Add an option to fix Let's Encrypt CA certificates for old distros (#450)

This commit is contained in:
Michele Locati 2021-10-07 23:40:39 +02:00 committed by GitHub
parent f5a8f0fb94
commit 73545ba3e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 2 deletions

View File

@ -298,8 +298,9 @@ Here's the list of all the supported environment variables:
| Extension | Environment variable | Description |
|---|---|---|
| | `IPE_FIX_CACERTS=1` | Old Alpine Linux (3.7 and 3.8) and Debian (Jessie and Stretch) versions don't work anymore with websites whose HTTPS certificate has been signed by Let's Encrypt ([more details here](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/).<br /> By setting this environment variable, `install-php-extensions` will fix this issue |
| | `IPE_KEEP_SYSPKG_CACHE=1` | By default the script will clear the apt/apk/pear cache in order to save disk space. You can disable it by setting this environment variable |
| lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed |
| lzf | `IPE_LZF_BETTERCOMPRESSION=1` | By default `install-php-extensions` compiles the `lzf` extension to prefer speed over size; you can use this environment variable to compile it preferring size over speed |
| event | `IPE_EVENT_NAMESPACE=`... | By default the `event` classes are defined in the root namespace. You can use this environment variable to specify a custom namespace |
| gd | IPE_GD_WITHOUTAVIF=1 | Since PHP 8.1, gd supports the AVIF format. Enabling it requires compiling libaom/libdav1d/libyuv/libavif, which is time-consuming. You can disable AVIF support by setting this environment variable |

View File

@ -2991,6 +2991,48 @@ removeStringFromList() {
printf '%s' "$removeStringFromList_result"
}
# Replace the list of trusted CA with toe ones provided by cURL.
# (controlled by IPE_FIX_CACERTS is set)
fixCACerts() {
case "${IPE_FIX_CACERTS:-}" in
1 | y* | Y*) ;;
*)
return
;;
esac
case "$DISTRO_VERSION" in
alpine@3.7 | alpine@3.8) ;;
debian@8 | debian@9)
if ! grep -q 'mozilla/ISRG_Root_X1.crt' /etc/ca-certificates.conf && grep -q 'mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf; then
fixCACerts_mustUpdate=1
if test -d /var/lib/apt/lists; then
for fixCACerts_item in $(ls -1 /var/lib/apt/lists); do
case "$fixCACerts_item" in
partial | lock) ;;
*)
fixCACerts_mustUpdate=0
break
;;
esac
done
fi
if test $fixCACerts_mustUpdate -eq 1; then
DEBIAN_FRONTEND=noninteractive apt-get update -q
fi
apt-get install -qqy --no-install-recommends ca-certificates
fi
;;
*)
# No needs to update the CA list
return
;;
esac
if grep -Eq '^mozilla/ISRG_Root_X1\.crt$' /etc/ca-certificates.conf && grep -Eq '^mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf; then
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
update-ca-certificates -f
fi
}
# Cleanup everything at the end of the execution
cleanup() {
if test -n "$UNNEEDED_PACKAGE_LINKS"; then
@ -3068,6 +3110,8 @@ if test -z "$PHP_MODULES_TO_INSTALL"; then
exit 0
fi
fixCACerts
sortModulesToInstall
docker-php-source extract

View File

@ -317,7 +317,7 @@ testExtensionFor() {
printf ' - Docker image: %s\n' "$testExtensionFor_Image"
testExtensionFor_out="$(mktemp)"
testExtensionFor_start=$(date +%s)
if $(docker run --rm --volume "$CI_BUILD_DIR:/app" --env CI=true --workdir /app "$testExtensionFor_Image" sh -c "./install-php-extensions $1 && php ./scripts/check-installed-extension.php $1" >"$testExtensionFor_out" 2>&1); then
if $(docker run --rm --volume "$CI_BUILD_DIR:/app" --env CI=true --env IPE_FIX_CACERTS=1 --workdir /app "$testExtensionFor_Image" sh -c "./install-php-extensions $1 && php ./scripts/check-installed-extension.php $1" >"$testExtensionFor_out" 2>&1); then
testExtensionFor_end=$(date +%s)
testExtensionFor_delta=$(expr $testExtensionFor_end - $testExtensionFor_start)
rm -rf "$testExtensionFor_out"