Import CA certificates for extra repository files

Upstream commit: d2d1fc5

If extra repositories are located on an HTTPS server with
a certificate signed by a private authority, additional CA
certificates need to be trusted in the container. Otherwise, DNF
invoked in the container will fail to access the repositories:

        STEP 6/15: RUN set -x &&     dnf -y --refresh upgrade;     dnf -y install dnf-plugins-core;     dnf -y copr enable rpmsoftwaremanagement/test-utils;
        + dnf -y --refresh upgrade
        [...]
        Tag repository for rhel-9.6.0-candidate (x86_64 0.0  B/s |   0  B     00:00
        Errors during downloading metadata for repository 'baseos-ci-tag-repository':
          - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://[...]/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
        Error: Failed to download metadata for repo 'baseos-ci-tag-repository': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Dockerfile

@@ -13,6 +13,10 @@ RUN set -x && \
     echo -e "deltarpm=0" >> /etc/dnf/dnf.conf && \
     echo -e "install_weak_deps=0" >> /etc/dnf/dnf.conf
 
+# Import extra CA certificates
+COPY ./ca-trust/ /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
+
 # Copy extra repo files
 COPY ./repos.d/ /etc/yum.repos.d/
 

README.md

@@ -36,6 +36,10 @@ default:
 If any additional repositories are needed to be added to the container image,
 you can place them into the `repos.d` directory (mainly useful for RHEL).
 
+If any additional CA certificates are needed to be trusted in the container
+image, e.g. for the additional repositories, you can place them into the
+`ca-trust` directory.
+
 During the build, any RPMs found in the `rpms` directory are installed in the
 image. Place your RPMs to be tested in this directory.
 

ca-trust/.gitignore

@@ -0,0 +1 @@
+*