stek29 · January 19, 2025 21:38 · Golaco · Jan 2, 2025 · stek29 · Jan 2, 2025
diff --git a/0webosbrew-letsencrypt-ca.md b/0webosbrew-letsencrypt-ca.md
diff --git a/install.sh b/install.sh
 #!/bin/sh
 set -e

 if [ "$(id -u)" != 0 ]; then
  echo "ERROR: Must run as root"
  exit 1
 fi

 URL="https://gist.githubusercontent.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9/raw/letsencrypt-ca-certs.sh?$(date +%s)"
 INITD="/var/lib/webosbrew/init.d"
 START_DEVMODE="/media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh"

 echo "Installing letsencrypt-ca-certs"
 mkdir -p "$INITD"
 curl -qs "$URL" -o "$INITD/letsencrypt-ca-certs"
 chmod +x "$INITD/letsencrypt-ca-certs"

 # For comparibility with 3 versions of RootMyTV:
 # Starting from RootMyTV2 startup.sh is used and has ran-parts
 # Older versions of RootMyTV have ran-parts in start-devmode
 # Popular russian fork of old RootMyTV doesnt have run-parts at apl
 if [ ! -f "/var/lib/webosbrew/startup.sh" ] && ! grep -qs "run-parts $INITD" "$START_DEVMODE"; then
  echo "Notice: Incompatible/outdated start-devmode.sh detected"
  echo "Notice: run-parts was added to start-devmode for comaptibility"
  echo "Notice: please update your root/start-devmode script"

  cat <<EOF >>"$START_DEVMODE"

 # Added by letsencrypt-ca-certs installer for compat
 # !!! UPDATE YOUR ROOT SCRIPTS PLEASE !!!
 if [[ -d "$INITD" ]]; then
  run-parts "$INITD"
 fi

 EOF
 fi

 "$INITD/letsencrypt-ca-certs" clean
 "$INITD/letsencrypt-ca-certs"
diff --git a/letsencrypt-ca-certs.sh b/letsencrypt-ca-certs.sh
 #!/bin/sh
 # source: https://gist.github.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9
 set -e

 PERSIST="/media/letsencrypt-ca-certs"
 REPLACE_CERT="mozilla/DST_Root_CA_X3.crt"

 CERTS="/usr/share/ca-certificates"
 ETCCERTS="/etc/ssl/certs"

 if [ "$1" = "clean" ]; then
  if grep -qs " $ETCCERTS " /proc/mounts; then
    umount "$ETCCERTS"
  fi
  if grep -qs " $CERTS/$REPLACE_CERT " /proc/mounts; then
    umount "$CERTS/$REPLACE_CERT"
  fi
  if [ -d "$PERSIST" ]; then
    rm -r "$PERSIST"
  fi
  exit 0
 fi

 if [ ! -d "$PERSIST" ]; then
  mkdir -p "$PERSIST"
 fi

 if [ ! -f "$PERSIST/ISRG_Root_X1.crt" ]; then
  # from https://letsencrypt.org/certs/isrgrootx1.pem
  cat <<EOF >"$PERSIST/ISRG_Root_X1.crt"
 -----BEGIN CERTIFICATE-----
 MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
 WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
 ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
 MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
 h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
 A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
 T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
 B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
 B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
 KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
 OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
 jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
 qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
 rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
 HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
 hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
 ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
 NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
 ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
 TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
 jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
 oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
 mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
 EOF
 fi

 if ! grep -qs " $CERTS/$REPLACE_CERT " /proc/mounts; then
  echo "Replacing $REPLACE_CERT with ISRG_Root_X1"
  mount --bind "$PERSIST/ISRG_Root_X1.crt" "$CERTS/$REPLACE_CERT"
 fi

 skip_etc_certs=0
 if [ -f "$PERSTST/skip_etc_certs" ]; then
  echo "skip_etc_certs present, skipping $ETCCERTS remount"
  skip_etc_certs=1
 else
  if [ ! -f "$PERSIST/certs/ca-certificates.crt" ]; then
    echo "generating new ca certs"
    mkdir -p "$PERSIST/certs"

    if ! update-ca-certificates --verbose --fresh --etccertsdir "$PERSIST/certs" \
      || [ ! -f "$PERSIST/certs/ca-certificates.crt" ]; then
      echo "update-ca-certificates failed, enabling skip_etc_certs"
      skip_etc_certs=1
      touch "$PERSIST/skip_etc_certs"
      rm -r "$PERSIST/certs" || :
    fi
  fi
 fi

