Trust copied certificates

This resolves "unacceptable TLS certificate" errors raised by some of the utilities using libsoup (e.g., flatpak). Tested by pulp/pulp_container#1613. [noissue]
lubosmj · May 17, 2024 · c63299f · c63299f
1 parent a8209e4
commit c63299f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/templates/github/.github/workflows/scripts/install.sh.j2 b/templates/github/.github/workflows/scripts/install.sh.j2
@@ -215,6 +215,7 @@ sudo chown -R 700:700 ~/.config
 echo ::group::SSL
 # Copy pulp CA
 sudo docker cp pulp:/etc/pulp/certs/pulp_webserver.crt /usr/local/share/ca-certificates/pulp_webserver.crt
+sudo docker exec -u root pulp trust anchor /etc/pulp/certs/pulp_webserver.crt
 
 # Hack: adding pulp CA to certifi.where()
 CERTIFI=$(python -c 'import certifi; print(certifi.where())')
@@ -245,6 +246,7 @@ if [[ "$TEST" = "azure" ]]; then
   cat /usr/local/share/ca-certificates/azcert.crt >> $AZCERTIFI
   cat /usr/local/share/ca-certificates/azcert.crt | cmd_stdin_prefix tee -a "$PULPCERTIFI" > /dev/null
   cat /usr/local/share/ca-certificates/azcert.crt | cmd_stdin_prefix tee -a /etc/pki/tls/cert.pem > /dev/null
+  cmd_stdin_prefix sudo trust anchor /etc/pki/tls/cert.pem
   {%- endif %}
   AZURE_STORAGE_CONNECTION_STRING='DefaultEndpointsProtocol={{ pulp_scheme }};AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint={{ pulp_scheme }}://ci-azurite:10000/devstoreaccount1;'
   az storage container create --name pulp-test --connection-string $AZURE_STORAGE_CONNECTION_STRING