From 6a370a002d008dffaf9f47b7db3da47b40e57254 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Fri, 16 Dec 2016 12:21:06 -0500
Subject: [PATCH] 10684: Add -ca-certs option
---
 sdk/go/arvadosclient/arvadosclient.go | 10 +++++++---
 sdk/go/keepclient/keepclient.go | 1 -
 services/crunch-run/crunchrun.go | 3 +++
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/sdk/go/arvadosclient/arvadosclient.go b/sdk/go/arvadosclient/arvadosclient.go
index dc3eddba65..021b9471ff 100644
--- a/sdk/go/arvadosclient/arvadosclient.go
+++ b/sdk/go/arvadosclient/arvadosclient.go
@@ -105,7 +105,11 @@ type ArvadosClient struct {
 Retries int
 }
 
-var CertFiles = []string{"/etc/arvados/ca-certificates.crt"}
+var CertFiles = []string{
+ "/etc/arvados/ca-certificates.crt",
+ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
+ "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL
+}
 
 // MakeTLSConfig sets up TLS configuration for communicating with Arvados and Keep services.
 func MakeTLSConfig(insecure bool) *tls.Config {
@@ -119,14 +123,14 @@ func MakeTLSConfig(insecure bool) *tls.Config {
 if err == nil {
 success := certs.AppendCertsFromPEM(data)
 if !success {
- fmt.Errorf("Did not load any certificates from %v", file)
+ fmt.Printf("Unable to load any certificates from %v", file)
 } else {
 tlsconfig.RootCAs = certs
 break
 }
 }
 }
- // Will use system default CA roots if /etc/arvados/ca-certificates.crt not found.
+ // Will use system default CA roots instead.
 }
 
 return &tlsconfig
diff --git a/sdk/go/keepclient/keepclient.go b/sdk/go/keepclient/keepclient.go
index 1df0fa3f6a..79a87156a6 100644
--- a/sdk/go/keepclient/keepclient.go
+++ b/sdk/go/keepclient/keepclient.go
@@ -4,7 +4,6 @@ package keepclient
 import (
 "bytes"
 "crypto/md5"
- "crypto/tls"
 "errors"
 "fmt"
 "git.curoverse.com/arvados.git/sdk/go/arvadosclient"
diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index b14fa2c28b..10b3a61c88 100644
--- a/services/crunch-run/crunchrun.go
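Review bot: `CertFiles` is an exported, mutable package variable with no doc comment, and now that it has three entries their order decides which trust store is used. The loop in the MakeTLSConfig hunk stops at the first file that yields a certificate and assigns only that pool to `RootCAs`, so the bundles are alternatives, not a merged set. I would say so on the declaration, e.g. `// CertFiles lists candidate CA bundle paths in priority order; MakeTLSConfig uses only the first file that yields a certificate.` Because importers can reassign the slice (crunchrun.go does in this commit), the comment should also note that it presumably has to be set before the first client is created.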
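Review bot: The replacement `fmt.Printf` in the `if !success` branch writes its diagnostic to standard output from library code, with no trailing newline, so it can end up interleaved with a caller's real output. A logger call such as `log.Printf("arvadosclient: no certificates loaded from %v", file)` would be the usual choice, assuming `log` is or can be imported in this file, which the hunk does not show. The `if err == nil` guard also has no else branch in the visible lines, so a bundle that fails to load for whatever produced `err` (the read is above the hunk) is skipped silently. The function then falls through to the system roots without telling the operator which trust store is in effect, and logging that error would make the fallback visible. MakeTLSConfig starts and ends outside this hunk.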
+++ b/services/crunch-run/crunchrun.go
@@ -912,10 +912,13 @@ func main() {
 cgroupRoot := flag.String("cgroup-root", "/sys/fs/cgroup", "path to sysfs cgroup tree")
 cgroupParent := flag.String("cgroup-parent", "docker", "name of container's parent cgroup (ignored if -cgroup-parent-subsystem is used)")
 cgroupParentSubsystem := flag.String("cgroup-parent-subsystem", "", "use current cgroup for given subsystem as parent cgroup for container")
+ caCertsPath := flag.String("ca-certs", "/etc/arvados/ca-certificates.crt", "Path to TLS root certificates")
 flag.Parse()
 
 containerId := flag.Arg(0)
 
+ arvadosclient.CertFiles = []string{*caCertsPath}
+
 api, err := arvadosclient.MakeArvadosClient()
 if err != nil {
 log.Fatalf("%s: %v", containerId, err)
-- 
2.30.2
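Review bot: The assignment `arvadosclient.CertFiles = []string{*caCertsPath}` runs even when -ca-certs is not given, so crunch-run always replaces the three-entry fallback list added in arvadosclient.go with the single default path. The bigger concern is an operator who passes -ca-certs to pin a private CA: going by the MakeTLSConfig hunk, a mistyped or unreadable path is skipped without an error and the client falls back to the system roots, a wider trust set than was asked for. I would default the flag to `""`, override only when it is set (`if *caCertsPath != "" { arvadosclient.CertFiles = []string{*caCertsPath} }`), and exit with `log.Fatalf` when an explicitly given file cannot be read or yields no certificates. main() continues outside the hunk.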