heroku / heroku-buildpack-php

Heroku's buildpack for PHP applications.
https://devcenter.heroku.com/categories/php
MIT License

Configure the AMQP CA path automatically #665

Open stof opened 10 months ago

stof commented 10 months ago

When enabling TLS, ext-amqp does not support reading the CA store of the OS automatically (nor the OpenSSL one used by PHP for stream wrappers). Instead, it requires configuring it either in php.ini via amqp.cacert or by passing the cacert option when instantiating the connection.

It would be great if the buildpack could automatically configure this amqp.cacert parameter to point to the default cert file on the system.

For reference, running php -r 'var_dump(openssl_get_cert_locations()["default_cert_file"]);' in a one-off dyno shows it as being at /usr/lib/ssl/cert.pem.

dzuelke commented 10 months ago

So the trouble is that /usr/lib/ssl/cert.pem does not exist on Ubuntu systems. Instead, OpenSSL loads specific CAs from default_cert_dir if told to do so, and that's the behavior most programs and libraries rely upon these days.

The extension uses amqp_ssl_socket_set_cacert, which in turn only passes *CAfile to SSL_CTX_load_verify_locations(), not *CApath, which would also allow passing a directory.

However, there is now an API to enable loading of default certs in librabbitmq: https://github.com/alanxz/rabbitmq-c/pull/790 - it calls SSL_CTX_set_default_verify_paths() under the hood, which is exactly what you want ;)

I think the best solution here is for ext-amqp to implement this API (once it's in a release). Maybe even by default if amqp.cacert is not set.

The library might also benefit from a way to set a directory instead of a file.

Might also be worth asking @alanxz to cut a release sometime soon-ish with that recent change included, and to work with Debian/Ubuntu maintainers to update https://salsa.debian.org/debian/librabbitmq and https://launchpad.net/ubuntu/+source/librabbitmq to use the new version. Feature freeze for Noble Numbat (24.04) isn't until February 29, but these things take time (you want the update in Debian first, then Ubuntu pulls it in): https://discourse.ubuntu.com/t/noble-numbat-release-schedule/35649
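The two comments above describe the gap from both sides: ext-amqp only accepts a CA *file* (amqp.cacert / the cacert option), while OpenSSL's compiled-in default_cert_file may not exist on Ubuntu, where trust comes from default_cert_dir. The script below is an added example, not code from the issue thread, the buildpack or ext-amqp: it resolves a usable CA bundle file the way a buildpack or application bootstrap could, falling back from OpenSSL's reported default_cert_file to well-known distro bundle paths (that list is an assumption, not something stated in the thread), validates that the file actually contains a certificate, and then either emits a php.ini fragment or passes the path as the cacert option. The AMQPConnection option names cacert and verify are taken from ext-amqp's documented credentials array; the helper names are invented for this example.

```php
<?php
// Added example (not part of the issue or the buildpack): find a CA bundle
// *file* for ext-amqp, which cannot take a directory (CApath).

/**
 * Return the first readable CA bundle file that contains a parsable
 * certificate, or null if none is found.
 *
 * Order: explicit override, $SSL_CERT_FILE, OpenSSL's compiled-in
 * default_cert_file (often absent on Ubuntu), then well-known distro bundles.
 * The distro list is an assumption for this example, not from the thread.
 */
function resolveCaBundle(?string $override = null): ?string
{
    $loc = openssl_get_cert_locations();

    $candidates = array_filter([
        $override,
        getenv($loc['default_cert_file_env']) ?: null, // usually SSL_CERT_FILE
        $loc['ini_cafile'] ?: null,                    // openssl.cafile from php.ini
        $loc['default_cert_file'],                     // e.g. /usr/lib/ssl/cert.pem
        $loc['default_cert_dir'] . '/ca-certificates.crt',
        '/etc/ssl/certs/ca-certificates.crt',          // Debian/Ubuntu (ca-certificates)
        '/etc/pki/tls/certs/ca-bundle.crt',            // RHEL/Fedora
        '/etc/ssl/ca-bundle.pem',                      // SUSE
        '/etc/ssl/cert.pem',                           // Alpine, macOS
    ]);

    foreach ($candidates as $path) {
        if (is_file($path) && is_readable($path) && bundleHasCertificate($path)) {
            return $path;
        }
    }
    return null;
}

/**
 * Sanity check: the file must contain at least one PEM block that OpenSSL
 * parses as an X.509 certificate. Guards against pointing amqp.cacert at an
 * empty or truncated file, which would make every TLS handshake fail.
 */
function bundleHasCertificate(string $path): bool
{
    $data = file_get_contents($path);
    if ($data === false) {
        return false;
    }
    if (!preg_match('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $data, $m)) {
        return false;
    }
    return openssl_x509_read($m[0]) !== false;
}

/**
 * php.ini fragment a buildpack could drop into the conf.d directory so that
 * amqp.cacert is set process-wide without touching application code.
 */
function amqpIniFragment(string $caFile): string
{
    return "amqp.cacert = \"{$caFile}\"\namqp.verify = 1\n";
}

/**
 * Per-connection alternative: pass the bundle via the credentials array.
 * Hostname/port are placeholders; verify=true enables peer verification.
 */
function amqpTlsCredentials(string $caFile, string $host = 'broker.example'): array
{
    return [
        'host'   => $host,
        'port'   => 5671,      // AMQPS
        'cacert' => $caFile,
        'verify' => true,
    ];
}

$ca = resolveCaBundle();
if ($ca === null) {
    fwrite(STDERR, "no usable CA bundle file found; set SSL_CERT_FILE or amqp.cacert explicitly\n");
    exit(1);
}

echo amqpIniFragment($ca);

if (class_exists('AMQPConnection')) {
    // Only runs where ext-amqp is loaded; a missing bundle would otherwise
    // surface here as a TLS handshake/verification error.
    $conn = new AMQPConnection(amqpTlsCredentials($ca));
    echo "AMQPConnection configured with cacert={$ca}\n";
} else {
    echo "ext-amqp not loaded; would use cacert={$ca}\n";
}
```

Running this in a one-off dyno alongside the openssl_get_cert_locations() check from the first comment shows whether default_cert_file exists at all; when it does not, the function lands on the ca-certificates bundle instead, which is the file ext-amqp needs until it gains an API for SSL_CTX_set_default_verify_paths().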