From 6b5d1186c57dbb6ece684e3f6bd77f7ce0953758 Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen.murphy@suse.com>
Date: Fri, 3 Apr 2020 10:14:07 -0700
Subject: [PATCH] Fix opensuse trusted certificates

There's a bug[1] with the combination of the p11-kit and
ca-certificates-mozilla packages available on the latest built
opensuse-15 node in nodepool (which has not been rebuilt for weeks due
to a separate issue[2]) which causes the standard CA bundle to not be
installed correctly and causes jobs that call to external HTTPS services
to fail. Upgrading both packages in sync fixes the issue.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1154871
[2] http://bugzilla.suse.com/show_bug.cgi?id=1166139

Change-Id: Ia8fdfe12fd9089e178adcb2b5eec997eebada262
Needed-by: https://review.opendev.org/713566
(cherry picked from commit 497caf015729d451428d5b608853741689f153b3)
(cherry picked from commit 7921e4673f2d0488ca6dc1892354e200ef38cca9)
---
 tools/fixup_stuff.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index a939e30b02..7a87b40189 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -216,6 +216,11 @@ function fixup_suse {
         sudo systemctl disable apparmor
         sudo /usr/sbin/aa-teardown
     fi
+
+    # Ensure trusted CA certificates are up to date
+    # See https://bugzilla.suse.com/show_bug.cgi?id=1154871
+    # May be removed once a new opensuse-15 image is available in nodepool
+    sudo zypper up -y p11-kit ca-certificates-mozilla
 }
 
 # The version of pip(1.5.4) supported by python-virtualenv(1.11.4) has