handle CA certificate

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>

deployment/check/data-model-tf-proxmox/nixosTest.nix

@@ -134,10 +134,32 @@ in
 
     # pve.succeed("pvesh set /access/password --userid root@pam --password mypwdlol --confirmation-password mytestpw 1>&2")
     # pve.succeed("curl -s -i -k -d '{\"userid\":\"root@pam\",\"password\":\"mypwdhaha\",\"confirmation-password\":\"mypwdlol\"}' -X PUT https://localhost:8006/api2/json/access/password 1>&2")
+    cert = pve.succeed("cat /etc/pve/pve-root-ca.pem").strip()
+
+    # skip indent for EOF
+    deployer.succeed(f"""
+    cat > /etc/ssl/certs/pve-root-ca.pem <<EOF
+    {cert}
+    EOF
+    """)
+
+    deployer.succeed("""
+      set -xe
+      cd /etc/ssl/certs
+      { cat ca-bundle.crt
+        cat ca-certificates.crt
+        cat pve-root-ca.pem
+      } > new-ca-bundle.crt
+      rm ca-bundle.crt ca-certificates.crt
+      mv new-ca-bundle.crt ca-bundle.crt
+      ln -s ca-bundle.crt ca-certificates.crt
+      openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
+    """)
 
     with subtest("Run the deployment"):
-      deployer.succeed("""
+      deployer.succeed(f"""
-        ${lib.getExe deployment.run}
+        export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
+        ${lib.getExe deployment.run} >&2
       """)
       # target.succeed("su - operator -c hello 1>&2")
   '';