From 9f719a8c427f639e1f0ea6725073be3081dd008e Mon Sep 17 00:00:00 2001
From: Mike Milner <mike.milner@canonical.com>
Date: Fri, 24 Feb 2012 15:16:56 -0400
Subject: If we don't trust the default certs, don't add new certs from
 ca-certificates package upgrades.

---
 cloudinit/CloudConfig/cc_ca_certs.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'cloudinit')

diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py
index c18821f9..c7bacb78 100644
--- a/cloudinit/CloudConfig/cc_ca_certs.py
+++ b/cloudinit/CloudConfig/cc_ca_certs.py
@@ -54,6 +54,9 @@ def remove_default_ca_certs():
     delete_dir_contents(CA_CERT_PATH)
     delete_dir_contents(CA_CERT_SYSTEM_PATH)
     write_file(CA_CERT_CONFIG, "", mode=0644)
+    check_call([
+        "echo 'ca-certificates ca-certificates/trust_new_crts  select no' | "
+        "debconf-set-selections"], shell=True)
 
 
 def handle(_name, cfg, _cloud, log, _args):
-- 
cgit v1.2.3