Add openssl_ca_certs_file and openssl_ca_certs_dir config options

config/config.example.yml

@@ -140,6 +140,28 @@ https_only: false
 ##
 #pool_size: 100
 
+##
+## File containing the Certificate Authorities, in the PEM format
+## as expected by OpenSSL. For example, /etc/ssl1.1/certs.pem on Alpine.
+## By default, Invidious by using Crystal standard library will use
+## the default setting from the crystal binary it was compiled with.
+## This option is incompatible with openssl_ca_certs_dir.
+##
+## Default: <none>
+##
+#openssl_ca_certs_file:
+
+##
+## Folder containing the Certificate Authorities, in the PEM format
+## as expected by OpenSSL. For example, /etc/ssl/certs/ on Debian.
+## By default, Invidious by using Crystal standard library will use
+## the default setting from the crystal binary it was compiled with.
+## This option is incompatible with openssl_ca_certs_file.
+##
+## Default: <none>
+##
+#openssl_ca_certs_dir:
+
 
 ##
 ## Additional cookies to be sent when requesting the youtube API.

src/invidious/config.cr

@@ -126,6 +126,10 @@ class Config
   property host_binding : String = "0.0.0.0"
   # Pool size for HTTP requests to youtube.com and ytimg.com (each domain has a separate pool of `pool_size`)
   property pool_size : Int32 = 100
+  # CA certificates file for OpenSSL
+  property openssl_ca_certs_file : String? = nil
+  # CA certificates folder for OpenSSL
+  property openssl_ca_certs_dir : String? = nil
 
   # Use Innertube's transcripts API instead of timedtext for closed captions
   property use_innertube_for_captions : Bool = false
@@ -232,6 +236,12 @@ class Config
       end
     end
 
+    # We can only have openssl_ca_certs_file or openssl_ca_certs_dir, not both
+    if !(config.openssl_ca_certs_file.nil? || config.openssl_ca_certs_dir.nil?)
+      puts "Config: You can't have both openssl_ca_certs_file and openssl_ca_certs_folder."
+      exit(1)
+    end
+
     return config
   end
 end

src/invidious/yt_backend/connection_pool.cr

@@ -35,7 +35,14 @@ struct YoutubeConnectionPool
         response = yield conn
       rescue ex
         conn.close
-        conn = HTTP::Client.new(url)
+
+        tls_context = OpenSSL::SSL::Context::Client.new
+        if CONFIG.openssl_ca_certs_dir != nil
+          tls_context.ca_certificates_path = CONFIG.openssl_ca_certs_dir.not_nil!
+        elsif CONFIG.openssl_ca_certs_file != nil
+          tls_context.ca_certificates = CONFIG.openssl_ca_certs_file.not_nil!
+        end
+        conn = HTTP::Client.new(url, tls: tls_context)
 
         conn.family = CONFIG.force_resolve
         conn.family = Socket::Family::INET if conn.family == Socket::Family::UNSPEC
@@ -51,7 +58,13 @@ struct YoutubeConnectionPool
 
   private def build_pool
     DB::Pool(HTTP::Client).new(initial_pool_size: 0, max_pool_size: capacity, max_idle_pool_size: capacity, checkout_timeout: timeout) do
-      conn = HTTP::Client.new(url)
+      tls_context = OpenSSL::SSL::Context::Client.new
+      if CONFIG.openssl_ca_certs_dir != nil
+        tls_context.ca_certificates_path = CONFIG.openssl_ca_certs_dir.not_nil!
+      elsif CONFIG.openssl_ca_certs_file != nil
+        tls_context.ca_certificates = CONFIG.openssl_ca_certs_file.not_nil!
+      end
+      conn = HTTP::Client.new(url, tls: tls_context)
       conn.family = CONFIG.force_resolve
       conn.family = Socket::Family::INET if conn.family == Socket::Family::UNSPEC
       conn.before_request { |r| add_yt_headers(r) } if url.host == "www.youtube.com"