kindred/create
1
1
Fork 0
Code Issues 53 Pull Requests Actions Packages Projects 9 Releases 2 Wiki Activity

Fix SSL: use system CA certificates in wrapper scripts

Browse Source 
The bundled Python's openssl has a hardcoded cafile path from the build
environment (/var/lib/gitea-runner/.cache/...) which does not exist on
the target system. This causes SSL certificate verification to fail for
internal services like silo.kindred.internal that use the FreeIPA CA.

Set SSL_CERT_FILE to the system CA bundle (/etc/ssl/certs/ca-certificates.crt
on Debian/Ubuntu or /etc/pki/tls/certs/ca-bundle.crt on RHEL) in both
the kindred-create and kindred-create-cmd wrapper scripts. This allows
the bundled Python to verify certificates signed by any CA in the
system trust store, including the FreeIPA CA.
This commit is contained in:
forbes
2026-01-29 22:24:39 -06:00
parent dbac82e731
commit 6facd8227b
1 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
package/debian/build-deb.sh
View File

@@ -105,12 +105,17 @@ export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/
export XDG_DATA_DIRS="${KINDRED_CREATE_HOME}/share:${XDG_DATA_DIRS:-/usr/share}"
export GI_TYPELIB_PATH="${KINDRED_CREATE_HOME}/lib/girepository-1.0:${GI_TYPELIB_PATH:-}"
# XKB keyboard configuration - use bundled data to avoid hardcoded CI paths in libxkbcommon
export XKB_CONFIG_ROOT="${KINDRED_CREATE_HOME}/share/X11/xkb"
# Fontconfig - use bundled configuration
export FONTCONFIG_FILE="${KINDRED_CREATE_HOME}/etc/fonts/fonts.conf"
export FONTCONFIG_PATH="${KINDRED_CREATE_HOME}/etc/fonts"
# Use system CA certificates so bundled Python trusts internal CAs (e.g. FreeIPA)
# The bundled openssl has a hardcoded cafile from the build environment which
# does not exist on the target system.
if [ -z "${SSL_CERT_FILE:-}" ]; then
for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
if [ -f "$ca" ]; then
export SSL_CERT_FILE="$ca"
break
fi
done
fi
# Try different binary names (FreeCAD or freecad depending on build)
if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCAD" ]; then
@@ -131,6 +136,16 @@ export LD_LIBRARY_PATH="${KINDRED_CREATE_HOME}/lib:${LD_LIBRARY_PATH:-}"
export PYTHONHOME="${KINDRED_CREATE_HOME}"
export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/lib/python3.11/site-packages:${PYTHONPATH:-}"
# Use system CA certificates (see kindred-create wrapper for details)
if [ -z "${SSL_CERT_FILE:-}" ]; then
for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
if [ -f "$ca" ]; then
export SSL_CERT_FILE="$ca"
break
fi
done
fi
# Try different binary names (FreeCADCmd or freecadcmd depending on build)
if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" ]; then
exec "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" "$@"