Infra: Honour archive-query-tls-curl-ca-args
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 28 Jun 2015 15:03:47 +0000 (16:03 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 28 Jun 2015 15:03:47 +0000 (16:03 +0100)
dgit
infra/get-dm-txt

diff --git a/dgit b/dgit
index 4986dd081e35142222cd1152d9e18eababd5c763..eea4dbc53fbbbd5e89022116ada26abfbec82a24 100755 (executable)
--- a/dgit
+++ b/dgit
@@ -452,6 +452,10 @@ our %defcfg = ('dgit.default.distro' => 'debian',
  'dgit-distro.debian.archive-query-url', 'https://api.ftp-master.debian.org/',
  'dgit-distro.debian.archive-query-tls-key',
     '/etc/ssl/certs/%HOST%.pem:/etc/dgit/%HOST%.pem',
+#
+# 'dgit-distro.debian.archive-query-tls-curl-args',
+#   '--ca-path=/etc/ssl/ca-debian',
+# ^ this is a workaround but works (only) on DSA-administered machines
               'dgit-distro.debian.diverts.alioth' => '/alioth',
               'dgit-distro.debian/alioth.git-host' => 'git.debian.org',
               'dgit-distro.debian/alioth.git-user-force' => '',
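Review bot: The commented-out example after the `archive-query-tls-key` entry names the key `archive-query-tls-curl-args`, but the code this commit adds to `archive_api_query_cmd` reads `archive-query-tls-curl-ca-args`, so anyone uncommenting it as written would set a key that nothing consults. The sample value is also spelled `--ca-path=`, whereas every other place in this commit passes the option to curl as `--capath`; it should be checked against curl's option name before anyone copies it. I would write the example as `# 'dgit-distro.debian.archive-query-tls-curl-ca-args',` followed by `#   '--capath=/etc/ssl/ca-debian',`, matching the form used by the line removed from infra/get-dm-txt. It would also help to extend the last comment line to say that setting this replaces the pinned-certificate check with trust in that CA directory.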
@@ -716,6 +720,10 @@ sub archive_api_query_cmd ($) {
            push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
            last;
        }
+       # Fixing #790093 properly will involve providing a value
+       # for this on clients.
+       my $keys = access_cfg('archive-query-tls-curl-ca-args','RETURN-UNDEF');
+       push @cmd, split / /, $keys if defined $keys;
     }
     push @cmd, $url.$subpath;
     return @cmd;
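Review bot: `split / /, $keys` splits on every single space, so a doubled or leading space in the configured value puts an empty string into `@cmd` and curl receives a stray empty argument; `push @cmd, split ' ', $keys if defined $keys;` splits on runs of whitespace and skips leading blanks. The variable holds curl arguments rather than keys, so a name such as `$ca_args` would read better next to the `$key` used just above. These arguments appear to be appended after the `--cacert $key --capath /dev/enoent` pair pushed in the loop, and curl normally lets a later occurrence of an option replace an earlier one, so a configured value can widen trust beyond the pinned certificate. A comment such as `# NB: appended after any pinned --cacert/--capath, so this setting can override the pin` would make that explicit. `archive_api_query_cmd` begins before this hunk, so the loop structure is inferred from the visible closing braces.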
index 9885f9eae268d5b46134329c0bf66e8a5bdd5208..02e73f0e0dddf5ab10bdc1941bb0589ecef02bec 100755 (executable)
@@ -6,9 +6,8 @@ cd ${DGIT_INFRA_GETDMTXT_DATADIR-/srv/dgit.debian.org/data}
 file=dm.txt
 server=ftp-master.debian.org
 path=$file
-cert=/etc/ssl/certs/$server.pem
 
-certargs="--cacert=$cert --capath=/dev/enoent"
+certargs=$(git config dgit-distro.debian.archive-query-tls-curl-ca-args)
 
 with-lock-ex -f $file.lock sh -c "
        if ! curl $certargs \
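Review bot: With `certargs` now taken from `git config`, an unset key leaves it empty and curl would fall back to its default trust store, whereas the removed lines always pinned `--cacert=$cert --capath=/dev/enoent`. Whether the script instead aborts on the failing `git config` depends on shell options set above this hunk, which are not visible here. I would fail closed explicitly, e.g. `certargs=$(git config dgit-distro.debian.archive-query-tls-curl-ca-args) || { echo >&2 'archive-query-tls-curl-ca-args unset'; exit 1; }`. The value is also expanded inside the double-quoted `sh -c` string, so the inner shell parses it as shell text rather than only as curl arguments; a comment stating that this key must be administrator-controlled would be worth adding. The `with-lock-ex` command continues past the end of the hunk.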