db: Add Crunchybridge certificate as root certificate

Turbo87 · Turbo87 · commit 0c9c182c98e3 · 2024-07-30T10:38:46.000+02:00
… because otherwise the native TLS stack on our server complains about the self-signed certificate in the cert chain.
diff --git a/src/certs/crunchy.pem b/src/certs/crunchy.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAUqgAwIBAgIJAMDLUd0ypWHdMAoGCCqGSM49BAMDMCUxIzAhBgNVBAMM
+GnJqamxwMmxnbWJjanZvamV4YjN3NndsNTVlMB4XDTI0MDYwNTA2MjcyOVoXDTQ0
+MDUzMTA2MjcyOVowJTEjMCEGA1UEAwwacmpqbHAybGdtYmNqdm9qZXhiM3c2d2w1
+NWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4J3uDAfsWOQFD6XAwpPWOvviY
+kCPqyJ37OGMOhA70zvQKOnxTmrKu2p7lsyVrnbCtD4Ve11CouI4iDPeVmK/wo2Mw
+YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUy5m8
+qXuAIReA7KFV1fKaHLPZo14wHwYDVR0jBBgwFoAUy5m8qXuAIReA7KFV1fKaHLPZ
+o14wCgYIKoZIzj0EAwMDRwAwRAIgQfpsO+B96Xse+ushnl+0Abx2tx0F5ac+K0L/
+x4uyKP4CIBaCSz+Oa/rG30W2F0VVtJN8guKFvnCMy7Gg/XCGGx8l
+-----END CERTIFICATE-----
diff --git a/src/certs/mod.rs b/src/certs/mod.rs
@@ -1,4 +1,8 @@
-//! Certificates from <https://letsencrypt.org/certificates/>.
-
+/// Certificate from <https://letsencrypt.org/certificates/>.
 pub const ISRG_ROOT_X1: &[u8] = include_bytes!("./isrg-root-x1.pem");
+
+/// Certificate from <https://letsencrypt.org/certificates/>.
 pub const ISRG_ROOT_X2: &[u8] = include_bytes!("./isrg-root-x2.pem");
+
+/// crates.io team certificate from <https://crunchybridge.com/>.
+pub const CRUNCHY: &[u8] = include_bytes!("./crunchy.pem");
diff --git a/src/db.rs b/src/db.rs
@@ -1,8 +1,9 @@
+use crate::certs::CRUNCHY;
 use diesel::{Connection, ConnectionResult, PgConnection, QueryResult};
 use diesel_async::pooled_connection::deadpool::{Hook, HookError};
 use diesel_async::pooled_connection::ManagerConfig;
 use diesel_async::{AsyncPgConnection, RunQueryDsl};
-use native_tls::TlsConnector;
+use native_tls::{Certificate, TlsConnector};
 use postgres_native_tls::MakeTlsConnector;
 use secrecy::ExposeSecret;
 use std::time::Duration;
@@ -60,7 +61,10 @@ pub fn make_manager_config() -> ManagerConfig<AsyncPgConnection> {
 async fn establish_async_connection(url: &str) -> ConnectionResult<AsyncPgConnection> {
     use diesel::ConnectionError::BadConnection;
 
+    let cert = Certificate::from_pem(CRUNCHY).map_err(|err| BadConnection(err.to_string()))?;
+
     let connector = TlsConnector::builder()
+        .add_root_certificate(cert)
         // The TLS certificate of our current database server has a long validity
         // period and OSX rejects such certificates as "not trusted". If you run
         // into "Certificate was not trusted" errors during local development,
