From 1bdb82a25b01ba14302d8aeb4a75513d1c22c701 Mon Sep 17 00:00:00 2001
From: Stewart X Addison
Date: Thu, 7 Oct 2021 16:45:15 +0100
Subject: [PATCH] Update OpenSSL to 1.0.2k and ca-certificates to latest CentOS7 version
Signed-off-by: Stewart X Addison
---
 .../AdoptOpenJDK_Unix_Playbook/main.yml | 2 +
 .../roles/CentOS6-Cent7SSL/tasks/main.yml | 115 ++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/CentOS6-Cent7SSL/tasks/main.yml
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
index 97a2804d10..8471049e4b 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
@@ -24,6 +24,8 @@
 tags: [vendor_files, adoptopenjdk, jenkins_user, nagios_plugins, superuser]
 - Version
 - adopt_etc
+ - role: CentOS6-Cent7SSL
+ when: ((ansible_distribution == "RedHat" or ansible_distribution == "CentOS") and ansible_distribution_major_version == "6" and ansible_architecture == "x86_64")
 - Common
 - Python2.7 # CentOS6
 - Providers # AdoptOpenJDK Infrastructure
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/CentOS6-Cent7SSL/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/CentOS6-Cent7SSL/tasks/main.yml
new file mode 100644
index 0000000000..7a4eafbc75
--- /dev/null
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/CentOS6-Cent7SSL/tasks/main.yml
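Review bot: The `when:` on the new `CentOS6-Cent7SSL` role entry packs three conditions into one long parenthesised line; Ansible ANDs the items of a list-valued `when`, so either one condition per line or the shorter `when: ansible_distribution in ["RedHat", "CentOS"] and ansible_distribution_major_version == "6" and ansible_architecture == "x86_64"` would read more easily and is equivalent. The entry is placed ahead of `Common`, so the rebuilt OpenSSL and CA bundle are in place before the rest of the playbook's package installs and downloads run; that ordering looks intentional given the role file's header comment about LetsEncrypt certificates, and a one-line comment on the entry, e.g. `# Must run before Common: later roles download over HTTPS`, would record why it cannot be moved. The enclosing `roles:` list and its play begin before the hunk.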
@@ -0,0 +1,115 @@
+---
+##################################################################
+# Install OpenSSL 1.0.2 and certificates bundle from CentOS7 #
+# Need for CentOS6 to accept LetsEncrypt certs via Python/wget #
+# Based on https://forums.centos.org/viewtopic.php?f=13&p=328731 #
+# Ref: https://github.com/adoptium/infrastructure/issues/2342 #
+##################################################################
+
+- name: Check version of ca-certificates package on the system ...
+ shell: rpm -q ca-certificates | grep -E 'ca-certificates.2020|ca-certificates.201' warn=no
+ register: cacertsold
+ ignore_errors: true
+
+- name: Install prereqs for building openssl
+ yum:
+ name:
+ - krb5-devel
+ - zlib-devel
+ - lksctp-tools-devel
+ - util-linux # Only for /usr/bin/rename
+ - make
+ - gcc
+ - rpm-build
+ state: present
+ when: cacertsold.rc == 0
+
+- name: Download CentOS7 OpenSSL 1.0.2k SRPM ...
+ shell: curl -O https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm warn=False
+
+- name: Verify checksum for CentOS7 OpenSSL 1.0.2k SRPM
+ shell: sha256sum openssl-1.0.2k-21.el7_9.src.rpm | grep ^6dd850b2be01ff85c500428461019566984d91d7ad8d0002885d33ea37546da4
+ when: cacertsold.rc == 0
+
+# Invoking rpm as ansible yum module skips due to non-source RPM presence
+- name: Install CentOS7 OpenSSL 1.0.2k SRPM ...
+ shell: rpm -ivh openssl-1.0.2k-21.el7_9.src.rpm
+ when: cacertsold.rc == 0
+
+# Not using ansible operations as the don't take wildcards hence warn=False
+# Could explicitly list the ones I know match it I guess
+- name: Apply CentOS patches to OpenSSL Source (Part 1) ...
+ shell: sed -i 's/secure_getenv(/getenv(/g' /root/rpmbuild/SOURCES/*patch warn=False
+ when: cacertsold.rc == 0
+
+- name: Apply CentOS patches to OpenSSL Source (Part 2) ...
+ lineinfile:
+ path: /root/rpmbuild/SPECS/openssl.spec
+ regexp: '%patch68 -p1 -b .secure-getenv'
+ line: '#%patch68 -p1 -b .secure-getenv'
+ when: cacertsold.rc == 0
+
+- name: Build OpenSSL 1.0.2k with rpmbuild ...
+ shell: cd /root/rpmbuild/SPECS && rpmbuild -bb openssl.spec
+ when: cacertsold.rc == 0
+
+- name: Install new OpenSSL 1.0.2k libs and development package ...
+ yum:
+ name:
+ - /root/rpmbuild/RPMS/x86_64/openssl-libs-1.0.2k-21.el6.x86_64.rpm
+ - /root/rpmbuild/RPMS/x86_64/openssl-devel-1.0.2k-21.el6.x86_64.rpm
+ when: cacertsold.rc == 0
+
+# This shouldn't be necessary but it doesn't update if I include in previous step
+- name: Install new OpenSSL 1.0.2k main package ...
+ yum:
+ name: /root/rpmbuild/RPMS/x86_64/openssl-1.0.2k-21.el6.x86_64.rpm
+
+- name: Install prereqs for building ca-certificate bundle ...
+ yum:
+ name:
+ - asciidoc
+ - java-1.6.0-openjdk # Explicit build dep of ca-certificates SRPM
+ state: present
+ when: cacertsold.rc == 0
+
+- name: Download CentOS6 ca-certificates SRPM ...
+ shell: curl -O https://vault.centos.org/6.10/updates/Source/SPackages/ca-certificates-2020.2.41-65.1.el6_10.src.rpm
+
+- name: Verify checksum for CentOS6 ca-certificates download ...
+ shell: sha256sum ca-certificates-2020.2.41-65.1.el6_10.src.rpm | grep ^85326e70da937c09d342612190d23d3501a2a46954d2e197f9d343bf060ca000
+ when: cacertsold.rc == 0
+
+# Invoking rpm as ansible yum module skips due to non-source RPM presence
+- name: Install CentOS6 ca-certificates SRPM ...
+ shell: rpm -ivh ca-certificates-2020.2.41-65.1.el6_10.src.rpm warn=False
+ when: cacertsold.rc == 0
+
+- name: Download new CentOS7 ca-certificates SRPM ...
+ shell: curl -o ca-certificates-2021.2.50-72.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm
+ when: cacertsold.rc == 0
+
+- name: Verify checksum for CentOS7 ca-certificates download ...
+ shell: sha256sum ca-certificates-2021.2.50-72.el7_9.src.rpm | grep ^dc2cf4f9f51313e8fe6df3bd5e7c30926a99c2ad861a2bbfa4fd6210c00daaf6
+ when: cacertsold.rc == 0
+
+- name: Extract certdata.txt from CentOS7 ca-certificates SRPM ...
+ shell: rpm2cpio ca-certificates-2021.2.50-72.el7_9.src.rpm | (cd /root/rpmbuild/SOURCES && cpio -idmv certdata.txt)
+ when: cacertsold.rc == 0
+
+- name: Edit version number in the ca-certificates spec ...
+ lineinfile:
+ path: /root/rpmbuild/SPECS/ca-certificates.spec
+ regexp: 'Version: 2020.2.41'
+ line: 'Version: 2021.2.50'
+ when: cacertsold.rc == 0
+
+- name: Rebuild later ca-certificates (2021.2.50-72.el7_9) with rpmbuild ...
+ shell: cd /root/rpmbuild/SPECS && rpmbuild -bb ca-certificates.spec
+ when: cacertsold.rc == 0
+
+- name: Install CentOS6 ca-certificates SRPM ...
+ yum:
+ name: /root/rpmbuild/RPMS/noarch/ca-certificates-2021.2.50-65.1.el6.noarch.rpm
+ state: present
+ when: cacertsold.rc == 0
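Review bot: Three tasks in this new file lack the `when: cacertsold.rc == 0` guard that every other task carries — `Download CentOS7 OpenSSL 1.0.2k SRPM`, `Install new OpenSSL 1.0.2k main package` and `Download CentOS6 ca-certificates SRPM` — so on a host whose ca-certificates is already current the two curls still run and the yum install of `/root/rpmbuild/RPMS/x86_64/openssl-1.0.2k-21.el6.x86_64.rpm` presumably fails because nothing was built, unless an earlier run left that file behind; adding `when: cacertsold.rc == 0` to those three tasks makes the role the no-op the version check intends. The download/verify pairs are a good pattern (each fetched SRPM is pinned to a sha256 before `rpm -ivh` unpacks it), but they would be simpler and idempotent as single `get_url` tasks with a fixed `dest` and `checksum: sha256:` carrying the same hashes already used in the `grep` lines, instead of `curl -O` writing into whatever the task's working directory happens to be and re-downloading on every run. The last task is named `Install CentOS6 ca-certificates SRPM`, the same as the earlier `rpm -ivh` task, yet it installs the rebuilt binary package, so `Install rebuilt ca-certificates 2021.2.50 RPM` would describe it accurately. The `grep -E 'ca-certificates.2020|ca-certificates.201'` in the first task uses unescaped `.` where a literal `-` is meant; `'ca-certificates-2020|ca-certificates-201'` matches only the intended package versions.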