update ca-certificates #1906

Closed

chgchi wants to merge 1 commit into firewalla:master from chgchi:my_dev

Conversation

@chgchi (Contributor) commented Jun 8, 2026

No description provided.

@j-sallyjin

This comment has been minimized.

@chgchi (Contributor, Author) commented Jun 8, 2026

Reply to AI comments:

  • tested on Goldv1 box

    pi@firewalla:~ (Jiegoldv1) $ lsb_release
    No LSB modules are available.
    
    pi@firewalla:/tmp (Jiegoldv1) $ dpkg-query -W -f='${Version}' ca-certificates
    20180409
    
    pi@firewalla:/tmp (Jiegoldv1) $ sudo dpkg -i /tmp/ca-certificates_20260601_all.deb
    (Reading database ... 77568 files and directories currently installed.)
    Preparing to unpack .../ca-certificates_20260601_all.deb ...
    Unpacking ca-certificates (20260601) over (20180409) ...
    Setting up ca-certificates (20260601) ...
    Updating certificates in /etc/ssl/certs...
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    63 added, 75 removed; done.
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    Processing triggers for ca-certificates (20260601) ...
    Updating certificates in /etc/ssl/certs...
    0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.
    
    pi@firewalla:/tmp (Jiegoldv1) $ dpkg-query -W -f='${Version}' ca-certificates
    20260601pi@firewalla:/tmp (Jiego curl https://firewalla.com
    
    
  • Goldv1 likely achieved compatibility with .zst format installation packages—which only became widespread in later versions (post-Ubuntu 21.10)—by pre-installing the underlying libzstd1 dynamic library and enabling calls to it during the compilation of dpkg on this Ubuntu 18.04-based device.

    pi@firewalla:/tmp (Jiegoldv1) $ ldd $(which dpkg-deb) | grep zstd
    libzstd.so.1 => /usr/lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fa2a698e000)
    

@j-sallyjin

This comment has been minimized.

@j-sallyjin


PR Review Summary

✅ What looks good

  • Adds an offline ca-certificates package and installs it early in init_network_config, before the HTTPS connectivity checks that were failing.
  • Uses dpkg --compare-versions so boxes with newer CA packages are not downgraded.
  • The linked issue firewalla/firecommit#8143 is covered: old Ubuntu 18 images with stale CA bundles should upgrade to ca-certificates 20260601, restoring HTTPS validation for sites like https://firewalla.com.
  • The script is idempotent and logs successful/failed upgrade attempts.

⚠️ Issues found

  • Low: scripts/update_ca_certificates.sh does not validate that TARGET_VERSION was read successfully. If the bundled .deb is corrupt or unreadable, dpkg-deb -f returns empty output and the script may silently skip the update path or produce a confusing install failure. Add an explicit guard after reading TARGET_VERSION and log a clear error.

💡 Suggestions

  • Quote the script path in bin/common: "${FIREROUTER_HOME}/scripts/update_ca_certificates.sh" || true.
  • Consider documenting that the bundled package uses zstd compression and has been verified on the target Ubuntu 18 Firewalla images, since that compatibility is important for future package refreshes.

Verdict

COMMENT


Repo: firewalla/firerouter
PR: #1906
Head SHA: 51d9326f06e7365c4290445bece65fbea8575495
Checked at: 2026-06-10 14:48:38 CST
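The shape such a script takes once the guard the review asks for is in place, as an added example that is not the PR's scripts/update_ca_certificates.sh: read the bundle's version, fail loudly if it is empty, and install only when the bundle is newer than what dpkg reports. The CA_DEB default, the FIREROUTER_HOME fallback and the sort -V comparison for hosts without dpkg are assumptions.

```shell
#!/bin/sh
# Added example, not firerouter's own script: install a bundled
# ca-certificates .deb only when it is newer than what dpkg has, and
# refuse to continue when the bundle's Version cannot be read.
# CA_DEB default and FIREROUTER_HOME fallback are assumed placeholders.
CA_DEB="${CA_DEB:-${FIREROUTER_HOME:-/home/pi/firerouter}/scripts/ca-certificates_20260601_all.deb}"
log() { echo "update_ca_certificates: $*" >&2; }
# Debian ordering via dpkg; sort -V is an assumed fallback for hosts
# without dpkg and is only adequate for the date-style versions here.
version_lt() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" lt "$2"
  else
    [ "$1" != "$2" ] &&
      [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
  fi
}
# Version field of the .deb; empty output (corrupt or missing file,
# dpkg-deb absent) is an error instead of a silent skip.
read_target_version() {
  v=$(dpkg-deb -f "$1" Version 2>/dev/null) || v=""
  if [ -z "$v" ]; then
    log "cannot read Version from $1 (corrupt or missing package)"
    return 1
  fi
  printf '%s\n' "$v"
}
# Installed version, or empty if ca-certificates is not installed.
installed_version() {
  dpkg-query -W -f='${Version}' ca-certificates 2>/dev/null || true
}
# 0 when INSTALLED is older than TARGET, 1 otherwise (never downgrade).
ca_update_needed() { version_lt "$1" "$2"; }
main() {
  target=$(read_target_version "$CA_DEB") || exit 1
  current=$(installed_version)
  if [ -n "$current" ] && ! ca_update_needed "$current" "$target"; then
    log "ca-certificates $current is already >= $target"; exit 0
  fi
  if sudo dpkg -i "$CA_DEB"; then
    log "upgraded ca-certificates ${current:-<none>} -> $target"
  else
    log "installing $CA_DEB failed"; exit 1
  fi
}
# Run the upgrade only when invoked with "run", so the functions can
# be sourced for testing without touching the system.
if [ "${1:-}" = "run" ]; then main; fi
```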

@chgchi chgchi closed this Jun 10, 2026