From 162a1453dbb41772a80b5bf36f33c516ca710daf Mon Sep 17 00:00:00 2001
From: Tim 'mithro' Ansell <tansell@google.com>
Date: Fri, 1 Oct 2021 12:38:49 -0700
Subject: [PATCH] Delete expired Let's Encrypt certificate.

The old `/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt` Let's
Encrypt certificate that has expired.

The "best" solution seems to be to delete the certificate. This is fine
because the new non-expired
`/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt`
certificate is still available.

See the post at
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
for more explanation.

Signed-off-by: Tim 'mithro' Ansell <tansell@google.com>
---
 kokoro/steps/hostsetup.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/kokoro/steps/hostsetup.sh b/kokoro/steps/hostsetup.sh
index c9510ab..e48ed51 100755
--- a/kokoro/steps/hostsetup.sh
+++ b/kokoro/steps/hostsetup.sh
@@ -16,6 +16,29 @@ echo "----------------------------------------"
 sudo apt-get remove -y cmake
 echo "----------------------------------------"
 
+echo
+echo "========================================"
+echo "Update the CA certificates"
+echo "----------------------------------------"
+sudo apt-get install -y ca-certificates
+echo "----------------------------------------"
+sudo update-ca-certificates
+echo "----------------------------------------"
+
+echo
+echo "========================================"
+echo "Remove the expire letsencrypt.org cert "
+echo "----------------------------------------"
+wget https://helloworld.letsencrypt.org/ || true
+echo "----------------------------------------"
+sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
+echo "----------------------------------------"
+sudo update-ca-certificates
+echo "----------------------------------------"
+wget https://helloworld.letsencrypt.org/ || true
+echo "----------------------------------------"
+
+
 echo
 echo "========================================"
 echo "Host adding PPAs"