reference/ca-certificates: Update Nextclade section with its new conf…

…igurability Not having to say here, "There's nothing you can do", was the driving reason for me adding said configurability to Nextclade in the first place! Related-to: <nextstrain/nextclade#1536>
nextstrain · Oct 21, 2024 · 08d630e · 08d630e
1 parent 3d95aff
commit 08d630e
Showing 1 changed file with 24 additions and 8 deletions.
diff --git a/src/reference/ca-certificates.rst b/src/reference/ca-certificates.rst
@@ -157,23 +157,39 @@ Set the |REQUESTS_CA_BUNDLE|_ environment variable to override.
 Nextclade CLI
 -------------
 
-*Applies to Nextclade v3.*
+.. XXX FIXME version ↓
 
-Uses its own bundled snapshot of `Mozilla's CA trust store`_ via the
-|webpki-roots|_ Rust crate (by way of the ``reqwest`` crate's
-|rustls-tls-webpki-roots feature|_).
+*Applies to Nextclade v3.x.y (3.9.0???) and onwards.*
 
-There is currently no way to configure or modify the trust store without
-modifying the Nextclade source code.
+Uses CA certificates extracted from the OS-level trust store via the
+|rustls-native-certs|_ Rust crate plus its own bundled snapshot of `Mozilla's
+CA trust store`_ via the |webpki-roots|_ Rust crate (by way of the ``reqwest``
+crate's |rustls-tls-webpki-roots feature|_).
 
-.. I have a fix in-flight for ↑ that. —trs, 10 Oct 2024
+Set the OpenSSL-style ``SSL_CERT_FILE`` or ``SSL_CERT_DIR`` environment
+variables to override the OS-level trust store (on all platforms, not just
+those using :ref:`OpenSSL <openssl>`).  The bundled trust store is always
+included and cannot be overridden or disabled.
+
+Set the |NEXTCLADE_EXTRA_CA_CERTS|_ environment variable to add CA
+certificates to the default trust store.
+
+.. note:: Nextclade v3.8.2 and earlier provides no way to configure or modify
+   the trust store.
+
+.. |rustls-native-certs| replace:: ``rustls-native-certs``
+.. _rustls-native-certs: https://docs.rs/crate/rustls-native-certs/0.8.0
 
 .. |webpki-roots| replace:: ``webpki-roots``
-.. _webpki-roots: https://docs.rs/webpki-roots/0.26.6/webpki_roots/
+.. _webpki-roots: https://docs.rs/crate/webpki-roots/0.26.6
 
 .. |rustls-tls-webpki-roots feature| replace:: ``rustls-tls-webpki-roots`` feature
 .. _rustls-tls-webpki-roots feature: https://docs.rs/reqwest/0.12.8/reqwest/#optional-features
 
+.. |NEXTCLADE_EXTRA_CA_CERTS| replace:: ``NEXTCLADE_EXTRA_CA_CERTS``
+.. _NEXTCLADE_EXTRA_CA_CERTS: https://docs.nextstrain.org/projects/nextclade/en/3.x.y/user/nextclade-cli/reference.html?highlight=NEXTCLADE_EXTRA_CA_CERTS#nextclade-dataset-get
+
+.. XXX FIXME version ↑
 
 
 .. _aws-cli: