Allowing xe VM import URL via HTTPS

[olivierlambert]

Hi there!

FYI, @psafont give me the hint on where to look and what's missing, so it should be accurate.

Currently, it's not possible to import a VM with xe and URL if we use HTTPS:

xe vm-import url=https://xoa.io/xva
The server failed to handle your request, due to an internal error. The given message may give details useful for debugging the problem.
message: Unix.Unix_error(Unix.ECONNRESET, "read", "")

It seems to try connecting on the URI via ocaml/xapi/xapi_vm.ml around line 1515. The issue is that by default the certificates trusted by default are the pool (internal) ones. Currently only two bundles can be used to trust that URI:

let appliance =
  {
    sni= None
  ; verify= CheckHost
  ; cert_bundle_path= "/etc/stunnel/xapi-stunnel-ca-bundle.pem"
  }

let pool =
  {
    sni= Some "pool"
  ; verify= VerifyPeer
  ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
  }

Maybe we can add the same trust as a browser, so we could download securely from an HTTPS URL. The question is to know if plumbing work would be the correct approach for this, or any other alternative. Hints appreciated so we could potentially contribute in the right direction. Thanks!