 if [ "$skip_etc_certs" = "0" ]; then
  if ! grep -qs " $ETCCERTS " /proc/mounts; then
    echo "Remounting $ETCCERTS"
    mount --bind "$PERSIST/certs" "$ETCCERTS"
  fi
 fi
	#!/bin/sh
	set -e

	if [ "$(id -u)" != 0 ]; then
	echo "ERROR: Must run as root"
	exit 1
	fi

	URL="https://gist.githubusercontent.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9/raw/letsencrypt-ca-certs.sh?$(date +%s)"
	INITD="/var/lib/webosbrew/init.d"
	START_DEVMODE="/media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh"

	echo "Installing letsencrypt-ca-certs"
	mkdir -p "$INITD"
	curl -qs "$URL" -o "$INITD/letsencrypt-ca-certs"
	chmod +x "$INITD/letsencrypt-ca-certs"

	# For comparibility with 3 versions of RootMyTV:
	# Starting from RootMyTV2 startup.sh is used and has ran-parts
	# Older versions of RootMyTV have ran-parts in start-devmode
	# Popular russian fork of old RootMyTV doesnt have run-parts at apl
	if [ ! -f "/var/lib/webosbrew/startup.sh" ] && ! grep -qs "run-parts $INITD" "$START_DEVMODE"; then
	echo "Notice: Incompatible/outdated start-devmode.sh detected"
	echo "Notice: run-parts was added to start-devmode for comaptibility"
	echo "Notice: please update your root/start-devmode script"

	cat <<EOF >>"$START_DEVMODE"

	# Added by letsencrypt-ca-certs installer for compat
	# !!! UPDATE YOUR ROOT SCRIPTS PLEASE !!!
	if [[ -d "$INITD" ]]; then
	run-parts "$INITD"
	fi

	EOF
	fi

	"$INITD/letsencrypt-ca-certs" clean
	"$INITD/letsencrypt-ca-certs"
	#!/bin/sh
	# source: https://gist.github.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9
	set -e

	PERSIST="/media/letsencrypt-ca-certs"
	REPLACE_CERT="mozilla/DST_Root_CA_X3.crt"

	CERTS="/usr/share/ca-certificates"
	ETCCERTS="/etc/ssl/certs"

	if [ "$1" = "clean" ]; then
	if grep -qs " $ETCCERTS " /proc/mounts; then
	umount "$ETCCERTS"
	fi
	if grep -qs " $CERTS/$REPLACE_CERT " /proc/mounts; then
	umount "$CERTS/$REPLACE_CERT"
	fi
	if [ -d "$PERSIST" ]; then
	rm -r "$PERSIST"
	fi
	exit 0
	fi

	if [ ! -d "$PERSIST" ]; then
	mkdir -p "$PERSIST"
	fi

	if [ ! -f "$PERSIST/ISRG_Root_X1.crt" ]; then
	# from https://letsencrypt.org/certs/isrgrootx1.pem
	cat <<EOF >"$PERSIST/ISRG_Root_X1.crt"
	-----BEGIN CERTIFICATE-----
	MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
	TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
	cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
	WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
	ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
	MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
	h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
	0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
	A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
	T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
	B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
	B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
	KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
	OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
	jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
	qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
	rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
	HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
	hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
	ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
	3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
	NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
	ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
	TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
	jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
	oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
	4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
	mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
	emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
	-----END CERTIFICATE-----
	EOF
	fi

	if ! grep -qs " $CERTS/$REPLACE_CERT " /proc/mounts; then
	echo "Replacing $REPLACE_CERT with ISRG_Root_X1"
	mount --bind "$PERSIST/ISRG_Root_X1.crt" "$CERTS/$REPLACE_CERT"
	fi

	skip_etc_certs=0
	if [ -f "$PERSTST/skip_etc_certs" ]; then
	echo "skip_etc_certs present, skipping $ETCCERTS remount"
	skip_etc_certs=1
	else
	if [ ! -f "$PERSIST/certs/ca-certificates.crt" ]; then
	echo "generating new ca certs"
	mkdir -p "$PERSIST/certs"

	if ! update-ca-certificates --verbose --fresh --etccertsdir "$PERSIST/certs" \
	\|\| [ ! -f "$PERSIST/certs/ca-certificates.crt" ]; then
	echo "update-ca-certificates failed, enabling skip_etc_certs"
	skip_etc_certs=1
	touch "$PERSIST/skip_etc_certs"
	rm -r "$PERSIST/certs" \|\| :
	fi
	fi
	fi

	if [ "$skip_etc_certs" = "0" ]; then
	if ! grep -qs " $ETCCERTS " /proc/mounts; then
	echo "Remounting $ETCCERTS"
	mount --bind "$PERSIST/certs" "$ETCCERTS"
	fi
	fi