Merge pull request #1264 from shlevy/s3-ca-file

Properly set the caFile for aws-sdk-cpp s3

src/libstore/download.cc

@@ -224,8 +224,7 @@ struct CurlDownloader : public Downloader
                 curl_easy_setopt(req, CURLOPT_NOBODY, 1);
 
             if (request.verifyTLS)
-                curl_easy_setopt(req, CURLOPT_CAINFO,
+                curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
-                    getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")).c_str());
             else {
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);

src/libstore/globals.cc

@@ -69,6 +69,7 @@ Settings::Settings()
     showTrace = false;
     enableImportNative = false;
     netrcFile = fmt("%s/%s", nixConfDir, "netrc");
+    caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
 }
 
 

src/libstore/globals.hh

@@ -195,6 +195,9 @@ struct Settings {
        downloads. */
     Path netrcFile;
 
+    /* Path to the SSL CA file used */
+    Path caFile;
+
 private:
     SettingsMap settings, overrides;
 

src/libstore/s3-binary-cache-store.cc

@@ -77,6 +77,7 @@ ref<Aws::Client::ClientConfiguration> S3Helper::makeConfig()
     res->region = Aws::Region::US_EAST_1; // FIXME: make configurable
     res->requestTimeoutMs = 600 * 1000;
     res->retryStrategy = std::make_shared<RetryStrategy>();
+    res->caFile = settings.caFile;
     return res;
 }