Load CA certs if SSL is enabled and CA certs are not passed in (#10377)

* added logic to load CA bundle only if ssl is required * clean up logic to load certifi CA certs incase SSL is needed and no CA certs are passed in * Fixed typo * slight change in logic for clean up * clean up logic
DataDog · Oct 14, 2021 · 8ed69d9 · 8ed69d9
1 parent cad8790
commit 8ed69d9
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/mongo/datadog_checks/mongo/config.py b/mongo/datadog_checks/mongo/config.py
@@ -1,3 +1,5 @@
+import certifi
+
 from datadog_checks.base import ConfigurationError, is_affirmative
 from datadog_checks.base.utils.common import exclude_undefined_keys
 from datadog_checks.mongo.common import DEFAULT_TIMEOUT
@@ -9,13 +11,20 @@ def __init__(self, instance, log):
         self.log = log
 
         # x.509 authentication
+
+        cacert_cert_dir = instance.get('ssl_ca_certs')
+        if cacert_cert_dir is None and (
+            is_affirmative(instance.get('options', {}).get("ssl")) or is_affirmative(instance.get('ssl'))
+        ):
+            cacert_cert_dir = certifi.where()
+
         self.ssl_params = exclude_undefined_keys(
             {
                 'ssl': instance.get('ssl', None),
                 'ssl_keyfile': instance.get('ssl_keyfile', None),
                 'ssl_certfile': instance.get('ssl_certfile', None),
                 'ssl_cert_reqs': instance.get('ssl_cert_reqs', None),
-                'ssl_ca_certs': instance.get('ssl_ca_certs', None),
+                'ssl_ca_certs': cacert_cert_dir,
             }
         )