A tool I maintain had this exact problem, because it’s designed to be compiled statically and used on a fresh install on which there may or may not be useful libraries.
I’ve solved this by overriding OpenSSL::SSL::Context::Client#ca_certificates (see here) when instantiating

tls_client = OpenSSL::SSL::Context::Client.new.tap do |client|
  # Trust the CA certificates in this PEM bundle
  client.ca_certificates = "/path/to/cacert.pem"
end

I then point it towards a path of a downloaded cURL/Mozilla CA cert bundle (from curl - Extract CA Certs from Mozilla). You could do something similar by either shipping the CA cert bundle with your program or by shelling out to wget or whatnot when the program launches to fetch the latest bundle if none exists (note the guidance on that page about not fetching it too frequently).
Then when you use HTTP::Client, you just need to pass in the

HTTP::Client.get("https://example.com/robots.txt", tls: tls_client) do |response|
  # Do stuff
end
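
A fail-closed version of the setup described in the post above, as an added example (not the poster's or the tool's own code): it checks that the bundle exists and holds at least one certificate before building the context, and flags an old bundle instead of re-fetching it on every launch. BUNDLE_PATH, MAX_AGE and the helper names are assumptions made for this sketch.

```crystal
require "http/client"
require "openssl"

# Assumed values for this sketch; the post only gives a placeholder path.
BUNDLE_PATH = "/path/to/cacert.pem"
MAX_AGE     = 30.days

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Counts PEM certificate blocks so that an empty or truncated download
# is rejected before the file is handed to OpenSSL.
def pem_cert_count(path : String) : Int32
  File.read(path).scan(PEM_BEGIN).size
end

# True when the bundle on disk is older than max_age and a refresh is due.
def bundle_stale?(path : String, max_age : Time::Span = MAX_AGE) : Bool
  Time.utc - File.info(path).modification_time > max_age
end

# Builds a client context that trusts the bundle and keeps peer
# verification on. A missing or empty bundle raises instead of falling
# back to an unverified connection.
def tls_context_from_bundle(path : String) : OpenSSL::SSL::Context::Client
  raise "CA bundle missing: #{path}" unless File.file?(path)
  raise "CA bundle has no certificates: #{path}" if pem_cert_count(path) == 0

  OpenSSL::SSL::Context::Client.new.tap do |ctx|
    ctx.ca_certificates = path
    ctx.verify_mode = OpenSSL::SSL::VerifyMode::PEER
  end
end

begin
  tls_client = tls_context_from_bundle(BUNDLE_PATH)
  if bundle_stale?(BUNDLE_PATH)
    STDERR.puts "CA bundle is older than #{MAX_AGE.days} days; refresh it"
  end

  HTTP::Client.get("https://example.com/robots.txt", tls: tls_client) do |response|
    puts response.status_code
  end
rescue ex
  # Covers a bad bundle, a failed certificate check and network errors alike.
  abort "Request failed: #{ex.message}"
end
```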