificate DST_Root_CA-X3 expired, it needs to be removed
+## from list of available certificates. Debian <10 have the issue.
+##
+## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/
+## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
+
+if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then
+ sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf &&
+ update-ca-certificates
+fi
+
+## We can now do the ``apt-get update`` safely...
+
 apt-get update
 apt-get -y install bash-completion wget bzip2 git-core \
 less tmux mosh \
@@ -20,3 +34,6 @@ case $(lsb_release -is) in
 locale-gen
 ;;
 esac
+
+
+
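Review bot: The `2>/dev/null 2>&1` on the grep condition silences nothing: the later `2>&1` re-points stderr at stdout, and stdout itself is never suppressed, so the matched line (or a grep error if the file is absent) ends up in the hook's output; the intended form is `if grep -q '^mozilla/DST_Root_CA_X3\.crt' /etc/ca-certificates.conf 2>/dev/null; then`, with the `.` escaped so only the literal filename matches. Because the file runs under `set +eux`, a failing `sed` or `update-ca-certificates` is ignored and the hook carries on to `apt-get update` with the expired root still in the bundle, so the result should be checked explicitly, e.g. `update-ca-certificates || { printf '%s\n' 'update-ca-certificates failed' >&2; exit 1; }`. Deselecting the expired cross-sign only restores validation if the trust store also contains ISRG Root X1 (`mozilla/ISRG_Root_X1.crt` in the same conf file); on a base image this old that is worth confirming with the same grep before relying on the chain, since otherwise Let's Encrypt chains still fail to verify. The hunk is at top level of the script, so no enclosing function is cut.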