fix: enhance CA certificate handling in entrypoint script (#40933)

Updated the entrypoint script to improve the detection and processing of custom CA certificates. The script now correctly identifies both regular files and symbolic links with a '.crt' extension, ensuring that all relevant certificates are included in the keystore. This change enhances the robustness of the CA certificate setup process. ## Description > [!TIP] > _Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team)._ > > _Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR._ Fixes #`Issue Number` _or_ Fixes `Issue URL` > [!WARNING] > _If no issue exists, please create an issue first, and check with the maintainers if the issue is valid._ ## Automation /ok-to-test tags="" ### 🔍 Cypress test results  > [!WARNING] > Tests have not run on the HEAD 534af3a44c572e8ec63cb6de9dc3d60e88f17f53 yet > <hr>Wed, 02 Jul 2025 09:06:55 UTC  ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [ ] No  ## Summary by CodeRabbit - **Bug Fixes** - Improved detection and import of custom CA certificates by including support for symbolic links, ensuring all relevant `.crt` files are recognized and imported. - Enhanced handling of certificate bundles by splitting and importing individual certificates for better compatibility.
2025-07-03 14:44:21 +05:30 · 2025-07-03 14:44:21 +05:30 · ea7bfd09d7
commit ea7bfd09d7
parent 3421f8bfd1
1 changed files with 24 additions and 5 deletions
--- a/deploy/docker/fs/opt/appsmith/entrypoint.sh
+++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh
@ -359,14 +359,17 @@ setup-custom-ca-certificates() (
  local stacks_ca_certs_path="$stacks_path/ca-certs"
  local store="$TMP/cacerts"
  local opts_file="$TMP/java-cacerts-opts"
+  local temp_cert_dir="$TMP/ca-certs-temp"

  rm -f "$store" "$opts_file"
+  rm -rf "$temp_cert_dir"
+  mkdir -p "$temp_cert_dir"

  if [[ -n "$(ls "$stacks_ca_certs_path"/*.pem 2>/dev/null)" ]]; then
    tlog "Looks like you have some '.pem' files in your 'ca-certs' folder. Please rename them to '.crt' to be picked up automatically.".
  fi

-  if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' | wc -l)" -gt 0 ]]; then
+  if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 \( -type f -name '*.crt' -o -type l -name '*.crt' \) | wc -l)" -gt 0 ]]; then
    tlog "No custom CA certificates found."
    return
  fi
@ -378,15 +381,31 @@ setup-custom-ca-certificates() (
    -srcstorepass changeit \
    -deststorepass changeit

-  # Add the custom CA certificates to the store.
-  find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' \
-    -print \
-    -exec keytool -import -alias '{}' -noprompt -keystore "$store" -file '{}' -storepass changeit ';'
+  # Split every .crt file (bundle or single) into individual certs
+  cert_index=0
+  while read -r cert_file; do
+    awk -v prefix="$temp_cert_dir/cert" -v ext=".crt" -v idx="$cert_index" '
+      BEGIN {n=0}
+      /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
+        print > (prefix idx "_" n ext)
+        if (/-----END CERTIFICATE-----/) n++
+      }
+    ' "$cert_file"
+    cert_index=$((cert_index + 1))
+  done < <(find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -o -type l -name '*.crt')
+
+  # Import all certificates from the temp directory
+  find "$temp_cert_dir" -type f -name '*.crt' | while read -r cert_file; do
+    keytool -import -alias "$(basename "$cert_file")" -noprompt -keystore "$store" -file "$cert_file" -storepass changeit
+  done

  {
    echo "-Djavax.net.ssl.trustStore=$store"
    echo "-Djavax.net.ssl.trustStorePassword=changeit"
  } > "$opts_file"
+
+  # Cleanup
+  rm -rf "$temp_cert_dir"
 )

 configure_supervisord() {