From 9b31a14393f207b5aedbe74eb6e6fd6be00c26d8 Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Fri, 28 Nov 2025 13:02:20 +0100 Subject: [PATCH] standardize ca-config Signed-off-by: Simon L. --- .../nextcloud/config/postgres.config.php | 4 +- Containers/nextcloud/entrypoint.sh | 80 +++++++++++++++---- Containers/notify-push/start.sh | 4 +- 3 files changed, 67 insertions(+), 21 deletions(-) diff --git a/Containers/nextcloud/config/postgres.config.php b/Containers/nextcloud/config/postgres.config.php index acde7b823a3..75030f43339 100644 --- a/Containers/nextcloud/config/postgres.config.php +++ b/Containers/nextcloud/config/postgres.config.php @@ -3,14 +3,14 @@ $CONFIG = array( 'pgsql_ssl' => array( 'mode' => 'verify-ca', - 'rootcert' => '/var/www/html/data/certificates/POSTGRES', + 'rootcert' => '/var/www/html/resources/config/ca-bundle.crt', ), ); } if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) { $CONFIG = array( 'dbdriveroptions' => array( - 'PDO::MYSQL_ATTR_SSL_CA' => '/var/www/html/data/certificates/MYSQL', + 'PDO::MYSQL_ATTR_SSL_CA' => '/var/www/html/resources/config/ca-bundle.crt', ), ); } diff --git a/Containers/nextcloud/entrypoint.sh b/Containers/nextcloud/entrypoint.sh index c0dfd803207..9b5b07fe8de 100644 --- a/Containers/nextcloud/entrypoint.sh +++ b/Containers/nextcloud/entrypoint.sh @@ -20,6 +20,61 @@ run_upgrade_if_needed_due_to_app_update() { fi } +create_global_root_cert() { + # Only run if env is set + if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then + + # Enable debug mode + set -x + + # Default vars + CERTIFICATES_ROOT_DIR="/var/www/html/data/certificates" + CERTIFICATE_BUNDLE="/var/www/html/resources/config/ca-bundle.crt" + + # Retrieve default root cert bundle + if ! [ -f "$SOURCE_LOCATION/resources/config/ca-bundle.crt" ]; then + echo "Root ca-bundle not found. Only concattening configured NEXTCLOUD_TRUSTED_CERTIFICATES files!" + # Recreate cert file + rm -f "$CERTIFICATE_BUNDLE" + touch "$CERTIFICATE_BUNDLE" + else + # Write default bundle to the target ca file + cat "$SOURCE_LOCATION/resources/config/ca-bundle.crt" > "$CERTIFICATES_ROOT_DIR/ca-bundle.crt" + fi + + # Remove old root certs and recreate them with current ones + rm -r "$CERTIFICATES_ROOT_DIR" + mkdir -p "$CERTIFICATES_ROOT_DIR" + + # Iterate through certs + TRUSTED_CERTIFICATES="$(env | grep NEXTCLOUD_TRUSTED_CERTIFICATES_ | grep -oP '^[A-Z_a-z0-9]+')" + mapfile -t TRUSTED_CERTIFICATES <<< "$TRUSTED_CERTIFICATES" + for certificate in "${TRUSTED_CERTIFICATES[@]}"; do + + # Create new line + echo "" >> "$CERTIFICATE_BUNDLE" + + # Check if variable is a simple switch. For example used by postgres and mysql tls connections + if [ "${!certificate}" != "yes" ]; then + # Write out cert to bundle + echo "${!certificate}" >> "$CERTIFICATE_BUNDLE" + fi + + # Create file in cer dir + if ! [ -f "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" ]; then + touch "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" + fi + + done + + # Print out bundle one last time + cat "$CERTIFICATE_BUNDLE" + + # Disable debug mode + set +x + fi +} + # Adjust DATABASE_TYPE to by Nextcloud supported value if [ "$DATABASE_TYPE" = postgres ]; then export DATABASE_TYPE=pgsql @@ -289,6 +344,9 @@ EOF echo "$NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL" > "/var/www/html/data/certificates/MYSQL" fi + # Create global root cert + create_global_root_cert + echo "Installing with $DATABASE_TYPE database" # Set a default value for POSTGRES_PORT if [ -z "$POSTGRES_PORT" ]; then @@ -459,6 +517,9 @@ EOF rm "$NEXTCLOUD_DATA_DIR/update.failed" bash /notify.sh "Nextcloud update to $image_version successful!" "You may inspect the Nextcloud container logs for more information." + # Create global root cert + create_global_root_cert + php /var/www/html/occ app:update --all run_upgrade_if_needed_due_to_app_update @@ -649,23 +710,8 @@ else fi # AIO app end # Do not remove or change this line! -# Allow to add custom certs to Nextcloud's trusted cert store -if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then - set -x - TRUSTED_CERTIFICATES="$(env | grep NEXTCLOUD_TRUSTED_CERTIFICATES_ | grep -oP '^[A-Z_a-z0-9]+')" - mapfile -t TRUSTED_CERTIFICATES <<< "$TRUSTED_CERTIFICATES" - CERTIFICATES_ROOT_DIR="/var/www/html/data/certificates" - mkdir -p "$CERTIFICATES_ROOT_DIR" - for certificate in "${TRUSTED_CERTIFICATES[@]}"; do - # shellcheck disable=SC2001 - CERTIFICATE_NAME="$(echo "$certificate" | sed 's|^NEXTCLOUD_TRUSTED_CERTIFICATES_||')" - if ! [ -f "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" ]; then - echo "${!certificate}" > "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" - php /var/www/html/occ security:certificates:import "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" - fi - done - set +x -fi +# Create global root cert +create_global_root_cert # Notify push if ! [ -d "/var/www/html/custom_apps/notify_push" ]; then diff --git a/Containers/notify-push/start.sh b/Containers/notify-push/start.sh index 9277bdaa6ce..f7d4876c3c3 100644 --- a/Containers/notify-push/start.sh +++ b/Containers/notify-push/start.sh @@ -68,10 +68,10 @@ fi # Postgres root cert if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then - CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/POSTGRES" + CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/resources/config/ca-bundle.crt" # Mysql root cert elif [ -f "/nextcloud/data/certificates/MYSQL" ]; then - CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/data/certificates/MYSQL" + CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/resources/config/ca-bundle.crt" fi # Set sensitive values as env