This repository was archived by the owner on May 21, 2026. It is now read-only.

add script to install updated certs to dockerfile #1393

Open: edmund-dunn wants to merge 3 commits into main from adding-scripts-to-update-certificates

Conversation

@edmund-dunn (Contributor)

Notice about main branch

Until further notice, the main branch of this repo is locked. Pull requests should be made against the integration-202510 branch.

Merges to the main branch for critical bugs or security updates are allowed. Please contact CMS Team in the #platform-cms-team channel if you need assistance.

Description

Updating certs

Ticket

Relates to department-of-veterans-affairs/va.gov-cms#22472

Developer Task

- [ ] PR submitted against the `main` branch of `next-build`.
- [ ] Link to the issue that this PR addresses (if applicable).
- [ ] Define all changes in your PR and note any changes that could potentially be breaking changes.
- [ ] PR includes steps to test your changes and links to these changes in the Tugboat preview (if applicable).
- [ ] Provided before and after screenshots of your changes (if applicable).
- [ ] Alerted the #next-build Slack channel to request a PR review.
- [ ] You understand that once approved, you are responsible for merging your changes into `main`. (Note that changes to `main` will move automatically into production.)

Testing Steps

Explain the steps needed for testing

QA steps

What needs to be checked to prove this works?
What needs to be checked to prove it didn't break any related things?
What variations of circumstances (users, actions, values) need to be checked?

Tested container build locally, it was successful.

Screenshots

Before:
After:

Is this PR blocked by another PR?

  • Add the DO NOT MERGE label
  • Add links to additional PRs here:

Reviewer

Reviewing a PR

This section lists items that need to be checked or updated when making changes to this repository.

Standard Checks

- [ ] Code Quality: Readability, Naming Conventions, Consistency, Reusability
- [ ] Test Coverage: 80% coverage
- [ ] Functionality: Change functions as expected with no additional bugs
- [ ] Performance: Code does not introduce performance issues
- [ ] Documentation: Changes are documented in their respective README.md files
- [ ] Security: Packages have been approved in the TRM

Merging a Layout

When merging a layout, you must ensure that the content type has been turned on for next-build in the .tugboat.env. This method mocks the CMS flag that must be turned on for a layout to be included in the build.

The layout component and matching resource type should be included in the slug.tsx, so that it can be reviewed. Including a component in the slug.tsx does not mean a page will be viewable in production, only on the Tugboat for the branch.

When a layout is merged to main and approved for deployment, the prod CMS will turn the toggle on for the resource type.

The status of layouts should be kept up to date inside templates.md. This includes QA progress, development progress, etc. A link should be provided for where testing can occur.

@edmund-dunn edmund-dunn requested a review from a team as a code owner October 10, 2025 21:51
Copilot AI review requested due to automatic review settings October 10, 2025 21:51
@va-cms-bot va-cms-bot temporarily deployed to Tugboat October 10, 2025 21:51 Destroyed

Copilot AI left a comment


Pull Request Overview

This PR adds a script to install updated VA certificates to the Dockerfile to ensure proper certificate trust in the container environment.

  • Adds a new shell script install-va-certs.sh that downloads and installs VA certificates
  • Updates the Dockerfile to execute the certificate installation script during the build stage
  • Copies the updated certificate bundle to the production image

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| docker/install-va-certs.sh | New script that downloads VA certificates from multiple sources and converts them to proper PEM format |
| docker/Dockerfile | Modified to install dependencies, execute the certificate script, and copy certificates to production image |


Comment on lines +13 to +14
wget https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem
wget https://digicert.tbs-certificats.com/DigiCertGlobalG2TLSRSASHA2562020CA1.crt

Copilot AI Oct 10, 2025


These wget commands download certificates over HTTP without verifying the authenticity of the downloaded files. Consider adding checksum verification or using HTTPS URLs where possible to ensure certificate integrity.

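The hardening the comment above asks for, as an added example that is not code from this PR or from next-build: a POSIX sh helper that installs a downloaded CA file only when its SHA-256 matches a digest pinned in the script (obtained out of band from the issuer) and the file actually parses as PEM or DER, so an HTML error page that wget saved under a .crt name never reaches the trust store. It assumes the Alpine CA directory and the update-ca-certificates tool used in the PR; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: install a downloaded CA certificate only
# after it matches a digest pinned in the script (obtained out of band from the
# issuer), normalising DER to PEM on the way. Alpine's CA directory is assumed.
set -eu

# Print the SHA-256 of FILE (hex only).
sha256_of() { sha256sum "$1" | cut -d ' ' -f 1; }

# cert_format FILE -> "pem", "der", or "unknown" (e.g. an HTML error page that
# wget saved under a .crt name; such a file must never reach the trust store).
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    echo der       # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
  else
    echo unknown
  fi
}

# to_pem SRC DST: copy PEM as-is; wrap DER in PEM armour without openssl.
to_pem() {
  case $(cert_format "$1") in
    pem) cp "$1" "$2" ;;
    der) { echo '-----BEGIN CERTIFICATE-----'
           base64 < "$1" | tr -d '\n' | fold -w 64; echo
           echo '-----END CERTIFICATE-----'; } > "$2" ;;
    *)   echo "$1 is neither PEM nor DER; refusing" >&2; return 1 ;;
  esac
}

# install_ca_cert FILE EXPECTED_SHA256 [CA_DIR]: returns 1 and installs
# nothing unless FILE's digest equals EXPECTED_SHA256 and it parses as a cert.
install_ca_cert() {
  ca_dir=${3:-/usr/local/share/ca-certificates}
  name=$(basename "$1"); name=${name%%.*}
  if [ "$(sha256_of "$1")" != "$2" ]; then
    echo "digest mismatch for $1; refusing to install" >&2; return 1
  fi
  [ "$(cert_format "$1")" != unknown ] || return 1
  mkdir -p "$ca_dir"
  to_pem "$1" "$ca_dir/$name.crt"
  # Rebuild /etc/ssl/certs only when installing into the real Alpine directory.
  if [ -z "${3:-}" ] && command -v update-ca-certificates >/dev/null 2>&1; then
    update-ca-certificates >/dev/null
  fi
}
```

In the Dockerfile build stage each wget'd file would go through install_ca_cert with its digest pinned in the script, so a mismatch fails the build instead of silently trusting whatever the download produced.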

@cvalarida cvalarida left a comment


Assuming I understand what's going on, it looks good. 😄

Comment thread docker/install-va-certs.sh Outdated
echo "Successfully processed ${cert} -> ${cert_name}.crt"
done

ls


Is this just for debugging purposes?



So if I understand it right, this script will go fetch these publicly-available certs, put them in /usr/local/share/ca-certificates/, convert them to PEM if necessary, and validate them? This is intended to be done all in Docker, which is used in Tugboat.

Is that about right?

Comment on lines +10 to +11
mkdir -p /usr/local/share/ca-certificates
cd /usr/local/share/ca-certificates/


I did a little spelunking to make sure this is the place to add CA certs in Alpine. Looks good. 👍

@va-cms-bot va-cms-bot temporarily deployed to Tugboat October 27, 2025 21:58 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat November 13, 2025 23:22 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat December 17, 2025 19:40 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat February 18, 2026 13:59 Destroyed
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@va-cms-bot va-cms-bot temporarily deployed to Tugboat February 19, 2026 00:35 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat March 12, 2026 21:32 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat May 4, 2026 16:29 Destroyed
@va-cms-bot va-cms-bot temporarily deployed to Tugboat May 4, 2026 16:41 Destroyed
