Merge pull request #43370 from code-dot-org/update-chef-trusted-root-…

…certificates update list of root certificates that Chef client trusts
code-dot-org · Nov 10, 2021 · e0fd769 · e0fd769
2 parents 6598769 + 424c7c2
commit e0fd769
Show file tree

Hide file tree

Showing 3 changed files with 3,241 additions and 0 deletions.
diff --git a/aws/chef-bootstrap.sh b/aws/chef-bootstrap.sh
@@ -72,6 +72,10 @@ else
 fi
 ${CHEF_CLIENT} -v
 
+# Replace root certificates in the installation of OpenSSL embedded in Chef client with a newer list from our repository
+# that we periodically obtain and commit to our repository from https://curl.se/docs/caextract.html
+curl -o /opt/chef/embedded/ssl/certs/cacert.pem https://raw.githubusercontent.com/code-dot-org/code-dot-org/${BRANCH}/cookbooks/cacert.pem
+
 mkdir -p /etc/chef
 CLIENT_RB=/etc/chef/client.rb
 cat <<RUBY > ${CLIENT_RB}