Merge "Replace pip-installed requests CA bundle with link"

lib/tls

@@ -202,6 +202,7 @@ subjectAltName          = \$ENV::SUBJECT_ALT_NAME
 # Create root and intermediate CAs
 # init_CA
 function init_CA {
+    fix_system_ca_bundle_path
     # Ensure CAs are built
     make_root_CA $ROOT_CA_DIR
     make_int_CA $INT_CA_DIR $ROOT_CA_DIR
@@ -338,6 +339,29 @@ function make_root_CA {
         -outform PEM
 }
 
+# If a non-system python-requests is installed then it will use the
+# built-in CA certificate store rather than the distro-specific
+# CA certificate store. Detect this and symlink to the correct
+# one. If the value for the CA is not rooted in /etc then we know
+# we need to change it.
+function fix_system_ca_bundle_path {
+    if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+        local capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
+
+        if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then
+            if is_fedora; then
+                sudo rm -f $capath
+                sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath
+            elif is_ubuntu; then
+                sudo rm -f $capath
+                sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath
+            else
+                echo "Don't know how to set the CA bundle, expect the install to fail."
+            fi
+        fi
+    fi
+}
+
 
 # Certificate Input Configuration
 # ===============================