From 72226d89e917d9aa5744e54e3d75ae166e12dc36 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 17 Oct 2021 09:36:20 +0200
Subject: Docker: T3911: invalidate old LetsEncrypt CA
---
 .../hooks/live/00-update-letsencrypt-root-ca.chroot | 7 +++++++
 docker/Dockerfile | 9 +++++++++
 2 files changed, 16 insertions(+)
 create mode 100755 data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot
diff --git a/data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot b/data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot
new file mode 100755
index 00000000..d27cc12c
--- /dev/null
+++ b/data/live-build-config/hooks/live/00-update-letsencrypt-root-ca.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo I: Un-trust old LetsEncrypt root
+sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
+echo I: Update CA certificates
+update-ca-certificates
+
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 238229d0..221de785 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -72,6 +72,15 @@ RUN apt-get update && apt-get install -y \
 jq \
 grub2
 
+#
+# The LetsEncrypt root certificate expired - we need to install the new ones
+#
+RUN apt-get update && apt-get install -y ca-certificates
+# Un-trust the old certificate
+RUN sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
+# Update CA store
+RUN update-ca-certificates
+
 #
 # Setup Debian Jessie Backports repository
 #
-- 
cgit v1.2.3
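Review bot: The new hook never checks that the distrust took effect. There is no `set -e`, so a failing `sed` (for example a missing `/etc/ca-certificates.conf`) is ignored, and the `sed` address matches nothing without any error if the entry is named differently. I would add `set -e` after the shebang and, after `update-ca-certificates`, an outcome check such as `[ ! -e /etc/ssl/certs/DST_Root_CA_X3.pem ] || { echo "E: DST Root CA X3 still trusted"; exit 1; }`; that is the usual Debian store path, so confirm it for the target release. The same unverified `sed` is used in the docker/Dockerfile hunk. Unlike the Dockerfile, the hook does not refresh the `ca-certificates` package, so it presumably relies on the chroot already shipping the replacement root, which is worth a one-line comment.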
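Review bot: The package install, the `sed` and `update-ca-certificates` are three separate `RUN` instructions although they form one logical step. Chaining them keeps the trust-store change atomic and saves two layers: `RUN apt-get update && apt-get install -y ca-certificates && sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates`. The header comment "we need to install the new ones" would be more accurate if it said that the install only pulls the `ca-certificates` version the configured repositories offer, and that the following lines explicitly distrust DST Root CA X3. The `sed` expression now lives in two files, so a comment pointing at the live-build hook copy would help keep them in sync.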