crypto/x509: support RHEL 7 cert bundle

RHEL 7 introduces a new tool, update-ca-trust(8), which places the
certificate bundle in a new location. Add this path to the list of
locations that are searched for the certificate bundle.

Fixes #15749

Change-Id: Idc97f885ee48ef085f1eb4dacbd1c2cf55f94ff5
Reviewed-on: https://go-review.googlesource.com/30375
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/crypto/x509/root_linux.go b/src/crypto/x509/root_linux.go
index cfeca6958ca0c31865b70c36f6ee93f6d3898271..38dd72d3ed66623a82226197c00ca18b80eeeffd 100644 (file)
--- a/src/crypto/x509/root_linux.go
+++ b/src/crypto/x509/root_linux.go
@@ -6,8 +6,9 @@ package x509
 
 // Possible certificate files; stop after finding one.
 var certFiles = []string{
-       "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
-       "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
-       "/etc/ssl/ca-bundle.pem",             // OpenSUSE
-       "/etc/pki/tls/cacert.pem",            // OpenELEC
+       "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
+       "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+       "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
+       "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
+       "/etc/pki/tls/cacert.pem",                           // OpenELEC
 }