
Prefer using system or CVMFS CA certs

Open TimoWilken opened this issue 2 years ago • 3 comments

Try to detect when we can use system certificates or those from CVMFS, and prefer them if possible. This should avoid situations where old O2 tags have expired certs pinned.

Still fall back to the old behaviour, which is fine for CI and local development.

Cc: @ktf @adriansev

TimoWilken avatar Apr 25 '23 15:04 TimoWilken

One weirdness I've run into is that old OpenSSL versions (1.0.2k, on CentOS 7) don't exit with an error status when the CA cert is expired, they only print an error message. This might have to be handled specially...

TimoWilken avatar Apr 25 '23 15:04 TimoWilken

Hi @TimoWilken, would it be possible to take into account and honor X509_USER_CERT, X509_USER_KEY, X509_CERT_FILE, X509_CERT_DIR? Maybe even check if X509_CERT_DIR, X509_CERT_FILE are set and, if so, keep them? Also, AFAIK, on macOS cvmfs is mounted under /Users/Shared, but I'm not sure if macOS users are a target for this. Also, for the moment the actual package that exports X509_CERT_DIR is alien-runtime.

adriansev avatar Apr 25 '23 19:04 adriansev
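To make the selection order discussed above concrete, here is an added example (not alidist's code, and not written by either participant): a POSIX shell sketch that honors X509_CERT_DIR / X509_CERT_FILE when they are set and usable, then tries system and CVMFS locations, and only then falls back to a bundled directory. It also checks bundled certificates for expiry with `openssl x509 -checkend`, whose exit status is reliable even on OpenSSL 1.0.2k, where `openssl verify` only prints the expiry error. The candidate paths, the `CA_*` variable names and the `BUNDLED_CA_DIR` placeholder are assumptions for illustration, not names used by alidist.

```shell
#!/bin/sh
# Added example, not alidist's own code. Chooses a CA source in the order the
# thread proposes and checks bundled certs for expiry on old OpenSSL.
# All candidate paths below are assumptions; override via the environment.

: "${CA_SYSTEM_FILES:=/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt}"
: "${CA_SYSTEM_DIRS:=/etc/ssl/certs /etc/pki/tls/certs}"
: "${CA_CVMFS_DIRS:=/cvmfs/grid.cern.ch/etc/grid-security/certificates}"

# ca_dir_usable DIR: true if DIR exists and holds at least one certificate
# (hashed "XXXXXXXX.0" links or plain *.pem files). An empty directory is
# not usable, so it cannot shadow a working fallback.
ca_dir_usable() {
  [ -d "$1" ] || return 1
  for f in "$1"/*.0 "$1"/*.pem; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# cert_not_expired FILE: true if FILE is a readable certificate that has not
# expired yet. `-checkend 0` exits 1 on an expired cert, which is what the
# thread says `openssl verify` on 1.0.2k fails to do.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# expired_certs_in DIR: print every *.pem in DIR that has expired (or cannot
# be parsed). Returns 0 when the directory is clean, 1 otherwise.
expired_certs_in() {
  _rc=0
  for f in "$1"/*.pem; do
    [ -e "$f" ] || continue
    cert_not_expired "$f" || { echo "$f"; _rc=1; }
  done
  return $_rc
}

# select_ca_source FALLBACK_DIR: print "KIND PATH" with KIND one of
# dir, file, fallback. Explicit X509_CERT_DIR / X509_CERT_FILE win when
# set and usable, then system files and directories, then CVMFS, then
# FALLBACK_DIR (the certificates shipped with the build).
select_ca_source() {
  if [ -n "${X509_CERT_DIR:-}" ] && ca_dir_usable "$X509_CERT_DIR"; then
    echo "dir $X509_CERT_DIR"; return 0
  fi
  if [ -n "${X509_CERT_FILE:-}" ] && [ -r "$X509_CERT_FILE" ]; then
    echo "file $X509_CERT_FILE"; return 0
  fi
  # The CA_* lists are space-separated, so the unquoted expansion is intended.
  for f in $CA_SYSTEM_FILES; do
    [ -r "$f" ] && { echo "file $f"; return 0; }
  done
  for d in $CA_SYSTEM_DIRS $CA_CVMFS_DIRS; do
    ca_dir_usable "$d" && { echo "dir $d"; return 0; }
  done
  echo "fallback $1"
}

# Stand-alone usage: report what would be chosen for the bundled fallback.
# BUNDLED_CA_DIR is a placeholder name, not an alidist variable.
select_ca_source "${BUNDLED_CA_DIR:-./bundled-certs}"
```

The result maps directly onto what OpenSSL-based tools read: a `dir` or `fallback` answer goes into SSL_CERT_DIR, a `file` answer into SSL_CERT_FILE. Running `expired_certs_in` on the bundled directory before falling back to it is what would have caught the pinned, expired certificates in old O2 tags.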

Also, unrelated directly to this but could be worth mentioning: we do a lot of find/rsync stuff... wouldn't it be easier to do this directly in the alien-cas repository and then just point X509_CERT_DIR to that location? (And also, as Giulio already suggested, adding tags to alien-cas with the same name/version as IGTF would make versioning easier to manage.)

adriansev avatar Apr 25 '23 19:04 adriansev