Merge pull request #2825 from MilhouseVH/le90_user_ca

openssl: generate cacert.pem from system and user CA
2025-07-24 11:16:51 +00:00 · 2018-07-15 07:34:50 +04:00 · 2018-07-15 07:34:50 +04:00 · 7efe215c7f
commit 7efe215c7f
parent a3df92074b ab6d864c9d
4 changed files with 35 additions and 5 deletions
--- a/packages/security/openssl/package.mk
+++ b/packages/security/openssl/package.mk
@ -109,13 +109,22 @@ post_makeinstall_target() {

  # cert from https://curl.haxx.se/docs/caextract.html
  mkdir -p $INSTALL/etc/ssl
-    cp $PKG_DIR/cert/cacert.pem $INSTALL/etc/ssl/cert.pem
+    cp $PKG_DIR/cert/cacert.pem $INSTALL/etc/ssl/cacert.pem.system
+
+  # give user the chance to include their own CA
+  mkdir -p $INSTALL/usr/bin
+    cp $PKG_DIR/scripts/openssl-config $INSTALL/usr/bin
+    ln -sf /run/libreelec/cacert.pem $INSTALL/etc/ssl/cacert.pem

  # backwards comatibility
  mkdir -p $INSTALL/etc/pki/tls
-    ln -sf /etc/ssl/cert.pem $INSTALL/etc/pki/tls/cacert.pem
+    ln -sf /run/libreelec/cacert.pem $INSTALL/etc/pki/tls/cacert.pem
  mkdir -p $INSTALL/etc/pki/tls/certs
-    ln -sf /etc/ssl/cert.pem $INSTALL/etc/pki/tls/certs/ca-bundle.crt
+    ln -sf /run/libreelec/cacert.pem $INSTALL/etc/pki/tls/certs/ca-bundle.crt
  mkdir -p $INSTALL/usr/lib/ssl
-    ln -sf /etc/ssl/cert.pem $INSTALL/usr/lib/ssl/cert.pem
+    ln -sf /run/libreelec/cacert.pem $INSTALL/usr/lib/ssl/cert.pem
+}
+
+post_install() {
+  enable_service openssl-config.service
 }
--- a/packages/security/openssl/scripts/openssl-config
+++ b/packages/security/openssl/scripts/openssl-config
@ -0,0 +1,10 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2018-present Team LibreELEC (https://libreelec.tv)
+
+cp /etc/ssl/cacert.pem.system /run/libreelec/cacert.pem
+
+[ -f /storage/.config/cacert.pem ] && cat /storage/.config/cacert.pem >>/run/libreelec/cacert.pem
+
+exit 0
--- a/packages/security/openssl/system.d/openssl-config.service
+++ b/packages/security/openssl/system.d/openssl-config.service
@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSL configuration service
+DefaultDependencies=no
+After=systemd-tmpfiles-setup.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/openssl-config
+
+[Install]
+WantedBy=sysinit.target
--- a/packages/web/curl/package.mk
+++ b/packages/web/curl/package.mk
@ -84,7 +84,7 @@ PKG_CONFIGURE_OPTS_TARGET="ac_cv_lib_rtmp_RTMP_Init=yes \
                           --with-ssl \
                           --without-polarssl \
                           --without-nss \
-                           --with-ca-bundle=/etc/ssl/cert.pem \
+                           --with-ca-bundle=/run/libreelec/cacert.pem \
                           --without-ca-path \
                           --without-libpsl \
                           --without-libmetalink \