vm-img: fix partially Let's Encrypt certificate on old OS due to expired root CA

2f87888d · Julien Muchembled · 59dff29d · 2f87888d
Commit 2f87888d authored Dec 03, 2021 by Julien Muchembled
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

component/vm-img/debian.cfg component/vm-img/debian.cfg +11 -0

No files found.
--- a/component/vm-img/debian.cfg
+++ b/component/vm-img/debian.cfg
@@ -32,6 +32,17 @@ late-command =
 # a DNS proxy on both IPv4 and IPv6 without translating queries to what the
 # host supports.
  dpkg -P rdnssd
+# Fix partially Let's Encrypt certificate on old OS due to expired root CA.
+# This is enough for Python but not wget.
+  dpkg --compare-versions 20200601~ le `dpkg-query -f '$${Version}' -W ca-certificates 2>/dev/null ||echo 1:0` || (
+    set ca-certificates_20200601~deb9u2_all.deb
+    wget http://security.debian.org/debian-security/pool/updates/main/c/ca-certificates/$1
+    echo 6cb3ce4329229d71a6f06b9f13c710457c05a469012ea31853ac300873d5a3e1 $1 |sha256sum -c
+    dpkg -i $1
+    rm $1
+    cd /etc/ssl/certs
+    rm DST_Root_CA_X3.pem 2e5ac55d.0 12d55845.0
+  )
  mount |grep -q 'on / .*\bdiscard\b' || ! type fstrim || {
    apt-get clean
    sync