From 2385601ed528f08f37c6a6441a377e7d57a71983 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Fri, 12 Dec 2025 19:24:12 +0100 Subject: [PATCH] Persist CA bundle configuration on CentOS for Nix and HTTPS tools Move CA bundle detection from the Docker entrypoint to CentOS dependencies and persist it system-wide. This ensures Nix, Git, curl, and Python HTTPS access works in virgin environments by configuring `/etc/profile.d` and `/etc/nix/nix.conf`. Removes runtime-only CA exports from the container entrypoint and makes the setup reproducible and distro-correct. https://chatgpt.com/share/693c5ddf-3260-800f-ac94-38c635dba307
---
 scripts/docker/entry.sh | 47 -----------------
 scripts/installation/centos/dependencies.sh | 56 ++++++++++++++++++++-
 2 files changed, 55 insertions(+), 48 deletions(-)
diff --git a/scripts/docker/entry.sh b/scripts/docker/entry.sh
index 196ce42..5c31bcf 100755
--- a/scripts/docker/entry.sh
+++ b/scripts/docker/entry.sh
@@ -1,53 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# ---------------------------------------------------------------------------
-# Detect and export a valid CA bundle so Nix, Git, curl and Python tooling
-# can successfully perform HTTPS requests on all distros (Debian, Ubuntu,
-# Fedora, RHEL, CentOS, etc.)
-# ---------------------------------------------------------------------------
-detect_ca_bundle() {
- # Common CA bundle locations across major Linux distributions
- local candidates=(
- /etc/ssl/certs/ca-certificates.crt # Debian/Ubuntu
- /etc/ssl/cert.pem # Some distros
- /etc/pki/tls/certs/ca-bundle.crt # Fedora/RHEL/CentOS
- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # CentOS/RHEL extracted bundle
- /etc/ssl/ca-bundle.pem # Generic fallback
- )
-
- for path in "${candidates[@]}"; do
- if [[ -f "$path" ]]; then
- echo "$path"
- return 0
- fi
- done
-
- return 1
-}
-
-# Use existing NIX_SSL_CERT_FILE if provided, otherwise auto-detect
-CA_BUNDLE="${NIX_SSL_CERT_FILE:-}"
-
-if [[ -z "${CA_BUNDLE}" ]]; then
- CA_BUNDLE="$(detect_ca_bundle || true)"
-fi
-
-if [[ -n "${CA_BUNDLE}" ]]; then
- # Export for Nix (critical)
- export NIX_SSL_CERT_FILE="${CA_BUNDLE}"
-
- # Export for Git, Python requests, curl, etc.
- export SSL_CERT_FILE="${CA_BUNDLE}"
- export REQUESTS_CA_BUNDLE="${CA_BUNDLE}"
- export GIT_SSL_CAINFO="${CA_BUNDLE}"
-
- echo "[docker] Using CA bundle: ${CA_BUNDLE}"
-else
- echo "[docker] WARNING: No CA certificate bundle found."
- echo "[docker] HTTPS access for Nix flakes and other tools may fail."
-fi
-
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 echo "[docker] Starting package-manager container"
diff --git a/scripts/installation/centos/dependencies.sh b/scripts/installation/centos/dependencies.sh
index 9778ee8..98db129 100755
--- a/scripts/installation/centos/dependencies.sh
+++ b/scripts/installation/centos/dependencies.sh
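Review bot: After this hunk the entrypoint no longer sets SSL_CERT_FILE, REQUESTS_CA_BUNDLE or GIT_SSL_CAINFO, and their replacement in scripts/installation/centos/dependencies.sh is written to /etc/profile.d/pkgmgr-ca.sh, which only login shells read; entry.sh runs as a plain `#!/usr/bin/env bash` script, so any Git, curl or Python tooling it starts now runs without those variables unless the image also sets them via ENV, which is not visible here. Nix is covered by /etc/nix/nix.conf according to the commit message, but the other tools are not. A one-line guard after `set -euo pipefail` keeps the persisted configuration effective for the entrypoint: `[[ -r /etc/profile.d/pkgmgr-ca.sh ]] && source /etc/profile.d/pkgmgr-ca.sh`. The removed "No CA certificate bundle found" WARNING has no successor in the entrypoint, so a missing bundle now surfaces only as a TLS failure at the first HTTPS request; keeping a short warning when SSL_CERT_FILE is unset would preserve that diagnostic. The replacement is CentOS-only while the deleted header comment covered Debian/Ubuntu/Fedora bases too — if images for those distros exist, they lose the fallback entirely.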
@@ -13,10 +13,64 @@ dnf -y install \
 bash \
 curl-minimal \
 ca-certificates \
- python3.11 \
+ python3 \
 sudo \
 xz
 dnf clean all
+# -----------------------------------------------------------------------------
+# Persist CA bundle configuration system-wide (virgin-compatible)
+# -----------------------------------------------------------------------------
+detect_ca_bundle() {
+ local candidates=(
+ /etc/pki/tls/certs/ca-bundle.crt
+ /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ /etc/ssl/certs/ca-certificates.crt
+ /etc/ssl/cert.pem
+ /etc/ssl/ca-bundle.pem
+ )
+
+ for path in "${candidates[@]}"; do
+ if [[ -f "$path" ]]; then
+ echo "$path"
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+CA_BUNDLE="$(detect_ca_bundle || true)"
+
+if [[ -n "${CA_BUNDLE}" ]]; then
+ echo "[centos/dependencies] Persisting CA bundle: ${CA_BUNDLE}"
+
+ # 1) Make it available for login shells
+ cat >/etc/profile.d/pkgmgr-ca.sh <