fix: use original user's home directory for CA certificate storage

When running under sudo, the CA certificate was being stored in root's
home directory (/root/.config/boundary/) but the subprocess running as
the original user couldn't access it, causing certificate verification
errors.

Now GetConfigDir() detects sudo execution and uses the original user's
home directory, so the CA certificate is stored in a location accessible
to the subprocess.

Fixes curl errors like:
'error setting certificate verify locations: CAfile: /Users/user/.config/boundary/ca-cert.pem'

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

tls/tls.go

@@ -12,6 +12,7 @@ import (
 	"math/big"
 	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 	"sync"
 	"time"
@@ -295,9 +296,28 @@ func (cm *CertificateManager) generateServerCertificate(hostname string) (*tls.C
 
 // GetConfigDir returns the configuration directory path
 func GetConfigDir() (string, error) {
-	homeDir, err := os.UserHomeDir()
-	if err != nil {
-		return "", fmt.Errorf("failed to get user home directory: %v", err)
+	// When running under sudo, use the original user's home directory
+	// so the subprocess can access the CA certificate files
+	var homeDir string
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		// Get original user's home directory
+		if user, err := user.Lookup(sudoUser); err == nil {
+			homeDir = user.HomeDir
+		} else {
+			// Fallback to current user if lookup fails
+			var err2 error
+			homeDir, err2 = os.UserHomeDir()
+			if err2 != nil {
+				return "", fmt.Errorf("failed to get user home directory: %v", err2)
+			}
+		}
+	} else {
+		// Normal case - use current user's home
+		var err error
+		homeDir, err = os.UserHomeDir()
+		if err != nil {
+			return "", fmt.Errorf("failed to get user home directory: %v", err)
+		}
 	}
 
 	// Use platform-specific config directory