This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository buildscripts. commit 7358c95811ec907670d0145ee9abfcba27a6ca48 Author: Mihai Moldovan <ionic@ionic.de> Date: Sat Nov 27 05:20:34 2021 +0100 bin/slave-start-prepare.sh: fix connecting on older systems by bundling our own CA bundle. --- bin/slave-start-prepare.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh index 6cb94aa..ea3e5c9 100755 --- a/bin/slave-start-prepare.sh +++ b/bin/slave-start-prepare.sh @@ -66,6 +66,10 @@ rm -f -- "slave.jar" # This is okay, since curl still checks for the pubkey hash and aborts the # connection if the server's pubkey hash doesn't match the pinned one, even # when calling it with the --insecure parameter. -curl -R --pinnedpubkey "${ssl_hash}" -JO "https://${host}/jnlpJars/slave.jar" + +# New issue: the CA certificates shipped with on older machines might include +# expired ones. Bundle our own version (directly from upstream curl) and make +# sure to override the system CA path to not pick up the expired ones. +curl -R --pinnedpubkey "${ssl_hash}" --cacert "${HOME}/buildscripts/contrib/cacert-2021-10-26.pem" --capath '/dev/null' -JO "https://${host}/jnlpJars/slave.jar" exec java -jar "slave.jar" -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/buildscripts.git