chore: Update SSL certificate paths in Dockerfile and post-create script to use combined global + custom certs

m-houston · m-houston · commit 29b9b48c7086 · 2025-10-11T11:19:28.000Z
diff --git a/scripts/devcontainer/Dockerfile b/scripts/devcontainer/Dockerfile
@@ -6,20 +6,17 @@ RUN apt-get update && apt-get install -y ca-certificates
 COPY custom-ca-certs/. /usr/local/share/ca-certificates/
 RUN update-ca-certificates
 
-# Concatenate all certs for use in EnvVars
-RUN find /usr/local/share/ca-certificates -type f \( -name '*.pem' -o -name '*.crt' \) -exec cat {} + > "/usr/local/share/ca-certificates/combined-cacerts.pem"
-
-# Set environment variables at the Docker image level so they're available during feature installation
-ENV NODE_EXTRA_CA_CERTS="/usr/local/share/ca-certificates/combined-cacerts.pem"
-ENV SSL_CERT_FILE="/usr/local/share/ca-certificates/combined-cacerts.pem"
-ENV REQUESTS_CA_BUNDLE="/usr/local/share/ca-certificates/combined-cacerts.pem"
-ENV CURL_CA_BUNDLE="/usr/local/share/ca-certificates/combined-cacerts.pem"
-ENV GIT_SSL_CAINFO="/usr/local/share/ca-certificates/combined-cacerts.pem"
+# Use the updated system CA bundle which now includes both system and custom CAs
+ENV NODE_EXTRA_CA_CERTS="/etc/ssl/certs/ca-certificates.crt"
+ENV SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
+ENV REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+ENV CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+ENV GIT_SSL_CAINFO="/etc/ssl/certs/ca-certificates.crt"
 
 # Ensure CA Certs is available for all shells, Node, Python & Ruby
 USER vscode
-RUN echo 'NODE_EXTRA_CA_CERTS="/usr/local/share/ca-certificates/combined-cacerts.pem"' >> ~/.zshrc
-RUN echo 'SSL_CERT_FILE="/usr/local/share/ca-certificates/combined-cacerts.pem"' >> ~/.zshrc
-RUN echo 'REQUESTS_CA_BUNDLE="/usr/local/share/ca-certificates/combined-cacerts.pem"' >> ~/.zshrc
-RUN echo 'CURL_CA_BUNDLE="/usr/local/share/ca-certificates/combined-cacerts.pem"' >> ~/.zshrc
-RUN echo 'GIT_SSL_CAINFO="/usr/local/share/ca-certificates/combined-cacerts.pem"' >> ~/.zshrc
+RUN echo 'NODE_EXTRA_CA_CERTS="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+RUN echo 'SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+RUN echo 'REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+RUN echo 'CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+RUN echo 'GIT_SSL_CAINFO="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
diff --git a/scripts/devcontainer/postcreatecommand.sh b/scripts/devcontainer/postcreatecommand.sh
@@ -5,16 +5,16 @@ echo 'export GPG_TTY=$TTY' | cat - ~/.zshrc > temp && mv temp ~/.zshrc
 echo 'export PATH="$HOME/go/bin:/usr/local/go/bin:$PATH"' >> ~/.zshrc
 echo 'export PATH="$HOME/.asdf/shims:$PATH"' >> ~/.zshrc
 echo 'eval "$(asdf completion zsh)"' >> ~/.zshrc
+echo 'export SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+echo 'export REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
+echo 'export CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"' >> ~/.zshrc
 source ~/.zshrc
 
 # Create pip config for SSL certificates before make config runs
 mkdir -p ~/.config/pip
 cat > ~/.config/pip/pip.conf << EOF
 [global]
-cert = /usr/local/share/ca-certificates/combined-cacerts.pem
-trusted-host = pypi.org
-  files.pythonhosted.org
-  pypi.python.org
+cert = /etc/ssl/certs/ca-certificates.crt
 EOF
 
 make config
