From d9e0c4187e6170d9a3cd0d870ca793267df0d127 Mon Sep 17 00:00:00 2001
From: Markham
Date: Sat, 21 Mar 2026 19:11:30 +0100
Subject: [PATCH] fix target ca-bundle
---
 make/environment-build.mk | 2 +-
 make/libraries.mk | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/make/environment-build.mk b/make/environment-build.mk
index cb89165..3cd54d9 100755
--- a/make/environment-build.mk
+++ b/make/environment-build.mk
@@ -165,7 +165,7 @@ PKG_CONFIG_PATH = $(PKG_CONFIG_LIBDIR)/pkgconfig
 # certificates
 CA_BUNDLE = ca-certificates.crt
-CA_BUNDLE_DIR = etc/ssl/certs
+CA_BUNDLE_DIR = /etc/ssl/certs
 # helper-"functions":
 REWRITE_LIBTOOL_RULES = sed -i \
diff --git a/make/libraries.mk b/make/libraries.mk
index e0dab8d..9856f86 100755
--- a/make/libraries.mk
+++ b/make/libraries.mk
@@ -562,12 +562,20 @@ $(D)/host_openssl: $(ARCHIVE)/openssl-$(OPENSSL_VER)$(OPENSSL_SUBVER).tar.gz | $
 $(TOUCH)
 CA_URL = https://curl.se/ca/cacert.pem
+CA_BUNDLE_MAX_AGE = 30 # days
 $(D)/ca-bundle: | $(TARGETPREFIX)
 $(START_BUILD)
- cd $(ARCHIVE); \
- curl -s --remote-name --time-cond $(ARCHIVE)/cacert.pem $(CA_URL)
- install -D -m 0644 $(ARCHIVE)/cacert.pem $(TARGETPREFIX)/$(CA_BUNDLE_DIR)/$(CA_BUNDLE)
- openssl verify $(TARGETPREFIX)/$(CA_BUNDLE_DIR)/$(CA_BUNDLE)
+ if test -f $(ARCHIVE)/cacert.pem; then \
+ if test $$(find $(ARCHIVE)/cacert.pem -mtime +$(CA_BUNDLE_MAX_AGE) -print 2>/dev/null | wc -l) -gt 0; then \
+ echo "ca-bundle: cacert.pem is older than $(CA_BUNDLE_MAX_AGE) days, re-downloading..."; \
+ rm -f $(ARCHIVE)/cacert.pem; \
+ fi; \
+ fi
+ if test ! -f $(ARCHIVE)/cacert.pem; then \
+ curl -L $(CA_URL) -o $(ARCHIVE)/cacert.pem; \
+ fi
+ install -D -m 0644 $(ARCHIVE)/cacert.pem $(TARGETPREFIX)$(CA_BUNDLE_DIR)/$(CA_BUNDLE)
+ openssl verify $(TARGETPREFIX)$(CA_BUNDLE_DIR)/$(CA_BUNDLE)
 $(TOUCH)
 $(D)/libcurl: $(ARCHIVE)/curl-$(LIBCURL_VER).tar.bz2 $(D)/openssl $(D)/librtmp $(D)/zlib $(D)/ca-bundle | $(TARGETPREFIX)
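Review bot: `CA_BUNDLE_DIR` becomes an absolute path in make/environment-build.mk, but nothing on the line says it is a path inside the target root rather than on the build host. The two users visible in this patch were switched to `$(TARGETPREFIX)$(CA_BUNDLE_DIR)`. A recipe elsewhere that still writes `$(TARGETPREFIX)/$(CA_BUNDLE_DIR)` only gains a doubled slash, whereas one that expands the variable bare would now refer to the build machine's own /etc/ssl/certs, so a grep over the tree is worth doing before merging. I would add a comment above the assignment: `# absolute path on the target rootfs; always prefix with $(TARGETPREFIX) in recipes`.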
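Review bot: The new download step in the `$(D)/ca-bundle` recipe writes straight to `$(ARCHIVE)/cacert.pem` with `curl -L` and no `--fail`, so an HTTP error body or an interrupted transfer is cached as the trust bundle and reused until it is older than `CA_BUNDLE_MAX_AGE` days. The only check, `openssl verify`, runs after `install` has already copied the file into `$(TARGETPREFIX)`, and as far as I know it reads only the first certificate in a file, so a truncated bundle can still pass. I would download to a temporary name, restrict the transfer and any redirect to HTTPS, check the file, and only then move it into the cache, as sketched below. Because this file becomes the target's root of trust, pinning a known SHA-256 for a fixed bundle in the makefile would be stronger still, although that is at odds with the automatic refresh.

```make
	if test ! -f $(ARCHIVE)/cacert.pem; then \
		curl --fail --location --proto '=https' --proto-redir '=https' \
			-o $(ARCHIVE)/cacert.pem.tmp $(CA_URL) && \
		openssl verify $(ARCHIVE)/cacert.pem.tmp && \
		mv -f $(ARCHIVE)/cacert.pem.tmp $(ARCHIVE)/cacert.pem; \
	fi
# … unchanged: age check above; install, openssl verify and $(TOUCH) below …
```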
@@ -600,8 +608,8 @@ $(D)/libcurl: $(ARCHIVE)/curl-$(LIBCURL_VER).tar.bz2 $(D)/openssl $(D)/librtmp $
 --without-libpsl \
 --without-zstd \
 --disable-ipfs \
- --disable-ipns \
- --with-ca-bundle=/$(CA_BUNDLE_DIR)/$(CA_BUNDLE) \
+ --with-ca-path=$(CA_BUNDLE_DIR) \
+ --with-ca-bundle=$(CA_BUNDLE_DIR)/$(CA_BUNDLE) \
 --with-ssl=$(TARGETPREFIX) \
 --with-librtmp=$(TARGETPREFIX)/lib \
 --enable-optimize \
--
2.39.5
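Review bot: `--disable-ipns` disappears from the libcurl configure flags in the same edit that adds `--with-ca-path`, while `--disable-ipfs` stays, and the commit subject only mentions the ca-bundle target. If the flag was dropped because this curl version's configure does not recognise it, the message should say so; otherwise restore `--disable-ipns \` so the set of enabled protocols does not change as a side effect. On the added `--with-ca-path=$(CA_BUNDLE_DIR)`: with OpenSSL a CA directory is, to my knowledge, only consulted for hash-named certificate files, and nothing visible in this patch creates those under `$(TARGETPREFIX)$(CA_BUNDLE_DIR)`, so the option may be a no-op next to `--with-ca-bundle`. The configure invocation starts and ends outside the hunk.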