gleam-lang / gleam

⭐️ A friendly language for building type-safe, scalable systems!
https://gleam.run
Apache License 2.0

Add support to custom CA certificate stores #3246

Open kitoid opened 1 month ago

kitoid commented 1 month ago

Many corporate environments are protected by firewalls that act as an SSL forward proxy, effectively breaking the SSL connection and replacing the root certificate with one owned by the organization. For the general browsing use case that is not an issue, since the organization's root CA is added to the trusted certificate store of every client OS.

Unfortunately, command line tools (such as gleam) are generally not aware of those custom trusted certificates, and therefore the SSL connection fails when trying to obtain Hex packages: "Unable to determine package versions: error sending request for url (https://repo.hex.pm/packages/gleeunit): error trying to connect: invalid peer certificate: UnknownIssuer"

The most "convenient" approach for Windows users would be to configure Gleam to be able to use the OS certificate store, so any changes to the corporate certificate configuration can immediately be used by Gleam without any configuration changes. For instance, in Git this is solved by choosing the SChannel SSL backend: git config --global http.sslBackend schannel

However, this solution would require the use of a Windows-specific API, and would not solve the problem for non-Windows users.

Alternatively, an environment variable or a configuration setting can be used to specify the location of the trusted custom certificate store.

For instance, when using Elixir in a corporate environment, in order to retrieve Hex dependencies using mix you have the following two options to specify the path to the CA certificate store PEM file:

  1. Set the HEX_CACERTS_PATH environment variable to point to the custom certificate store.
  2. Use "mix hex.config cacerts_path /your/certificate/store.pem"

More background about this issue can be found on the related GitHub discussion page.
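As an added illustration of the resolution scheme proposed above (this is not Gleam's code, and the variable name GLEAM_CACERTS_PATH and config key cacerts_path are hypothetical, modelled on Hex's HEX_CACERTS_PATH): an environment variable takes precedence over a persisted config setting, the bundle is sanity-checked before use, and with neither set the client falls back to the system trust store.

```python
"""Resolve and load a custom CA bundle the way the issue proposes."""
import ssl
from pathlib import Path

# Hypothetical names, modelled on Hex's HEX_CACERTS_PATH / cacerts_path.
ENV_VAR = "GLEAM_CACERTS_PATH"
CONFIG_KEY = "cacerts_path"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def resolve_cacerts_path(environ, config):
    """Return the configured bundle path, or None to use the system store.

    Precedence mirrors the two Hex options: environment variable first,
    then the persistent config setting. Blank values count as unset.
    """
    for value in (environ.get(ENV_VAR), config.get(CONFIG_KEY)):
        if value and value.strip():
            return Path(value.strip()).expanduser()
    return None


def count_pem_certificates(text):
    """Count certificate blocks in a PEM bundle; raise on a malformed one.

    Catches the usual misconfigurations (DER export, empty file, truncated
    block) up front instead of surfacing them later as an opaque
    "invalid peer certificate: UnknownIssuer" at connect time.
    """
    begins, ends = text.count(PEM_BEGIN), text.count(PEM_END)
    if begins == 0:
        raise ValueError("no PEM certificate blocks found (DER-encoded file?)")
    if begins != ends:
        raise ValueError(f"malformed bundle: {begins} BEGIN vs {ends} END markers")
    return begins


def build_ssl_context(cacerts_path):
    """Default verifying context; the custom bundle is added on top of the
    OS roots (augmenting, not replacing), so public Hex still verifies."""
    ctx = ssl.create_default_context()
    if cacerts_path is not None:
        count_pem_certificates(Path(cacerts_path).read_text())
        ctx.load_verify_locations(cafile=str(cacerts_path))
    return ctx


if __name__ == "__main__":
    # Constructed inputs: env var wins over the config setting.
    print(resolve_cacerts_path({ENV_VAR: "~/corp-ca.pem"}, {CONFIG_KEY: "/etc/corp/ca.pem"}))
    print(build_ssl_context(None).verify_mode == ssl.CERT_REQUIRED)
```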

lpil commented 3 weeks ago

Adding an environment variable sounds fab!