curl with our custom ca cert

this is because s6-tlsclient refused to connect with
 Not a CA, or path length constraint violation. (BR_ERR_X509_NOT_CA)
error

README.md

@@ -36,7 +36,7 @@ chmod 0700 psk
 
 # create CA key and cert used for signing
 openssl genrsa -out ca.key 4096
-CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
+CN=CA openssl req -config openssl.cnf -addext basicConstraints=critical,CA:TRUE,pathlen:1  --x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
 
 # create key for the server and sign it with the CA
 CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
@@ -48,7 +48,7 @@ CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client
 # build and start the server
 nix-build && result/bin/certifix  --challenge-password psk  --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613
 # send it
-curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
+curl --cacert ca.crt   -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
 ```
 
 ## Reasons this is not secure

main.fnl

@@ -94,7 +94,7 @@
     (crt:toPEM)))
 
 (fn approve-request? [csr]
-  (let [{ : challengePassword } (csr:getAttributes)]
+  (let [challengePassword (csr:getAttribute :challengePassword)]
     (when challengePassword
       (accumulate [found false
                    _ v (ipairs challengePassword)]

package.nix

@@ -13,7 +13,7 @@ let
     patches = [
       (fetchpatch {
         url = "https://patch-diff.githubusercontent.com/raw/wahern/luaossl/pull/218.patch";
-        hash = "sha256-0+5OR9t7nw8lPi7jcM/RwI8Qt8HeXwU1jvl+f+B5V38=";
+        hash = "sha256-2GOliY4/RUzOgx3rqee3X3szCdUVxYDut7d+XFcUTJw=";
       })
     ] ++ lib.optionals (o ? patches) o.patches;
   });