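#!/bin/sh
# Merge the CA certificates found under "${target_root}/tls/ca/" with the
# system CA bundle into "${volume_root}/ca.pem" and point SSL_CERT_FILE at
# the result.
#
# This file is meant to be sourced: log_always(), target_root, volume_root
# and empty_dir must be provided by the caller, and openssl-cert-auto-pem.sh
# must be on PATH.  Only GNU userland is assumed (stat -c, env -C, sort -V).
#
# Control flow: every `while : ; do ... break ; done` is a one-shot block so
# that a failed precondition can `break` straight to the fallback handling
# at the bottom instead of nesting the whole body in if/else.

unset def_bundle def_bundle_fp
def_bundle='/etc/ssl/certs/ca-certificates.crt'
def_bundle_fp="${def_bundle}.fp"

while : ; do
  if [ -n "${SSL_CERT_FILE:-}" ] ; then
    log_always "NOT merging CA certificates (if any): SSL_CERT_FILE is already set (=${SSL_CERT_FILE})"
    break
  fi

  # Nothing to merge unless the per-target CA directory exists and holds files.
  [ -d "${target_root}/tls/ca" ] || break

  unset w
  w=$(mktemp -d) || break

  # One path per line (a file name containing a newline cannot be represented
  # here).  -follow means symlinked entries are included: whatever they
  # resolve to becomes a trust anchor of the merged bundle.
  find "${target_root}/tls/ca/" -follow -type f | sort -V > "$w/all.list"
  [ -s "$w/all.list" ] || break

  ## entering processing section
  # The marker is removed once merging has completed; if it still exists at
  # cleanup time the failure diagnostics at the bottom are printed.
  touch "$w/processing"

  # Concatenate every input converted to PEM.  IFS= keeps leading/trailing
  # whitespace in file names intact (plain `read -r` would strip it).
  unset orig_ca_file
  while IFS= read -r orig_ca_file ; do
    [ -n "${orig_ca_file}" ] || continue
    openssl-cert-auto-pem.sh "${orig_ca_file}"
  done < "$w/all.list" > "$w/all.pem"
  unset orig_ca_file
  [ -s "$w/all.pem" ] || break

  # Normalise the concatenation into new.pem plus new.fp (fingerprints) and
  # new.off (offsets into new.pem); all three come from the helper and are
  # required to be non-empty.
  openssl-cert-auto-pem.sh "$w/all.pem" "$w/new.pem" "$w/new.fp" "$w/new.off"
  [ -s "$w/new.pem" ] || break
  [ -s "$w/new.fp" ] || break
  [ -s "$w/new.off" ] || break
  rm -f "$w/all.pem"

  ## leaving processing section
  rm -f "$w/processing"

  # Decide whether the default bundle and its fingerprint list both live on
  # the same device as /.  If not, one of them is assumed to be bind-mounted
  # in and the precomputed fingerprint list cannot be trusted to match, so
  # the bundle is re-processed from scratch.  A failing stat breaks out
  # explicitly: comparing two empty strings would otherwise count as a match.
  unset def_bundle_bind_mount
  def_bundle_bind_mount=1
  while : ; do
    unset devno_root devno_bundle devno_bundle_fp
    devno_root=$(env stat -c '%d' / ) || break
    [ -f "${def_bundle}" ] || break
    devno_bundle=$(env stat -L -c '%d' "${def_bundle}") || break
    [ "${devno_root}" = "${devno_bundle}" ] || break
    [ -f "${def_bundle_fp}" ] || break
    devno_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}") || break
    [ "${devno_root}" = "${devno_bundle_fp}" ] || break
    def_bundle_bind_mount=0
    break
  done
  unset devno_root devno_bundle devno_bundle_fp

  if [ "${def_bundle_bind_mount}" = 1 ] ; then
    log_always "detected bind-mount inside ${def_bundle%/*}/"
    log_always "this is merely misuse!"
    if [ -s "${def_bundle}" ] ; then
      openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
    fi
  else
    # Dangling links are tolerated here; the -s checks below catch them.
    ln -s "${def_bundle}" "$w/cacert.pem"
    ln -s "${def_bundle_fp}" "$w/cacert.fp"
  fi

  unset with_def_bundle
  with_def_bundle=0
  while : ; do
    [ -s "$w/cacert.pem" ] || break
    [ -s "$w/cacert.fp" ] || break
    with_def_bundle=1
    break
  done

  # diff.ln: 1-based line numbers (into new.fp / new.off) of fingerprints not
  # already present in the default bundle.  An empty diff means nothing new
  # to add, so bail out and let the fallback below use the default bundle.
  # NOTE(review): without a default bundle diff.ln is left empty, so no
  # certificate at all is written and ca.pem ends up empty; if the intent is
  # to use the merged certificates on their own, the else-branch would need
  # `grep -n '' "$w/new.fp" | cut -d : -f 1 > "$w/diff.ln"` -- confirm.
  if [ "${with_def_bundle}" = 1 ] ; then
    grep -Fxnv -f "$w/cacert.fp" "$w/new.fp" | cut -d : -f 1 > "$w/diff.ln"
    [ -s "$w/diff.ln" ] || break
  else
    : > "$w/diff.ln"
  fi

  : > "${volume_root}/ca.pem"
  if [ "${with_def_bundle}" = 1 ] ; then
    cat < "$w/cacert.pem" > "${volume_root}/ca.pem"
  else
    log_always "NOT using ${def_bundle} - empty or missing"
  fi

  # Append every certificate selected in diff.ln.  Both n and off are spliced
  # into sed addresses: n is guaranteed numeric by grep -n, and is checked
  # anyway so that nothing else can ever reach sed.  off is used verbatim;
  # its syntax (single line vs. range) is defined by openssl-cert-auto-pem.sh
  # -- TODO confirm and validate here as well.
  unset n
  while IFS= read -r n ; do
    [ -n "$n" ] || continue
    case "$n" in
      *[!0-9]*) continue ;;
    esac
    off=$(sed -ne "${n}p" "$w/new.off")
    [ -n "${off}" ] || continue
    sed -ne "${off}p" "$w/new.pem"
  done < "$w/diff.ln" >> "${volume_root}/ca.pem"
  unset n off

  # Export for child processes.  SSL_CERT_DIR is presumably pointed at an
  # empty directory so that only the merged file is consulted -- verify
  # against the caller that defines empty_dir.
  set -a
  SSL_CERT_FILE="${volume_root}/ca.pem"
  ## merely a quirk
  SSL_CERT_DIR="${empty_dir}"
  set +a
  break
done
unset def_bundle_fp def_bundle_bind_mount with_def_bundle

# Fallback: without a merged file, link the default bundle directly (if it
# has content); failing that, provide an empty file so the path exists.
while ! [ -f "${volume_root}/ca.pem" ] ; do
  [ -s "${def_bundle}" ] || break
  ln -s "${def_bundle}" "${volume_root}/ca.pem"
  break
done
unset def_bundle
[ -f "${volume_root}/ca.pem" ] || : > "${volume_root}/ca.pem"

# Cleanup.  A surviving "processing" marker means the merge aborted midway,
# so dump the work directory to stderr before removing it.
if [ -n "${w:-}" ] ; then
  if [ -f "$w/processing" ] ; then
    rm -f "$w/processing"
    log_always "unable to merge CA certificates (see below for details):"
    log_always "directory listing:"
    env -C "$w" ls -lA >&2
    log_always "directory listing (following symlinks):"
    env -C "$w" ls -L -lA >&2
    log_always "consider reading source code and contacting developers"
  fi
  rm -rf "$w"
fi
unset w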