Docker: T3911: invalidate old LetsEncrypt CA

2025-10-01 20:28:40 +02:00 · 2021-10-17 09:36:20 +02:00 · 2021-10-17 09:36:20 +02:00 · 72226d89e9
commit 72226d89e9
parent c0dc0f5578
2 changed files with 16 additions and 0 deletions
--- a/data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot
+++ b/data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot
@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo I: Un-trust old LetsEncrypt root
+sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
+echo I: Update CA certificates
+update-ca-certificates
+
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -72,6 +72,15 @@ RUN apt-get update && apt-get install -y \
      jq \
      grub2

+#
+# The LetsEncrypt root certificate expired - we need to install the new ones
+#
+RUN apt-get update && apt-get install -y ca-certificates
+# Un-trust the old certificate
+RUN sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
+# Update CA store
+RUN update-ca-certificates
+
 #
 # Setup Debian Jessie Backports repository
 #