SSL CA bundle is in a non-standard place for Linux distros

[ncw]

This is causing a problem for rclone/rclone#466 as the go runtime can't find the SSL certificates in openelec 7 beta.

Go doesn't use openssl it has its own SSL implementation, but it relies on finding the root certificates in a standard place.

The Go runtime looks for SSL certificates in these places (note the openelec < 7 work-around).

// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
    "/etc/ssl/ca-bundle.pem",             // OpenSUSE
    "/etc/pki/tls/cacert.pem",            // OpenELEC
}

and from these directories

// Possible directories with certificate files; stop after successfully
// reading at least one file from a directory.
var certDirectories = []string{
        "/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
        "/system/etc/security/cacerts", // Android
}

I can propose a change to the go project to look in /etc/ssl/cert.pem but it seems to me that storing the CA bundle in one of the standard places (or back in /etc/pki/tls/cacert.pem) would be a better idea for openelec and avoid the go source becoming cluttered up with openelec exceptions!

This change was introduced in c2e0fdc as far as I can see

[stefansaraev]

why is /etc/pki/tls/cacert.pem "standard" but /etc/ssl/cert.pem not? is the "standard" defined somewhere?

[escalade]

A symlink to the old location would save the Go devs from supporting yet another variation and save users of Go related addons headache after upgrading.

[lrusak]

Just patch golang, https://github.com/LibreELEC/LibreELEC.tv/blob/master/packages/addons/addon-depends/go/patches/go-0001-add-ca-cert-location.patch

[ncw]

@sraue thanks for fixing this - looks good.