author: Stan Hu <stanhu@gmail.com>, 2019-07-15 09:28:56 -0700
committer: Stan Hu <stanhu@gmail.com>, 2019-07-15 10:07:10 -0700
commit: a6c0f95705fe790775deb86772173a897322bdc1 (patch)
tree: 5d34732aa754882d767f8df53c69928c1238cc22
parent: 96277bb9d61b5aaf5c2edc388c5eabfc743478f0 (diff)
download: gitlab-ce-sh-fix-httpclient-ssl.tar.gz

Make httpclient respect system SSL configuration [sh-fix-httpclient-ssl]

By default, httpclient (and hence anything that uses rack-oauth2) ignores the system-wide SSL certificate configuration in favor of its own `cacert.pem`. This makes it impossible to use custom certificates without patching that file. Until https://github.com/nahi/httpclient/pull/386 is merged, we work around this limitation by forcing the `HTTPClient` SSL store to use the default system configuration.

Closes https://gitlab.com/charts/gitlab/issues/1436

-rw-r--r-- changelogs/unreleased/sh-fix-httpclient-ssl.yml | 5
-rw-r--r-- config/initializers/httpclient_patch.rb | 18
2 files changed, 23 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-fix-httpclient-ssl.yml b/changelogs/unreleased/sh-fix-httpclient-ssl.yml
new file mode 100644
index 00000000000..fda4e2e7084
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-httpclient-ssl.yml
@@ -0,0 +1,5 @@
+---
+title: Make httpclient respect system SSL configuration
+merge_request: 30749
+author:
+type: fixed
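Review bot: The `title:` line says "system SSL configuration", which is broader than what this commit changes: the initializer only switches the certificate store that httpclient verifies against, away from its own `cacert.pem`. Suggest naming that in the title, for example "Make httpclient use the system certificate store instead of its bundled cacert.pem", so administrators who deploy custom certificates can find the entry in the release notes.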
diff --git a/config/initializers/httpclient_patch.rb b/config/initializers/httpclient_patch.rb
new file mode 100644
index 00000000000..22cc5605d9b
--- /dev/null
+++ b/config/initializers/httpclient_patch.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# By default, httpclient (and hence anything that uses rack-oauth2)
+# ignores the system-wide SSL certificate configuration in favor of its
+# own cacert.pem. This makes it impossible to use custom certificates
+# without patching that file. Until
+# https://github.com/nahi/httpclient/pull/386 is merged, we work around
+# this limitation by forcing the HTTPClient SSL store to use the default
+# system configuration.
+module HTTPClient::SSLConfigDefaultPaths
+ def initialize(client)
+ super
+
+ set_default_paths
+ end
+end
+
+HTTPClient::SSLConfig.prepend HTTPClient::SSLConfigDefaultPaths
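Review bot: The `prepend` on the last line changes the trust store for every `HTTPClient::SSLConfig` created in the process, but the diffstat shows only the changelog and this initializer, so nothing tests that `set_default_paths` actually runs or that verification still works afterwards. Suggest adding a spec that builds an `HTTPClient` and asserts the override was applied. The header comment also says the workaround is needed only "until" the upstream pull request is merged, yet nothing in the file ties the patch to an httpclient version; a version check or a removal note next to the `prepend` would keep the monkey patch from outliving the upstream fix. Since certificate verification now depends entirely on the host's certificate configuration, it is also worth stating in the comment what happens to installations that relied on the bundled `cacert.pem`.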