Dear Rocky community,
I am creating an initramfs and I need to install a CA cert in it. The reason is I need to download the rootfs from an S3 bucket and the cert under the domain is self-signed.
I can copy the CA file through a module but I don't know how to reproduce the tasks done by the update-ca-trust command.
This is the module I am working on:
#!/bin/bash
# module-setup.sh for cacert

# called by dracut
check() {
    return 0
}

# called by dracut
depends() {
    echo network
    return 0
}

# called by dracut
install() {
    mkdir -p "$initdir/etc/pki/ca-trust/source/anchors"
    cp /root/certificate_authority.crt "$initdir/etc/pki/ca-trust/source/anchors/"
}
Any advice on how to achieve this?
I am also open to other methods to get this working.
Thank you very much.
Sopena Ballesteros Manuel via rocky writes:
I see two possibilities.
Brute force (in a manner of speaking). Take a backup of /etc, then add your cert with update-ca-trust. Diff /etc against the backup and simply add all modified files to your module. Minus those that are obviously not certificate-related. If this is the only certificate being added, there may be other changes, such as link creation, or files replaced by links. If it was only files, the module approach isn't needed and one could use dracut --include as per dracut(8). Might be best to test this in a sacrificial VM.
The other method. update-ca-trust is just a script. Your install() routine above could call a suitably modified copy of same that operates inside $initdir. For that to work, you may need to explicitly export initdir so that it's available in the copy. A modified version of this approach would be to create a modified copy of the script on the fly and then remove it when done.
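The first method from the reply carried through as a script; this is an added example, not code from the thread or from dracut. It assumes a stock EL layout under /etc/pki/ca-trust, and the CA_TRUST_DIR and UPDATE_CMD variables are hooks I introduced so the same logic can be exercised against a scratch tree.

```shell
#!/bin/bash
# Added example, not from the thread: the reply's "diff /etc" method, scripted.
# Snapshot the CA trust tree, run update-ca-trust, and copy every file whose
# content changed into $initdir at the same absolute path.
# CA_TRUST_DIR and UPDATE_CMD are hooks added here so the logic can be tested
# against a scratch tree; the defaults match a stock EL host.
set -eu
CA_TRUST_DIR="${CA_TRUST_DIR:-/etc/pki/ca-trust}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"

# Manifest of "sha256  ./relative/path" for each regular file under $1.
# Checksums rather than mtimes: the extracted bundles are rewritten on every
# run, but only some of them actually change.
snapshot_tree() {  # $1 = tree, $2 = manifest file to write
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$2"
}

# Relative paths that are new, or whose checksum differs, in the "after"
# manifest. Deleted files are ignored and symlinks are not tracked at all
# (use find -type l to spot those; the reply warns about link creation).
changed_files() {  # $1 = before manifest, $2 = after manifest
    grep -vxF -f "$1" "$2" | sed 's/^[0-9a-f]\{64\}  //'
}

# Copy each path read on stdin from $1 into $2$1, creating parent dirs and
# keeping mode and timestamps so the initramfs copy matches the host.
install_changed() {  # $1 = tree, $2 = initdir; stdin = relative paths
    while IFS= read -r rel; do
        mkdir -p "$2$1/$(dirname "$rel")"
        cp -p "$1/$rel" "$2$1/$rel"
    done
}

# The whole procedure; call this from a dracut install() with "$initdir"
# once the anchor has been placed in CA_TRUST_DIR/source/anchors.
build_trust_into_initdir() {  # $1 = initdir
    before=$(mktemp) after=$(mktemp)
    snapshot_tree "$CA_TRUST_DIR" "$before"
    $UPDATE_CMD
    snapshot_tree "$CA_TRUST_DIR" "$after"
    changed_files "$before" "$after" | install_changed "$CA_TRUST_DIR" "$1"
    rm -f "$before" "$after"
}
```

Run it on a host that already carries the anchor in /etc/pki/ca-trust/source/anchors, and read the list of copied paths once by hand: any symlinks created by update-ca-trust are skipped by find -type f and have to be added to the module separately.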