Question

1

How to noninteractively add Certificate Authority (CA) ssl certificates from script

rated 0 times [ 1] [ 0] / answers: 1 / hits: 2021 / 2 Years ago, tue, november 15, 2022, 4:06:19

I have an ansible play that calls a script. The script copies .crt files for my private key infrastructure in to /usr/share/ca-certificates/my.domain.tld

Then the script calls:

sudo update-ca-certificates

sudo dpkg-reconfigure ca-certificates

The dpkg-reconfigure call causes a curses interface to appear asking me to specifically select and enable the certs I want to enable. I need to find a way for this to run non-interactively. There must be solutions, but I've searched for a while and found nothing that works so far.

Help would be fantastic/wonderful/awesome, please!

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

aclavadoug

Add To Favorites

Follow

Total Points: 317

Total Questions: 103

Total Answers: 125

Location: Bangladesh

Member since Wed, Mar 24, 2021

3 Years ago

aclavadoug questions

1 Creating a customized Ubuntu Live USB with read-only filesystem squashfs greater than 4GB

Tue, Jun 29, 21, 15:48, 3 Years ago

1 How can I hide the home folder icon from Ubuntu 22.04 desktop

Thu, Jul 22, 21, 20:33, 3 Years ago

1 Intel Wireless Adapter suddenly not working - Ubuntu 20.04.3

Fri, Jun 10, 22, 02:49, 2 Years ago

1 I'm switching from an Intel platform to an AMD platform. Do I need to reinstall Ubuntu?

Thu, Aug 11, 22, 11:22, 2 Years ago

1 How to identify AMD graphic card model on Ubuntu 20.04

Tue, Sep 20, 22, 05:41, 2 Years ago

View All

answered 2 Years ago cugure · Accepted Answer

I found lots of cool stuff around altering the debconf database to have the questions in the UI preseeded, but it didn't actually change anything for me.

Ultimately, what got it working for me was to figure out what dpkg-reconfigure is likely doing and then just do it myself (via script). It wasn't actually that much.

Copy your .crt certs to /usr/share/ca-certificates/your.domain.tld

Symlink these certs you added to /usr/share/ca-certificates/your.domain.tld in to /etc/ssl/certificates/

Make sure /etc/ca-certificates.conf contain a line for your certs like:
```
your.domain.tld/issuing_ca.crt

your.domain.tld/root_ca.crt
```
Notice that those lines do NOT start with !, that would deselect these certs. For this step, I used:
- sed -i ... to make sure these lines had no leading !
- bash conditional to check if these lines even existed, e.g.:
```
if [ ! grep -q "your.domain.tld/issuing_ca.crt" /etc/ca-certificates.conf ] ; then
```
- if the lines didn't exist, I added them with:
```
cat [filename] >> /etc/ca-certificates.conf
```

Run sudo update-ca-certificates.

(This combines all the certs in /etc/ssl/certs to make a single ca-certificates.crt that applications use.)