system: kill the SSL bundles in default locations

Neither OpenSSL base (/etc/ssl) nor ports (/usr/local/openssl) need
the bundle file now that we use the directory trust store.  The downside
is that as soon as the bundle exists OpenSSL library will read both the
directory and the bundle by default defeating the purpose of a single
location and the directory being faster.

Keep the fringe ca_root_nss location /usr/local/etc/ssl since that is
still seeded by the package but controlled and topped up by the user
configured authorities.
Franco Fichtner 2024-11-07 19:37:49 +01:00
parent a08931c718
commit 913a5caae3
6 changed files with 10 additions and 7 deletions


@ -985,7 +985,10 @@ function system_trust_configure($verbose = false)
$ca_bundle[] = file_get_contents($file);
}
$ca_bundle = join("\n", $ca_bundle);
foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem', '/usr/local/etc/ssl/cert.pem'] as $pem) {
foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem'] as $pem) {
@unlink($pem); /* remove permanently as we use the directory */
}
foreach (['/usr/local/etc/ssl/cert.pem'] as $pem) {
@unlink($pem); /* do not clobber symlink target */
file_put_contents($pem, $ca_bundle);
chmod($pem, 0644);
@ -1142,7 +1145,7 @@ function system_cron_configure($verbose = false)
$crontab_contents .= "# /etc/crontab, see the crontab(5) manual page.\n";
$crontab_contents .= "SHELL=/bin/sh\n";
$crontab_contents .= "PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\n";
$crontab_contents .= "REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem\n";
$crontab_contents .= "REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem\n";
$crontab_contents .= "#minute\thour\tmday\tmonth\twday\tcommand\n";
foreach ($autocron as $item) {
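Review bot: The return value of `file_put_contents($pem, $ca_bundle)` is still unchecked, and since this commit removes the other bundles, /usr/local/etc/ssl/cert.pem is now the only file every REQUESTS_CA_BUNDLE consumer in this commit (the cron environment below, the rc and configd sections) relies on, so a failed write silently leaves them pointing at a missing or stale bundle. Checking it, `if (file_put_contents($pem, $ca_bundle) === false) { syslog(LOG_ERR, "unable to write $pem"); }`, makes that failure visible. As a matter of style, iterating a one-element array `foreach (['/usr/local/etc/ssl/cert.pem'] as $pem)` reads like a placeholder; a plain `$pem = '/usr/local/etc/ssl/cert.pem';` says the same thing. system_trust_configure continues outside the hunk.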


@ -38,7 +38,7 @@ trap "echo 'Boot interrupted'; exit 1" 3
HOME=/
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
ZPOOL_IMPORT_PATH=/dev
export HOME PATH REQUESTS_CA_BUNDLE ZPOOL_IMPORT_PATH
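Review bot: REQUESTS_CA_BUNDLE is now exported at boot pointing at /usr/local/etc/ssl/cert.pem, which per the commit message is seeded by a package and maintained by system_trust_configure rather than shipped with the base system, whereas /etc/ssl/cert.pem was always present. If the file is absent when a Python consumer starts (first boot, package not installed), requests rejects a non-existent bundle path outright rather than falling back to its own store, so the failure mode changes from "trusts base CAs only" to "every HTTPS request errors"; that dependency is worth recording on the line, e.g. `# maintained by system_trust_configure; must exist before requests-based tooling runs`. The same line change appears in the second shell section and the configd [environment] section below and the remark applies there too.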


@ -42,7 +42,7 @@
# suffix is moved to the new subdirectory during a request.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
SYSDIR="/usr/local/etc/rc.syshook.d"
SYSLEVEL="${1}"


@ -349,7 +349,7 @@ class LDAP extends Base implements IAuthConnector
// Note: All TLS options must be set before ldap_connect is called
if ($this->ldapURLType != "standard") {
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/usr/local/etc/ssl/cert.pem');
} else {
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}
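Review bot: `ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/usr/local/etc/ssl/cert.pem')` still ignores its boolean return, so a missing or unreadable bundle only surfaces later as a handshake failure under LDAP_OPT_X_TLS_HARD — which fails closed, the right direction, but gives the operator no hint that the CA bundle rather than the server certificate is the problem. Checking it, `if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/usr/local/etc/ssl/cert.pem')) { syslog(LOG_ERR, 'unable to set LDAP CA bundle'); }`, makes the misconfiguration diagnosable. Since the option is set on the null resource it appears to apply process-wide, not just to this connector, which is worth a word in the existing comment. The enclosing method continues outside the hunk.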


@ -4,5 +4,5 @@ pid_filename:/var/run/configd.pid
[environment]
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
HOME=/


@ -73,7 +73,7 @@ class PlatformTLSAdaptor(HTTPAdapter):
ctx_args['ciphers'] = openssl_conf['cipherstring']
cls.ssl_context = create_urllib3_context(**ctx_args)
cls.ssl_context.load_verify_locations('/etc/ssl/cert.pem')
cls.ssl_context.load_verify_locations('/usr/local/etc/ssl/cert.pem')
if openssl_conf['minprotocol']:
for item in openssl_conf['minprotocol'].split("\n"):
if item == 'TLSv1':