@kadler
Last active February 6, 2020 20:56
Set Up SSL CA Certificates for Various Git Providers on IBM i

README

🚨 This gist is obsolete 🚨

This was a way to easily set up a few certificates for GitHub, BitBucket, etc. for use with git. It's largely irrelevant nowadays with the advent of ca-certificates being available.

Instead, just yum install ca-certificates-mozilla. This installs the Mozilla CA trust store (the same used by Firefox and many other open source projects), as well as the ca-certificates infrastructure. ca-certificates will generate the format needed by OpenSSL (and Java, too!).

git_ssl_setup.sh

```sh
#!/QOpenSys/usr/bin/ksh
set -e
export LC_ALL=C LANG=C

# Locate openssl and pick the certificate directory that matches it.
OPENSSL=$(which openssl 2> /dev/null)
if [ "$OPENSSL" = "" ]
then
    echo "openssl not found"
    exit 1
elif [ "$OPENSSL" = '/QOpenSys/usr/bin/openssl' ]
then
    # IBM-shipped OpenSSL: the cert directory depends on the OS release
    case $(uname -v)$(uname -r) in
        [1-6]*) echo "Sorry, these releases are not supported"; exit 1 ;;
        71) CERTDIR=/QOpenSys/QIBM/ProdData/SC1/OpenSSL/openssl-0.9.8j/certs ;;
        *) CERTDIR=/QOpenSys/QIBM/ProdData/SC1/OpenSSL/certs ;;
    esac
else
    # Open source (yum/pkgs) OpenSSL
    CERTDIR=/QOpenSys/etc/ssl/certs
fi

# c_rehash ships next to openssl and is a perl script
C_REHASH=$(dirname $OPENSSL)/c_rehash
PERL=$(which perl 2> /dev/null)
if [ "$PERL" = "" ]
then
    echo "perl not found"
    exit 1
fi

# Certificate verification is disabled on these downloads because the
# whole point of the script is that no usable trust store exists yet.
if which curl > /dev/null 2>&1
then
    CURL='curl --insecure --silent --location'
elif which wget > /dev/null 2>&1
then
    CURL='wget --no-check-certificate -qO-'
else
    echo "You need to install either curl or wget. Perhaps they're just not in your PATH?"
    exit 1
fi

# Create a directory to hold certificates (unless the caller supplied one)
if [ "$CERTTMP" = "" ]
then
    CERTTMP=/tmp/certs.$$
    rm -r $CERTTMP > /dev/null 2>&1 || :
    mkdir -p $CERTTMP
    CLEANUP=Y
fi

# GitHub and BitBucket use DigiCert certificates
# Downloaded from https://www.digicert.com/digicert-root-certificates.htm
# DigiCert serves these in DER form, so convert each one to PEM
for cert in DigiCertHighAssuranceEVRootCA DigiCertSHA2ExtendedValidationServerCA GeoTrustRSACA2018 DigiCertGlobalRootCA
do
    $CURL https://www.digicert.com/CACerts/$cert.crt | $OPENSSL x509 -inform der -out $CERTTMP/$cert.pem
done

# GitLab uses Comodo certificates
$CURL "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" > $CERTTMP/comodorsadomainvalidationsecureserverca.crt
$CURL "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" > $CERTTMP/comodorsacertificationauthority.crt

# Let's Encrypt certificates
for cert in isrgrootx1 letsencryptauthorityx3
do
    $CURL https://letsencrypt.org/certs/$cert.pem.txt > $CERTTMP/$cert.pem
done

# Build the <subject hash>.N symlinks OpenSSL uses to look up issuers,
# then install everything (following the symlinks) into the cert directory
$PERL $C_REHASH $CERTTMP
/QOpenSys/usr/bin/cp -h $CERTTMP/* $CERTDIR

# Clean up only if we created the temporary directory ourselves
if [ "$CLEANUP" = "Y" ]
then
    rm -r $CERTTMP
fi
```
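The script above relies on c_rehash to turn a directory of PEM files into the hashed layout OpenSSL searches with -CApath, and the ca-certificates-mozilla package mentioned in the README does the same job for the full Mozilla store. The following POSIX sh example, added here and not part of kadler's gist, shows what that hashing does and how to confirm the resulting directory actually validates a certificate. It generates a throwaway self-signed CA (constructed, standing in for a downloaded root) so it runs offline, and it prints the SHA-256 fingerprint because a root fetched with --insecure can only be trusted once that fingerprint has been compared with the value the CA publishes out of band. The WORK directory and the CA name are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not part of the original gist): build an OpenSSL-style
# hashed CA directory the way c_rehash does, then check that a
# certificate validates against it. Uses a constructed throwaway CA so
# it runs offline; paths under $WORK are assumptions for this demo.
set -e

WORK=${WORK:-$(mktemp -d)}
CAPATH="$WORK/certs"
mkdir -p "$CAPATH"

# Constructed self-signed CA standing in for a downloaded root.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    echo "$WORK/ca.pem"
}

# What c_rehash does for one file: link <subject_hash>.<n> -> cert so that
# openssl can find an issuer by hashed name under -CApath. Prints the link name.
rehash_cert() {
    pem=$1; dir=$2
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n+1)); done
    ln -s "$pem" "$dir/$hash.$n"
    echo "$hash.$n"
}

# SHA-256 fingerprint of a certificate, colon-separated hex only. Compare this
# with the value the CA publishes before trusting anything fetched insecurely.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Verify a certificate against the hashed directory: 0 on success, 1 on failure.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage: install the constructed root, show its fingerprint, verify the store works.
CA_PEM=$(make_test_ca)
LINK=$(rehash_cert "$CA_PEM" "$CAPATH")
echo "installed $CAPATH/$LINK  sha256=$(fingerprint "$CA_PEM")"
if verify_against_dir "$CA_PEM" "$CAPATH"; then echo "verify: OK"; else echo "verify: FAILED"; fi
```

Against a real store the same check is `openssl verify -CApath "$CERTDIR" some-server-chain.pem`; a failure there after running the gist usually means the hash links were not created (c_rehash did not run, see the comments below) rather than that the certificates are wrong.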
@kadler
Author

kadler commented Mar 22, 2018

Run it like so:

curl -kL https://gist.githubusercontent.com/kadler/547bb36ddadb9bfec3ff9c16a164a148/raw/c740a1d425b2006f668467baa77d5ecabb274366/git_ssl_setup.sh | ksh

@jwoehr

jwoehr commented Jul 3, 2018

Thanks, works for me.

@aaronbartell

@kadler assisted in another collab tool and I am documenting the results here.

If you receive the following error...

./git_ssl_setup.sh[61]: /QOpenSys/usr/bin/c_rehash: not found

... it means you are encountering a peculiarity of ksh where if the path to the interpreter does not exist, it says the file that it is trying to run is "not found".

You can find the interpreter like so:

$ head -n1 /QOpenSys/usr/bin/c_rehash
#!/QOpenSys/usr/bin/perl

It is likely to be /QOpenSys/usr/bin/perl which doesn't exist. You can create a symlink to it from /QOpenSys/pkgs/bin/perl (or /QOpenSys/QIBM/ProdData/OPS/tools/bin/perl if you prefer) and all should be well.

ln -s /QOpenSys/pkgs/bin/perl /QOpenSys/usr/bin
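The "not found" message described above is ksh reporting a missing interpreter as if the script itself were missing. The following POSIX sh helper, an added example rather than anything from the gist or its comments, reads a script's #! line and reports whether that interpreter actually exists, which is the check to run before chasing the script name in the error; it also handles the "#!/usr/bin/env prog" form. The sample scripts it creates at the end are constructed for the demo, and the missing interpreter path is a made-up one.

```shell
#!/bin/sh
# Added example (not from the gist or its comments): report whether the
# interpreter named in a script's #! line exists. Returns 0 if it does,
# 1 if the file has no #! line or the interpreter is missing.
check_shebang() {
    script=$1
    # Read the first line even if the file has no trailing newline
    IFS= read -r first < "$script" || true
    case $first in
        '#!'*) ;;
        *) echo "$script: no #! line"; return 1 ;;
    esac
    # Drop the "#!" and split the rest into interpreter and optional argument
    set -- ${first#??}
    interp=$1
    if [ "${interp##*/}" = env ] && [ -n "$2" ]; then
        # "#!/usr/bin/env perl": env must exist and perl must be on PATH
        if [ -x "$interp" ] && command -v "$2" >/dev/null 2>&1; then
            echo "$script: $2 found on PATH via $interp"; return 0
        fi
        echo "$script: $2 not on PATH (or $interp missing)"; return 1
    fi
    if [ -x "$interp" ]; then
        echo "$script: interpreter $interp exists"; return 0
    fi
    echo "$script: interpreter $interp MISSING (ksh would report the script as 'not found')"
    return 1
}

# Demo on constructed files; for the gist's case run:
#   check_shebang /QOpenSys/usr/bin/c_rehash
DEMO=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$DEMO/good.sh"
printf '#!/nonexistent/bin/perl\nprint "hi\\n";\n' > "$DEMO/bad.sh"
for f in "$DEMO/good.sh" "$DEMO/bad.sh"; do
    check_shebang "$f" || :
done
```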

@kadler
Author

kadler commented Feb 6, 2020

Nowadays, you probably want to yum install ca-certificates-mozilla instead, which includes all the Mozilla certs (not just the few hand picked here) and sets them up for OpenSSL for you.
