blob: e99f562f729ed1bcc71033769eae90e02ca8c833 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
# Install Let's Encrypt intermediate certificates (E8/ECDSA, R11/RSA).
#
# Only active when 'virtualization' is in DISTRO_FEATURES.
#
# Some container registries (e.g., registry.yocto.io) don't send the
# full certificate chain. Go's TLS library (used by Docker, skopeo,
# podman) cannot verify the server certificate without the intermediate,
# even though the root CAs (ISRG Root X1/X2) are present.
#
# These intermediates are fetched at build time and installed alongside
# the standard CA certificates. update-ca-certificates (run in
# pkg_postinst) incorporates them into the system CA bundle.
#
# Source: https://letsencrypt.org/certificates/
SRC_URI += "https://letsencrypt.org/certs/2024/e8.pem;name=le-e8;unpack=0 \
https://letsencrypt.org/certs/2024/r11.pem;name=le-r11;unpack=0"
SRC_URI[le-e8.sha256sum] = "f2c0dde62e2c90e6332fa55af79ed1a0c41329ad03ecf812bd89817a2fc340a9"
SRC_URI[le-r11.sha256sum] = "6c06a45850f93aa6e31f9388f956379d8b4fb7ffca5211b9bab4ad159bdfb7b9"
do_install:append () {
for pem in ${UNPACKDIR}/e8.pem ${UNPACKDIR}/r11.pem; do
if [ -f "$pem" ]; then
install -d ${D}${datadir}/ca-certificates/letsencrypt
# ca-certificates expects .crt extension
base=$(basename "$pem" .pem)
install -m 0644 "$pem" ${D}${datadir}/ca-certificates/letsencrypt/lets-encrypt-${base}.crt
fi
done
# Add to ca-certificates.conf so update-ca-certificates includes them
for crt in ${D}${datadir}/ca-certificates/letsencrypt/*.crt; do
[ -f "$crt" ] || continue
echo "letsencrypt/$(basename $crt)" >> ${D}${sysconfdir}/ca-certificates.conf
done
}
|
