From c9f588793850ccf9be3515431a899e9b5b06b82f Mon Sep 17 00:00:00 2001
From: Wayne Galen
Date: Fri, 26 Jan 2024 16:35:10 -0800
Subject: [PATCH 1/2] Use a newer debian image for certs

stable-20211201 is based on the current `oldstable` release, `bullseye`, and has an older ca-certificates package (20210119), whereas 20240110 is based on the current `stable` release, `bookworm`, and has a more up to date ca-certificates package (20230311)
---
 misc/certs/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/certs/Dockerfile b/misc/certs/Dockerfile
index 965dcf015cc..fcc4cf04c97 100644
--- a/misc/certs/Dockerfile
+++ b/misc/certs/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/debian:stable-20211201-slim
+FROM public.ecr.aws/docker/library/debian:stable-20240110-slim
 RUN apt-get update && \
 apt-get install -y ca-certificates && \
 rm -rf /var/lib/apt/lists/*

From e3324778a03cc113d31fc4332c2089446602fd93 Mon Sep 17 00:00:00 2001
From: Wayne Galen
Date: Fri, 26 Jan 2024 16:44:11 -0800
Subject: [PATCH 2/2] Clean up unneeded removal

Current versions of the ca-certificates package no longer include CNNIC_ROOT certificates, so the separate trimming step is no longer necessary
---
 misc/certs/Dockerfile | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/misc/certs/Dockerfile b/misc/certs/Dockerfile
index fcc4cf04c97..2790eeb7feb 100644
--- a/misc/certs/Dockerfile
+++ b/misc/certs/Dockerfile
@@ -3,8 +3,3 @@ FROM public.ecr.aws/docker/library/debian:stable-20240110-slim
 RUN apt-get update && \
 apt-get install -y ca-certificates && \
 rm -rf /var/lib/apt/lists/*
-
-# If anyone has a better idea for how to trim undesired certs or a better ca list to use, I'm all ears
-RUN cp /etc/ca-certificates.conf /tmp/caconf && cat /tmp/caconf | \
- grep -v "mozilla/CNNIC_ROOT\.crt" > /etc/ca-certificates.conf && \
- update-ca-certificates --fresh
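Review bot: The new `FROM` line in patch 1/2 selects the base image by tag only, and since this image exists to supply the CA bundle, whatever that tag resolves to at build time decides which roots end up trusted. Pinning the digest next to the tag, `FROM public.ecr.aws/docker/library/debian:stable-20240110-slim@sha256:<digest of the reviewed image>`, keeps later builds on the image that was actually inspected. The `ca-certificates` version is still whatever `apt-get install` resolves when the build runs, so the 20230311 figure in the commit message is not fixed by this line alone. A short comment above `FROM` recording the release (`bookworm`) and the expected package version would make later drift visible in review.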