Add automatic CA certificate trust setup

Adds InstallCACertificate() method that:
- Installs CA cert to /usr/local/share/ca-certificates/ (Linux)
- Runs update-ca-certificates for system-wide trust
- Sets environment variables for tool-specific trust:
  - SSL_CERT_FILE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, NODE_EXTRA_CA_CERTS

Gracefully handles permission errors and continues operation.
Tools inside jail will now automatically trust proxy certificates.

Co-authored-by: f0ssel <19379394+f0ssel@users.noreply.github.com>

Author: blink-so[bot]

main.go

@@ -154,6 +154,11 @@ func runBoundary(inv *serpent.Invocation) error {
 			return fmt.Errorf("failed to create certificate manager: %v", err)
 		}
 
+		// Automatically install CA certificate for system and tool trust
+		if err := certManager.InstallCACertificate(); err != nil {
+			logger.Warn("Failed to install CA certificate, manual setup may be required", "error", err)
+		}
+
 		tlsConfig = certManager.GetTLSConfig()
 
 		// Get CA certificate for environment

tls/tls.go

@@ -12,6 +12,7 @@ import (
 	"math/big"
 	"net"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"sync"
 	"time"
@@ -293,6 +294,69 @@ func (cm *CertificateManager) generateServerCertificate(hostname string) (*tls.C
 	return tlsCert, nil
 }
 
+// InstallCACertificate installs the CA certificate into the system trust store
+func (cm *CertificateManager) InstallCACertificate() error {
+	// Get CA certificate in PEM format
+	caCertPEM, err := cm.GetCACertPEM()
+	if err != nil {
+		return fmt.Errorf("failed to get CA certificate: %v", err)
+	}
+
+	// Install system-wide certificate (Linux)
+	if err := cm.installSystemCertificate(caCertPEM); err != nil {
+		cm.logger.Warn("Failed to install system certificate, continuing anyway", "error", err)
+	}
+
+	// Set up environment variables for tool-specific trust
+	if err := cm.setupEnvironmentVariables(); err != nil {
+		cm.logger.Warn("Failed to setup environment variables", "error", err)
+	}
+
+	cm.logger.Info("CA certificate trust setup completed")
+	return nil
+}
+
+// installSystemCertificate installs the CA certificate system-wide on Linux
+func (cm *CertificateManager) installSystemCertificate(caCertPEM []byte) error {
+	// Write certificate to system certificate directory
+	certPath := "/usr/local/share/ca-certificates/boundary-ca.crt"
+	if err := os.WriteFile(certPath, caCertPEM, 0644); err != nil {
+		return fmt.Errorf("failed to write certificate to %s: %v", certPath, err)
+	}
+
+	// Update system certificate store
+	cmd := exec.Command("update-ca-certificates")
+	if output, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("failed to update ca certificates: %v, output: %s", err, output)
+	}
+
+	cm.logger.Info("System CA certificate installed", "path", certPath)
+	return nil
+}
+
+// setupEnvironmentVariables sets up environment variables for tool-specific certificate trust
+func (cm *CertificateManager) setupEnvironmentVariables() error {
+	caCertPath := filepath.Join(cm.configDir, "ca-cert.pem")
+	
+	// Set environment variables for various tools
+	envVars := map[string]string{
+		"SSL_CERT_FILE":      caCertPath,
+		"REQUESTS_CA_BUNDLE": caCertPath,
+		"CURL_CA_BUNDLE":     caCertPath,
+		"NODE_EXTRA_CA_CERTS": caCertPath,
+	}
+
+	for key, value := range envVars {
+		if err := os.Setenv(key, value); err != nil {
+			cm.logger.Warn("Failed to set environment variable", "key", key, "error", err)
+		} else {
+			cm.logger.Debug("Set environment variable", "key", key, "value", value)
+		}
+	}
+
+	return nil
+}
+
 // GetConfigDir returns the configuration directory path
 func GetConfigDir() (string, error) {
 	homeDir, err := os.UserHomeDir()