From 72f5df2e09c31679f949b4e1d1b0cdd23123f48b Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Mon, 24 Feb 2025 16:35:52 -0800 Subject: [PATCH] install: Remove --cacert and CUSTOM_CA_CERTIFICATES. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This has been broken for many years and nobody’s complained. Signed-off-by: Anders Kaseorg --- scripts/lib/install | 9 --------- scripts/lib/install-node | 6 +----- scripts/lib/setup_venv.py | 12 ------------ tools/fetch-contributor-data | 2 -- zerver/management/commands/fetch_tor_exit_nodes.py | 6 +----- 5 files changed, 2 insertions(+), 33 deletions(-) diff --git a/scripts/lib/install b/scripts/lib/install index c3f3990b53..662cb6e725 100755 --- a/scripts/lib/install +++ b/scripts/lib/install @@ -25,10 +25,6 @@ Options: --self-signed-cert Generate a self-signed SSL certificate for the server. This isn’t suitable for production use, but may be convenient for testing. Conflicts with --certbot. - --cacert=/path/to/ca.pem - Set the CA which used to establish TLS to all public internet sites during the - install process; used when this command is run once in a highly-controlled - environment to produce an image which is used elsewhere. Uncommon. --postgresql-database-name=zulip Sets the PostgreSQL database name. @@ -120,11 +116,6 @@ while true; do USE_CERTBOT=1 shift ;; - --cacert) - export CUSTOM_CA_CERTIFICATES="$2" - shift - shift - ;; --self-signed-cert) SELF_SIGNED_CERT=1 shift diff --git a/scripts/lib/install-node b/scripts/lib/install-node index ac7eb8de10..877341643c 100755 --- a/scripts/lib/install-node +++ b/scripts/lib/install-node 
@@ -26,11 +26,7 @@ if ! check_version 2>/dev/null; then tmpdir="$(mktemp -d)" trap 'rm -r "$tmpdir"' EXIT cd "$tmpdir" - curl_opts=(-fLO --retry 3) - if [ -n "${CUSTOM_CA_CERTIFICATES:-}" ]; then - curl_opts+=(--cacert "${CUSTOM_CA_CERTIFICATES}") - fi - curl "${curl_opts[@]}" "https://nodejs.org/dist/v$version/$tarball" + curl -fLO --retry 3 "https://nodejs.org/dist/v$version/$tarball" sha256sum -c <<<"$sha256 $tarball" rm -rf /srv/zulip-node mkdir -p /srv/zulip-node diff --git a/scripts/lib/setup_venv.py b/scripts/lib/setup_venv.py index 4bacba06e5..562a2cdb15 100644 --- a/scripts/lib/setup_venv.py +++ b/scripts/lib/setup_venv.py @@ -303,13 +303,6 @@ def setup_virtualenv( return cached_venv_path -def add_cert_to_pipconf() -> None: - conffile = os.path.expanduser("~/.pip/pip.conf") - confdir = os.path.expanduser("~/.pip/") - os.makedirs(confdir, exist_ok=True) - run(["crudini", "--set", conffile, "global", "cert", os.environ["CUSTOM_CA_CERTIFICATES"]]) - - def do_setup_virtualenv(venv_path: str, requirements_file: str) -> None: # Set up Python virtualenv new_packages = set(get_package_names(requirements_file)) @@ -326,11 +319,6 @@ def do_setup_virtualenv(venv_path: str, requirements_file: str) -> None: pip = os.path.join(venv_path, "bin", "pip") - # use custom certificate if needed - if os.environ.get("CUSTOM_CA_CERTIFICATES"): - print("Configuring pip to use custom CA certificates...") - add_cert_to_pipconf() - try: install_venv_deps(pip, requirements_file) except subprocess.CalledProcessError: diff --git a/tools/fetch-contributor-data b/tools/fetch-contributor-data index 5bafd1ee4f..a3dc241b48 100755 --- a/tools/fetch-contributor-data +++ b/tools/fetch-contributor-data 
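Review bot: The new `curl -fLO --retry 3 "https://nodejs.org/dist/v$version/$tarball"` line in scripts/lib/install-node validates the server only against the system trust store, and nothing tells an operator who still exports `CUSTOM_CA_CERTIFICATES` that the variable is now ignored. Behind a TLS-inspecting proxy the download will fail certificate verification (the safe direction) with no hint why. I would add a comment above the call such as `# TLS uses the system CA store (curl also honours CURL_CA_BUNDLE); the sha256sum -c below is what pins the tarball.` The enclosing `if ! check_version` block starts and ends outside the hunk. Relatedly, the setup_venv.py hunks on this line stop writing `cert` into `~/.pip/pip.conf` but do not clear an entry left by an earlier run, so a host that once used the option may keep that bundle as pip's trust anchor; this seems worth a line in the upgrade notes.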
@@ -61,7 +61,6 @@ def fetch_contributors(repo_name: str, max_retries: int) -> list[Contributor]: api_link = f"https://api.github.com/repos/zulip/{repo_name}/contributors" api_data = {"anon": "1"} - certificates = os.environ.get("CUSTOM_CA_CERTIFICATES") headers: dict[str, str] = {} personal_access_token = get_secret("github_personal_access_token") @@ -84,7 +83,6 @@ def fetch_contributors(repo_name: str, max_retries: int) -> list[Contributor]: response = session.get( api_link, params={**api_data, "page": f"{page_index}"}, - verify=certificates, headers=headers, ) response.raise_for_status() diff --git a/zerver/management/commands/fetch_tor_exit_nodes.py b/zerver/management/commands/fetch_tor_exit_nodes.py index 15aaa698a2..47734b59f5 100644 --- a/zerver/management/commands/fetch_tor_exit_nodes.py +++ b/zerver/management/commands/fetch_tor_exit_nodes.py @@ -48,12 +48,8 @@ Does nothing unless RATE_LIMIT_TOR_TOGETHER is enabled. if not settings.RATE_LIMIT_TOR_TOGETHER: return - certificates = os.environ.get("CUSTOM_CA_CERTIFICATES") session = TorDataSession(max_retries=options["max_retries"]) - response = session.get( - "https://check.torproject.org/exit-addresses", - verify=certificates, - ) + response = session.get("https://check.torproject.org/exit-addresses") response.raise_for_status() # Format:
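Review bot: On the new `session.get("https://check.torproject.org/exit-addresses")` call in fetch_tor_exit_nodes.py, certificate verification is the only authenticity check visible for data that, per the docstring context, feeds `RATE_LIMIT_TOR_TOGETHER`, and nothing in the code says so. I would add a comment above the call, e.g. `# Relies on the session's default certificate verification; do not pass verify=False, the list has no other integrity check here.` Deployments that need a private CA can presumably still set `REQUESTS_CA_BUNDLE`, provided `TorDataSession` (defined outside this hunk) leaves `trust_env` at its default; that is worth confirming. The same remark applies to the `session.get(...)` in `fetch_contributors` in tools/fetch-contributor-data earlier on this line. The function body continues outside the hunk.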