feat: install root ca

install-root-ca.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env sh
+set -e
+
+CA_URL="https://ca.para.net:9000"
+ROOT_URL="$CA_URL/roots.pem"
+TMP_FILE="$(mktemp)"
+
+echo "Downloading roots.pem from $ROOT_URL ..."
+curl -sSLk "$ROOT_URL" -o "$TMP_FILE"
+
+if [ ! -s "$TMP_FILE" ]; then
+  echo "Error: roots.pem is empty or failed to download."
+  exit 1
+fi
+
+# Read /etc/os-release (source manually in POSIX shell)
+OS_ID=""
+OS_LIKE=""
+if [ -f /etc/os-release ]; then
+  while IFS= read -r line; do
+    case "$line" in
+    ID=*) OS_ID=$(echo "$line" | cut -d= -f2 | tr -d '"') ;;
+    ID_LIKE=*) OS_LIKE=$(echo "$line" | cut -d= -f2 | tr -d '"') ;;
+    esac
+  done </etc/os-release
+fi
+
+echo "Detected OS: ID=$OS_ID, ID_LIKE=$OS_LIKE"
+
+# Normalize to lowercase
+OS_ID=$(echo "$OS_ID" | tr 'A-Z' 'a-z')
+OS_LIKE=$(echo "$OS_LIKE" | tr 'A-Z' 'a-z')
+
+# Detect family
+if echo "$OS_ID $OS_LIKE" | grep -Eq 'debian|ubuntu'; then
+  echo "Installing on Debian-based system"
+  TARGET_PATH="/usr/local/share/ca-certificates/step-ca.crt"
+  cp "$TMP_FILE" "$TARGET_PATH"
+  echo "Updating CA trust store..."
+  update-ca-certificates
+
+elif echo "$OS_ID $OS_LIKE" | grep -Eq 'rhel|centos|rocky|alma'; then
+  echo "Installing on RHEL-based system"
+  TARGET_PATH="/etc/pki/ca-trust/source/anchors/step-ca.pem"
+  cp "$TMP_FILE" "$TARGET_PATH"
+  echo "Updating CA trust store..."
+  update-ca-trust extract
+
+else
+  echo "Unsupported operating system (ID=$OS_ID, LIKE=$OS_LIKE)"
+  echo "You may need to install the CA manually."
+  exit 2
+fi
+
+echo "Testing connection to $CA_URL ..."
+if curl -sSL "$CA_URL" >/dev/null 2>&1; then
+  echo "Connection successful — root CA is trusted."
+else
+  echo "Connection failed — check certificate installation or network configuration."
+fi
+
+rm -f "$TMP_FILE"