From 6facd8227b93bd1c18595ff342c586f0de296e32 Mon Sep 17 00:00:00 2001 From: forbes Date: Thu, 29 Jan 2026 22:24:39 -0600 Subject: [PATCH] Fix SSL: use system CA certificates in wrapper scripts The bundled Python's openssl has a hardcoded cafile path from the build environment (/var/lib/gitea-runner/.cache/...) which does not exist on the target system. This causes SSL certificate verification to fail for internal services like silo.kindred.internal that use the FreeIPA CA. Set SSL_CERT_FILE to the system CA bundle (/etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu or /etc/pki/tls/certs/ca-bundle.crt on RHEL) in both the kindred-create and kindred-create-cmd wrapper scripts. This allows the bundled Python to verify certificates signed by any CA in the system trust store, including the FreeIPA CA. --- package/debian/build-deb.sh | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/package/debian/build-deb.sh b/package/debian/build-deb.sh index 5c8e8d304f..01f40c2bf4 100755 --- a/package/debian/build-deb.sh +++ b/package/debian/build-deb.sh @@ -105,12 +105,17 @@ export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/ export XDG_DATA_DIRS="${KINDRED_CREATE_HOME}/share:${XDG_DATA_DIRS:-/usr/share}" export GI_TYPELIB_PATH="${KINDRED_CREATE_HOME}/lib/girepository-1.0:${GI_TYPELIB_PATH:-}" -# XKB keyboard configuration - use bundled data to avoid hardcoded CI paths in libxkbcommon -export XKB_CONFIG_ROOT="${KINDRED_CREATE_HOME}/share/X11/xkb" - -# Fontconfig - use bundled configuration -export FONTCONFIG_FILE="${KINDRED_CREATE_HOME}/etc/fonts/fonts.conf" -export FONTCONFIG_PATH="${KINDRED_CREATE_HOME}/etc/fonts" +# Use system CA certificates so bundled Python trusts internal CAs (e.g. FreeIPA) +# The bundled openssl has a hardcoded cafile from the build environment which +# does not exist on the target system. +if [ -z "${SSL_CERT_FILE:-}" ]; then + for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do + if [ -f "$ca" ]; then + export SSL_CERT_FILE="$ca" + break + fi + done +fi # Try different binary names (FreeCAD or freecad depending on build) if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCAD" ]; then @@ -131,6 +136,16 @@ export LD_LIBRARY_PATH="${KINDRED_CREATE_HOME}/lib:${LD_LIBRARY_PATH:-}" export PYTHONHOME="${KINDRED_CREATE_HOME}" export PYTHONPATH="${KINDRED_CREATE_HOME}/lib/python3.11:${KINDRED_CREATE_HOME}/lib/python3.11/site-packages:${PYTHONPATH:-}" +# Use system CA certificates (see kindred-create wrapper for details) +if [ -z "${SSL_CERT_FILE:-}" ]; then + for ca in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do + if [ -f "$ca" ]; then + export SSL_CERT_FILE="$ca" + break + fi + done +fi + # Try different binary names (FreeCADCmd or freecadcmd depending on build) if [ -x "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" ]; then exec "${KINDRED_CREATE_HOME}/bin/FreeCADCmd" "$@"