MB-51030: Ensure CURL_CA_BUNDLE is set in environment when running Se…

…rver Change-Id: Idf743917423ab1f0512d48cd419fe432a5a763b5 Reviewed-on: https://review.couchbase.org/c/ns_server/+/171566 Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Bryan McCoid <bryan.mccoid@couchbase.com> Tested-by: Chris Hillery <ceej@couchbase.com>
couchbase · Mar 1, 2022 · 4614f3a · 4614f3a
1 parent 459ef03
commit 4614f3a
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/couchbase-server.sh.in b/couchbase-server.sh.in
@@ -115,6 +115,26 @@ EOF
     fi
 }
 
+_config_curl_env() {
+    # Search for the distro-provided certificate bundle. Uses the
+    # same hunt algorithm as Golang:
+    # https://golang.org/src/crypto/x509/root_linux.go
+    cert_files=(
+        "/etc/ssl/certs/ca-certificates.crt"                # Debian/Ubuntu/Gentoo etc.
+        "/etc/pki/tls/certs/ca-bundle.crt"                  # Fedora/RHEL 6
+        "/etc/ssl/ca-bundle.pem"                            # OpenSUSE
+        "/etc/pki/tls/cacert.pem"                           # OpenELEC
+        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" # CentOS/RHEL 7
+        "/etc/ssl/cert.pem"                                 # Alpine Linux
+    )
+    for cert_file in ${cert_files[@]}; do
+        if [ -e "${cert_file}" ]; then
+            export CURL_CA_BUNDLE=${cert_file}
+            break
+        fi
+    done
+}
+
 _check_datadir_writeable() {
     operation="$1"
     if [ ! -w $CB_DATA_DIR ]; then
@@ -196,6 +216,9 @@ _start() {
     _check_ulimit -u 10000 "maximum number of processes" "nproc"
     _check_ulimit -n 200000 "maximum number of open files" "nofile"
 
+    # Detect curl cabundle and set environment.
+    _config_curl_env
+
     _maybe_start_epmd
     _load_config