From 6238b12f885faf2acd04baf4c4d8d37f3301faad Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra <kiara@procolix.eu>
Date: Mon, 13 Oct 2025 18:25:42 +0200
Subject: [PATCH] handle CA certificate

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
---
 .../check/data-model-tf-proxmox/nixosTest.nix | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/deployment/check/data-model-tf-proxmox/nixosTest.nix b/deployment/check/data-model-tf-proxmox/nixosTest.nix
index 56a3fbee..cb8578ad 100644
--- a/deployment/check/data-model-tf-proxmox/nixosTest.nix
+++ b/deployment/check/data-model-tf-proxmox/nixosTest.nix
@@ -134,10 +134,32 @@ in
 
     # pve.succeed("pvesh set /access/password --userid root@pam --password mypwdlol --confirmation-password mytestpw 1>&2")
     # pve.succeed("curl -s -i -k -d '{\"userid\":\"root@pam\",\"password\":\"mypwdhaha\",\"confirmation-password\":\"mypwdlol\"}' -X PUT https://localhost:8006/api2/json/access/password 1>&2")
+    cert = pve.succeed("cat /etc/pve/pve-root-ca.pem").strip()
+
+    # skip indent for EOF
+    deployer.succeed(f"""
+    cat > /etc/ssl/certs/pve-root-ca.pem <<EOF
+    {cert}
+    EOF
+    """)
+
+    deployer.succeed("""
+      set -xe
+      cd /etc/ssl/certs
+      { cat ca-bundle.crt
+        cat ca-certificates.crt
+        cat pve-root-ca.pem
+      } > new-ca-bundle.crt
+      rm ca-bundle.crt ca-certificates.crt
+      mv new-ca-bundle.crt ca-bundle.crt
+      ln -s ca-bundle.crt ca-certificates.crt
+      openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
+    """)
 
     with subtest("Run the deployment"):
-      deployer.succeed("""
-        ${lib.getExe deployment.run}
+      deployer.succeed(f"""
+        export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
+        ${lib.getExe deployment.run} >&2
       """)
       # target.succeed("su - operator -c hello 1>&2")
   '';