Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: enhance CA certificate handling in entrypoint script (#40933)

Browse Source 
Updated the entrypoint script to improve the detection and processing of
custom CA certificates. The script now correctly identifies both regular
files and symbolic links with a '.crt' extension, ensuring that all
relevant certificates are included in the keystore. This change enhances
the robustness of the CA certificate setup process.

## Description
> [!TIP]  
> _Add a TL;DR when the description is longer than 500 words or
extremely technical (helps the content, marketing, and DevRel team)._
>
> _Please also include relevant motivation and context. List any
dependencies that are required for this change. Add links to Notion,
Figma or any other documents that might be relevant to the PR._


Fixes #`Issue Number`  
_or_  
Fixes `Issue URL`
> [!WARNING]  
> _If no issue exists, please create an issue first, and check with the
maintainers if the issue is valid._

## Automation

/ok-to-test tags=""

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!WARNING]
> Tests have not run on the HEAD
534af3a44c572e8ec63cb6de9dc3d60e88f17f53 yet
> <hr>Wed, 02 Jul 2025 09:06:55 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **Bug Fixes**
- Improved detection and import of custom CA certificates by including
support for symbolic links, ensuring all relevant `.crt` files are
recognized and imported.
- Enhanced handling of certificate bundles by splitting and importing
individual certificates for better compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Goutham Pratapa 2025-07-03 14:44:21 +05:30 committed by GitHub
parent 3421f8bfd1
commit ea7bfd09d7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
deploy/docker/fs/opt/appsmith/entrypoint.sh
View File

@ -359,14 +359,17 @@ setup-custom-ca-certificates() (
local stacks_ca_certs_path="$stacks_path/ca-certs" local stacks_ca_certs_path="$stacks_path/ca-certs"
local store="$TMP/cacerts" local store="$TMP/cacerts"
local opts_file="$TMP/java-cacerts-opts" local opts_file="$TMP/java-cacerts-opts"
local temp_cert_dir="$TMP/ca-certs-temp"
rm -f "$store" "$opts_file" rm -f "$store" "$opts_file"
rm -rf "$temp_cert_dir"
mkdir -p "$temp_cert_dir"
if [[ -n "$(ls "$stacks_ca_certs_path"/*.pem 2>/dev/null)" ]]; then if [[ -n "$(ls "$stacks_ca_certs_path"/*.pem 2>/dev/null)" ]]; then
tlog "Looks like you have some '.pem' files in your 'ca-certs' folder. Please rename them to '.crt' to be picked up automatically.". tlog "Looks like you have some '.pem' files in your 'ca-certs' folder. Please rename them to '.crt' to be picked up automatically.".
fi fi
if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' | wc -l)" -gt 0 ]]; then if ! [[ -d "$stacks_ca_certs_path" && "$(find "$stacks_ca_certs_path" -maxdepth 1 \( -type f -name '*.crt' -o -type l -name '*.crt' \) | wc -l)" -gt 0 ]]; then
tlog "No custom CA certificates found." tlog "No custom CA certificates found."
return return
fi fi
@ -378,15 +381,31 @@ setup-custom-ca-certificates() (
-srcstorepass changeit \ -srcstorepass changeit \
-deststorepass changeit -deststorepass changeit
# Add the custom CA certificates to the store. # Split every .crt file (bundle or single) into individual certs
find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -name '*.crt' \ cert_index=0
-print \ while read -r cert_file; do
-exec keytool -import -alias '{}' -noprompt -keystore "$store" -file '{}' -storepass changeit ';' awk -v prefix="$temp_cert_dir/cert" -v ext=".crt" -v idx="$cert_index" '
BEGIN {n=0}
/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
print > (prefix idx "_" n ext)
if (/-----END CERTIFICATE-----/) n++
}
' "$cert_file"
cert_index=$((cert_index + 1))
done < <(find -L "$stacks_ca_certs_path" -maxdepth 1 -type f -o -type l -name '*.crt')
# Import all certificates from the temp directory
find "$temp_cert_dir" -type f -name '*.crt' | while read -r cert_file; do
keytool -import -alias "$(basename "$cert_file")" -noprompt -keystore "$store" -file "$cert_file" -storepass changeit
done
{ {
echo "-Djavax.net.ssl.trustStore=$store" echo "-Djavax.net.ssl.trustStore=$store"
echo "-Djavax.net.ssl.trustStorePassword=changeit" echo "-Djavax.net.ssl.trustStorePassword=changeit"
} > "$opts_file" } > "$opts_file"
# Cleanup
rm -rf "$temp_cert_dir"
) )
configure_supervisord() { configure_supervisord() {