Remove mozilla ca submodule and subsume this functionality (#19850)

<!-- Merging Requirements:
- Please give your PR a title that is release-note friendly
- In order to be merged, you must add the most appropriate category
Label (Added, Changed, Fixed) to your PR
-->
<!-- Explain why this is an improvement (Does this add missing
functionality, improve performance, or reduce complexity?) -->

### Purpose:

<!-- Does this PR introduce a breaking change? -->

### Current Behavior:

### New Behavior:

<!-- As we aim for complete code coverage, please include details
regarding unit, and regression tests -->

### Testing Notes:

<!-- Attach any visual examples, or supporting evidence (attach any
.gif/video/console output below) -->

Author: richardkiss

.github/workflows/mozilla-ca-cert.yml

@@ -0,0 +1,41 @@
+name: Update Mozilla cert.pem Nightly
+
+on:
+  schedule:
+    - cron: "0 11 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}
+  cancel-in-progress: true
+
+jobs:
+  update_cert:
+    name: Update Mozilla cert.pem Nightly
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download latest Mozilla CA cert.pem
+        run: |
+          curl --silent --show-error --location https://curl.se/ca/cacert.pem -o chia/ssl/cacert.pem
+
+      - name: Set up commit signing
+        uses: Chia-Network/actions/commit-sign/gpg@main
+        with:
+          gpg_private_key: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_KEY }}
+          passphrase: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_PASSPHRASE }}
+
+      - name: Create Pull Request if cacert.pem changed
+        uses: peter-evans/create-pull-request@v6
+        with:
+          commit-message: "Update cacert.pem from Mozilla CA bundle"
+          title: "Update cacert.pem from Mozilla CA bundle"
+          body: "Automated update of cacert.pem from https://curl.se/ca/cacert.pem."
+          branch: update-cacert-pem
+          add-paths: chia/ssl/cacert.pem

.github/workflows/update-mozilla-ca-cert.yaml

@@ -2,7 +2,3 @@
 	path = chia-blockchain-gui
 	url = https://github.com/Chia-Network/chia-blockchain-gui.git
 	branch = main
-[submodule "mozilla-ca"]
-	path = mozilla-ca
-	url = https://github.com/Chia-Network/mozilla-ca.git
-        branch = main

.gitmodules

@@ -37,8 +37,6 @@ if ($null -eq (Get-Command git -ErrorAction SilentlyContinue))
     Exit 1
 }
 
-git submodule update --init mozilla-ca
-
 if ($null -eq (Get-Command py -ErrorAction SilentlyContinue))
 {
     Write-Output "Unable to find py"

Install.ps1

@@ -123,7 +123,6 @@ datas.append((f"{ROOT}/chia/util/initial-config.yaml", "chia/util"))
 for path in sorted({path.parent for path in ROOT.joinpath("chia").rglob("*.hex")}):
     datas.append((f"{path}/*.hex", path.relative_to(ROOT)))
 datas.append((f"{ROOT}/chia/ssl/*", "chia/ssl"))
-datas.append((f"{ROOT}/mozilla-ca/*", "mozilla-ca"))
 datas.extend(version_data)
 
 pathex = []

build_scripts/pyinstaller.spec

@@ -36,7 +36,7 @@ def get_chia_ca_crt_key() -> tuple[Any, Any]:
 
 
 def get_mozilla_ca_crt() -> str:
-    mozilla_path = Path(__file__).parent.parent.parent.absolute() / "mozilla-ca/cacert.pem"
+    mozilla_path = Path(__file__).parent.absolute() / "cacert.pem"
     return str(mozilla_path)
 
 

chia/ssl/cacert.pem

@@ -57,8 +57,6 @@ if [ "$(uname -m)" = "armv7l" ]; then
   echo "Exiting."
   exit 1
 fi
-# Get submodules
-git submodule update --init mozilla-ca
 
 # You can specify preferred python version by exporting `INSTALL_PYTHON_VERSION`
 # e.g. `export INSTALL_PYTHON_VERSION=3.9`

chia/ssl/create_ssl.py

@@ -13,7 +13,7 @@ homepage = "https://chia.net/"
 
 [tool.poetry]
 # see [tool.poetry-dynamic-versioning]
-packages = [{ include = "chia"}, { include = "mozilla-ca/cacert.pem" }]
+packages = [{ include = "chia"}]
 version = "0.0.0"
 
 [project.scripts]