Merge pull request #8559 from readthedocs/humitos/update-ca-certificates

Build: update ca-certificates before cloning

Author: humitos

readthedocs/projects/models.py

@@ -1642,6 +1642,7 @@ def add_features(sender, **kwargs):
     ALL_VERSIONS_IN_HTML_CONTEXT = 'all_versions_in_html_context'
     CACHED_ENVIRONMENT = 'cached_environment'
     LIMIT_CONCURRENT_BUILDS = 'limit_concurrent_builds'
+    UPDATE_CA_CERTIFICATES = 'update_ca_certificates'
 
     # Versions sync related features
     SKIP_SYNC_TAGS = 'skip_sync_tags'
@@ -1725,6 +1726,10 @@ def add_features(sender, **kwargs):
             LIMIT_CONCURRENT_BUILDS,
             _('Limit the amount of concurrent builds'),
         ),
+        (
+            UPDATE_CA_CERTIFICATES,
+            _('Update ca-certificates Ubuntu package before VCS clone'),
+        ),
 
         # Versions sync related features
         (

readthedocs/projects/tasks.py

@@ -901,6 +901,24 @@ def setup_vcs(self, environment):
         """
         environment.update_build(state=BUILD_STATE_CLONING)
 
+        # Install a newer version of ca-certificates packages because it's
+        # required for Let's Encrypt certificates
+        # https://github.com/readthedocs/readthedocs.org/issues/8555
+        # https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
+        # TODO: remove this when a newer version of ``ca-certificates`` gets
+        # pre-installed in the Docker images
+        if self.project.has_feature(Feature.UPDATE_CA_CERTIFICATES):
+            self.setup_env.run(
+                'apt-get', 'update', '--assume-yes', '--quiet',
+                user=settings.RTD_DOCKER_SUPER_USER,
+                record=False,
+            )
+            self.setup_env.run(
+                'apt-get', 'install', '--assume-yes', '--quiet', 'ca-certificates',
+                user=settings.RTD_DOCKER_SUPER_USER,
+                record=False,
+            )
+
         log.info(
             LOG_TEMPLATE,
             {