From ea7bfd09d780cf524020a4eb1bd131040348e3cd Mon Sep 17 00:00:00 2001 From: Goutham Pratapa Date: Thu, 3 Jul 2025 14:44:21 +0530 Subject: [PATCH] fix: enhance CA certificate handling in entrypoint script (#40933) Updated the entrypoint script to improve the detection and processing of custom CA certificates. The script now correctly identifies both regular files and symbolic links with a '.crt' extension, ensuring that all relevant certificates are included in the keystore. This change enhances the robustness of the CA certificate setup process. ## Description > [!TIP] > _Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team)._ > > _Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR._ Fixes #`Issue Number` _or_ Fixes `Issue URL` > [!WARNING] > _If no issue exists, please create an issue first, and check with the maintainers if the issue is valid._ ## Automation /ok-to-test tags="" ### :mag: Cypress test results > [!WARNING] > Tests have not run on the HEAD 534af3a44c572e8ec63cb6de9dc3d60e88f17f53 yet >
Wed, 02 Jul 2025 09:06:55 UTC ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [ ] No ## Summary by CodeRabbit - **Bug Fixes** - Improved detection and import of custom CA certificates by including support for symbolic links, ensuring all relevant `.crt` files are recognized and imported. - Enhanced handling of certificate bundles by splitting and importing individual certificates for better compatibility.
---
 deploy/docker/fs/opt/appsmith/entrypoint.sh | 29 +++++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh
index 8b41b8a06d..ed569fd282 100644
--- a/deploy/docker/fs/opt/appsmith/entrypoint.sh
+++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh
@@ -359,14 +359,17 @@ setup-custom-ca-certificates() (
 local stacks_ca_certs_path="$stacks_path/ca-certs"
 local store="$TMP/cacerts"
 local opts_file="$TMP/java-cacerts-opts"
+ local temp_cert_dir="$TMP/ca-certs-temp"
 rm -f "$store" "$opts_file"
+ rm -rf "$temp_cert_dir"
+ mkdir -p "$temp_cert_dir"
 if [[ -n "$(ls "$stacks_ca_certs_path"/*.pem 2>/dev/null)" ]]; then
 tlog "Looks like you have some '.pem' files in your 'ca-certs' folder. Please rename them to '.crt' to be picked up automatically.".
 fi
- if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' | wc -l)" -gt 0 ]]; then
+ if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 \( -type f -name '*.crt' -o -type l -name '*.crt' \) | wc -l)" -gt 0 ]]; then
 tlog "No custom CA certificates found."
 return
 fi
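Review bot: `rm -rf "$temp_cert_dir"` and `mkdir -p "$temp_cert_dir"` run before the "No custom CA certificates found." early `return`, so on that path the temp directory is created and never removed, and the final cleanup in this function is also skipped if keytool fails part-way. Moving the two lines below the `fi` of that check, or creating the directory with `temp_cert_dir=$(mktemp -d)` and registering `trap 'rm -rf -- "$temp_cert_dir"' EXIT` inside the function's subshell, covers both paths. The enclosing setup-custom-ca-certificates body starts before this hunk and continues after it.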
@@ -378,15 +381,31 @@ setup-custom-ca-certificates() (
 -srcstorepass changeit \
 -deststorepass changeit
- # Add the custom CA certificates to the store.
- find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' \ -print \ -exec keytool -import -alias '{}' -noprompt -keystore "$store" -file '{}' -storepass changeit ';'
+ # Split every .crt file (bundle or single) into individual certs
+ cert_index=0
+ while read -r cert_file; do
+ awk -v prefix="$temp_cert_dir/cert" -v ext=".crt" -v idx="$cert_index" '
+ BEGIN {n=0}
+ /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
+ print > (prefix idx "_" n ext)
+ if (/-----END CERTIFICATE-----/) n++
+ }
+ ' "$cert_file"
+ cert_index=$((cert_index + 1))
+ done < <(find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -o -type l -name '*.crt')
+
+ # Import all certificates from the temp directory
+ find "$temp_cert_dir" -type f -name '*.crt' | while read -r cert_file; do
+ keytool -import -alias "$(basename "$cert_file")" -noprompt -keystore "$store" -file "$cert_file" -storepass changeit
+ done
 {
 echo "-Djavax.net.ssl.trustStore=$store"
 echo "-Djavax.net.ssl.trustStorePassword=changeit"
 } > "$opts_file"
+
+ # Cleanup
+ rm -rf "$temp_cert_dir"
 )
 configure_supervisord() {
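Review bot: The `find` feeding the splitting loop, `find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -o -type l -name '*.crt'`, binds `-name '*.crt'` only to the `-type l` branch, so every regular file in ca-certs is scanned and any PEM block inside it (including the `.pem` files the earlier tlog tells users to rename, or anything else dropped in the folder) is imported as a trusted CA; and since `-L` follows symlinks, `-type l` there only matches dangling links, which awk then fails to open. Group the predicates the way the earlier existence check does: `done < <(find -L "$stacks_ca_certs_path" -maxdepth 1 \( -type f -o -type l \) -name '*.crt')`. Two smaller points worth a comment: the awk split silently drops any `.crt` that is DER-encoded, which the removed `keytool -import` on the raw file used to accept, and the keystore aliases are now `cert<idx>_<n>.crt` instead of the source file name, so `keytool -list` output can no longer be traced back to a file (prefixing with the source basename would preserve that). The enclosing function starts before this hunk.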