update-ca-certificates: Trust Custom CAs in CI
update-ca-certificates regenerates the system CA bundle after you drop a certificate into the trusted anchors directory.
Behind a corporate proxy or a private registry with a custom CA, tools fail TLS until the CA is trusted. This command makes the OS and curl trust it.
What it does
On Debian and Ubuntu, update-ca-certificates scans /usr/local/share/ca-certificates/ for .crt files and merges them into /etc/ssl/certs/ca-certificates.crt. On Alpine the same command works after adding the ca-certificates package. RHEL uses update-ca-trust instead.
Common usage
# Debian/Ubuntu
cp corp-root.crt /usr/local/share/ca-certificates/corp-root.crt
update-ca-certificates
# Alpine (needs the package first)
apk add --no-cache ca-certificates
cp corp-root.crt /usr/local/share/ca-certificates/corp-root.crt
update-ca-certificates
# RHEL/Fedora equivalent
cp corp-root.crt /etc/pki/ca-trust/source/anchors/
update-ca-trustOptions
| Command / Flag | What it does |
|---|---|
| update-ca-certificates | Rebuild the CA bundle from added anchors |
| --fresh | Regenerate from scratch, dropping stale links |
| /usr/local/share/ca-certificates/ | Where to place custom .crt files (Debian/Alpine) |
| update-ca-trust (RHEL) | The RHEL/Fedora equivalent command |
| /etc/pki/ca-trust/source/anchors/ | Where to place custom CAs on RHEL |
In CI
The certificate file must have a .crt extension and be PEM-encoded; a .pem or DER file is ignored. After running the command, tools that read the system bundle (curl, git, apt) trust the CA, but apps with their own bundle (Node, Python requests) may still need REQUESTS_CA_BUNDLE or NODE_EXTRA_CA_CERTS.
Common errors in CI
"curl: (60) SSL certificate problem: unable to get local issuer certificate" means the CA is not trusted; add it and run update-ca-certificates. "WARNING: <file> does not contain a certificate or CRL: skipping" means the file is not PEM or lacks a .crt extension. A Node app still failing after this needs NODE_EXTRA_CA_CERTS, since Node ships its own trust store.