install: Remove --cacert and CUSTOM_CA_CERTIFICATES.

This has been broken for many years and nobody’s complained.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

scripts/lib/install

@@ -25,10 +25,6 @@ Options:
   --self-signed-cert
       Generate a self-signed SSL certificate for the server. This isn’t suitable for
       production use, but may be convenient for testing.  Conflicts with --certbot.
-  --cacert=/path/to/ca.pem
-      Set the CA which used to establish TLS to all public internet sites during the
-      install process; used when this command is run once in a highly-controlled
-      environment to produce an image which is used elsewhere.  Uncommon.
 
   --postgresql-database-name=zulip
       Sets the PostgreSQL database name.
@@ -120,11 +116,6 @@ while true; do
             USE_CERTBOT=1
             shift
             ;;
-        --cacert)
-            export CUSTOM_CA_CERTIFICATES="$2"
-            shift
-            shift
-            ;;
         --self-signed-cert)
             SELF_SIGNED_CERT=1
             shift

scripts/lib/install-node

@@ -26,11 +26,7 @@ if ! check_version 2>/dev/null; then
     tmpdir="$(mktemp -d)"
     trap 'rm -r "$tmpdir"' EXIT
     cd "$tmpdir"
-    curl_opts=(-fLO --retry 3)
-    if [ -n "${CUSTOM_CA_CERTIFICATES:-}" ]; then
-        curl_opts+=(--cacert "${CUSTOM_CA_CERTIFICATES}")
-    fi
-    curl "${curl_opts[@]}" "https://nodejs.org/dist/v$version/$tarball"
+    curl -fLO --retry 3 "https://nodejs.org/dist/v$version/$tarball"
     sha256sum -c <<<"$sha256 $tarball"
     rm -rf /srv/zulip-node
     mkdir -p /srv/zulip-node

scripts/lib/setup_venv.py

@@ -303,13 +303,6 @@ def setup_virtualenv(
     return cached_venv_path
 
 
-def add_cert_to_pipconf() -> None:
-    conffile = os.path.expanduser("~/.pip/pip.conf")
-    confdir = os.path.expanduser("~/.pip/")
-    os.makedirs(confdir, exist_ok=True)
-    run(["crudini", "--set", conffile, "global", "cert", os.environ["CUSTOM_CA_CERTIFICATES"]])
-
-
 def do_setup_virtualenv(venv_path: str, requirements_file: str) -> None:
     # Set up Python virtualenv
     new_packages = set(get_package_names(requirements_file))
@@ -326,11 +319,6 @@ def do_setup_virtualenv(venv_path: str, requirements_file: str) -> None:
 
     pip = os.path.join(venv_path, "bin", "pip")
 
-    # use custom certificate if needed
-    if os.environ.get("CUSTOM_CA_CERTIFICATES"):
-        print("Configuring pip to use custom CA certificates...")
-        add_cert_to_pipconf()
-
     try:
         install_venv_deps(pip, requirements_file)
     except subprocess.CalledProcessError:

tools/fetch-contributor-data

@@ -61,7 +61,6 @@ def fetch_contributors(repo_name: str, max_retries: int) -> list[Contributor]:
 
     api_link = f"https://api.github.com/repos/zulip/{repo_name}/contributors"
     api_data = {"anon": "1"}
-    certificates = os.environ.get("CUSTOM_CA_CERTIFICATES")
 
     headers: dict[str, str] = {}
     personal_access_token = get_secret("github_personal_access_token")
@@ -84,7 +83,6 @@ def fetch_contributors(repo_name: str, max_retries: int) -> list[Contributor]:
         response = session.get(
             api_link,
             params={**api_data, "page": f"{page_index}"},
-            verify=certificates,
             headers=headers,
         )
         response.raise_for_status()

zerver/management/commands/fetch_tor_exit_nodes.py

@@ -48,12 +48,8 @@ Does nothing unless RATE_LIMIT_TOR_TOGETHER is enabled.
         if not settings.RATE_LIMIT_TOR_TOGETHER:
             return
 
-        certificates = os.environ.get("CUSTOM_CA_CERTIFICATES")
         session = TorDataSession(max_retries=options["max_retries"])
-        response = session.get(
-            "https://check.torproject.org/exit-addresses",
-            verify=certificates,
-        )
+        response = session.get("https://check.torproject.org/exit-addresses")
         response.raise_for_status()
 
         # Format: