
update-ca-certificates doesn't concatenate properly certificates if trailing newline is missing #1601

Open
adam-bartlett-sp opened this issue Dec 17, 2024 · 1 comment
Labels
kind/bug Something isn't working

Comments

@adam-bartlett-sp

Description

update-ca-certificates blindly concats certificates without concern for a newline at the end of the file. This is concerning in environments where certificates are provided by enterprise teams that may not always have a newline. This issue was fixed in Debian 13 years ago and in Alpine 6 years ago.

Impact

ca-certificates bundle will be invalid, which breaks a number of services.

Environment and steps to reproduce

  1. Set-up: create a valid pem file in /etc/ssl/certs with no newline at EOF
  2. Task: execute update-ca-certificates, then attempt a curl
  3. Action(s):
    a. write a valid x.509 PEM file into /etc/ssl/certs with no newline before EOF
    b. Execute sudo /usr/sbin/update-ca-certificates
    c. curl https://flatcar.org
  4. Error: curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt

Expected behavior

We would expect curl to complete and show a 301 Moved Permanently.

Additional information

Bugs in Debian & Alpine:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635570
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8379

@jepio
Member

jepio commented Dec 18, 2024

Flatcar's implementation of update-ca-certificates.

It should be changed to a for loop with sed (https://github.com/ClusterHQ/gentoo/blob/master/usr/sbin/update-ca-certificates#L80C3-L80C15) or cat+echo.
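The cat+echo approach mentioned in the comment, shown as an added POSIX shell example that is not Flatcar's update-ca-certificates script. The function names, the directory layout and the two sample PEM blocks (which are constructed markers, not real certificates) are assumptions made for the illustration; the point is to show the fused END/BEGIN line that plain cat produces and how appending a newline only when one is missing avoids it:

```shell
#!/bin/sh
# Added example, not Flatcar's script: build a CA bundle from PEM files so that
# a file lacking a trailing newline cannot fuse its END marker with the next
# file's BEGIN marker (the symptom reported in the issue).
set -eu

# naive_bundle: plain concatenation, i.e. the behaviour the issue describes.
#   $1 = directory of .pem files, $2 = output bundle
naive_bundle() {
    cat "$1"/*.pem > "$2"
}

# safe_bundle: cat each file, then echo a newline only when the file does not
# already end with one (the cat+echo variant from the comment).
safe_bundle() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        cat "$f" >> "$out"
        # tail -c1 prints the last byte; command substitution strips a trailing
        # newline, so a non-empty result means the file did not end with one.
        if [ -n "$(tail -c1 "$f")" ]; then
            echo >> "$out"
        fi
    done
}

# fused_lines: number of lines where an END marker runs straight into a BEGIN
# marker. Anything above 0 means the bundle will be rejected by TLS libraries.
fused_lines() {
    grep -c -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true
}

# cert_count: number of certificates a PEM parser will actually see, i.e.
# BEGIN markers that start a line.
cert_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_fixture: constructed inputs (hypothetical file names, not real certs).
# The first file deliberately has no newline before EOF, like the enterprise
# supplied certificates described in the issue.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    hdr='-----BEGIN CERTIFICATE-----'
    ftr='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s' "$hdr" 'MIIBconstructedA' "$ftr" > "$dir/01-no-newline.pem"
    printf '%s\n%s\n%s\n' "$hdr" 'MIIBconstructedB' "$ftr" > "$dir/02-ok.pem"
}

# demo: build both bundles in a scratch directory and report the difference.
demo() {
    work=$(mktemp -d)
    make_fixture "$work/in"
    naive_bundle "$work/in" "$work/naive.crt"
    safe_bundle  "$work/in" "$work/safe.crt"
    printf 'naive bundle: %s certs visible, %s fused lines\n' \
        "$(cert_count "$work/naive.crt")" "$(fused_lines "$work/naive.crt")"
    printf 'safe bundle:  %s certs visible, %s fused lines\n' \
        "$(cert_count "$work/safe.crt")" "$(fused_lines "$work/safe.crt")"
    rm -rf "$work"
}

demo
```

Running `fused_lines` against an existing /etc/ssl/certs/ca-certificates.crt is also a quick way to check whether a bundle already on a host was built with the naive concatenation.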
