feat(conf): use openssl to detect system ca-certs path #10788
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
e488917
to
f3bb0b2
Compare
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
f3bb0b2
to
264ef88
Compare
|
Alternatively we could make |
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
264ef88
to
7ef0fea
Compare
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
7ef0fea
to
8ef2523
Compare
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
8ef2523
to
a7696c3
Compare
bungle
force-pushed
the
feat/system-trusted-certs-path
branch
from
a7696c3
to
b02faf3
Compare
fffonion
reviewed
Jun 6, 2023
| for _, cert_dir in ipairs(cert_dirs) do | ||
| for _, cert_file in ipairs(cert_files) do | ||
| local ca_file = pl_path.join(openssl_dir, cert_dir, cert_file) | ||
| if pl_path.exists(ca_file) then |
There was a problem hiding this comment.
this logic will seldomly get picked up because we ships our own openssl library, and its OPENSSL_DIR is not same as the system openssl dir, which usually doesn't contain the ca file.
There was a problem hiding this comment.
Should we install root certs then too? Or symlink?
At some point I thought about just downloading this: https://curl.se/docs/caextract.html
### Summary Previously the code ran through these paths: - "/etc/ssl/certs/ca-certificates.crt", -- Debian/Ubuntu/Gentoo - "/etc/pki/tls/certs/ca-bundle.crt", -- Fedora/RHEL 6 - "/etc/ssl/ca-bundle.pem", -- OpenSUSE - "/etc/pki/tls/cacert.pem", -- OpenELEC - "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", -- CentOS/RHEL 7 - "/etc/ssl/cert.pem", -- OpenBSD, Alpine when trying to find system ca-file. The commit here asks `openssl` about it and tries from there first. Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
vm-001
force-pushed
the
feat/system-trusted-certs-path
branch
from
b02faf3
to
6b86195
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Previously the code ran through these paths:
when trying to find system ca-file.
The commit here asks
opensslabout it and tries from there first.