From 09f43d3eb8e00f2eb829a70c1dd756e9ec3ad4ce Mon Sep 17 00:00:00 2001
From: Louis Lam <louislam@users.noreply.github.com>
Date: Sun, 31 May 2026 08:37:30 +0800
Subject: [PATCH] fix(docker-only): add Let's Encrypt Gen Y root certificates
 (#7453)

---
 docker/debian-base.dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docker/debian-base.dockerfile b/docker/debian-base.dockerfile
index 10471af2a..91b1a2f7f 100644
--- a/docker/debian-base.dockerfile
+++ b/docker/debian-base.dockerfile
@@ -58,6 +58,11 @@ RUN curl https://pkg.cloudflare.com/cloudflare-main.gpg --output /usr/share/keyr
 COPY ./docker/etc/nscd.conf /etc/nscd.conf
 COPY ./docker/etc/sudoers /etc/sudoers
 
+# Debian bookworm does not have Let's Encrypt's Gen Y root certs.
+# Not sure if it is the best solution, and not sure if Debian will add them in the future, but for now we can just add them manually.
+RUN curl -fsSL https://letsencrypt.org/certs/gen-y/root-ye.pem -o /usr/local/share/ca-certificates/isrg-root-ye.crt && \
+    curl -fsSL https://letsencrypt.org/certs/gen-y/root-yr.pem -o /usr/local/share/ca-certificates/isrg-root-yr.crt && \
+    update-ca-certificates
 
 # Full Base Image
 # MariaDB, Chromium and fonts