fix: use original user's home directory for CA certificate storage

When running under sudo, the CA certificate was being stored in root's
home directory but the subprocess (running as original user) couldn't
access it, causing certificate verification errors.

Now GetConfigDir() detects sudo execution and uses the original user's
home directory, ensuring the subprocess can access the CA certificate.

Fixes: curl: (77) error setting certificate verify locations

Co-authored-by: f0ssel <[email protected]>

Author: blink-so[bot]

tls/tls.go

@@ -12,6 +12,7 @@ import (
 	"math/big"
 	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 	"sync"
 	"time"
@@ -295,9 +296,28 @@ func (cm *CertificateManager) generateServerCertificate(hostname string) (*tls.C
 
 // GetConfigDir returns the configuration directory path
 func GetConfigDir() (string, error) {
-	homeDir, err := os.UserHomeDir()
-	if err != nil {
-		return "", fmt.Errorf("failed to get user home directory: %v", err)
+	// When running under sudo, use the original user's home directory
+	// so the subprocess can access the CA certificate files
+	var homeDir string
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		// Get original user's home directory
+		if user, err := user.Lookup(sudoUser); err == nil {
+			homeDir = user.HomeDir
+		} else {
+			// Fallback to current user if lookup fails
+			var err2 error
+			homeDir, err2 = os.UserHomeDir()
+			if err2 != nil {
+				return "", fmt.Errorf("failed to get user home directory: %v", err2)
+			}
+		}
+	} else {
+		// Normal case - use current user's home
+		var err error
+		homeDir, err = os.UserHomeDir()
+		if err != nil {
+			return "", fmt.Errorf("failed to get user home directory: %v", err)
+		}
 	}
 
 	// Use platform-specific config directory