authorEmmanuel Vasilakis <mrzammler@mm.st>2022-11-03 16:22:39 +0200
committerGitHub <noreply@github.com>2022-11-03 16:22:39 +0200
commita41ba6db5a55a879cc3f49524eca5a4f6ecf7fe0 (patch)
tree053c6a479bc02475fc592c827e113814fb0d9363
parenta19795e85fd1d026171661c7f97bde8f9f7d0b1a (diff)
Setup default certificates path (#13941)
* setup default certificates path * change logic * change default in stream.conf
-rw-r--r--libnetdata/socket/security.c31
-rw-r--r--streaming/rrdpush.c4
-rw-r--r--streaming/stream.conf17
3 files changed, 22 insertions, 30 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 490d8727e2..f7b44049ba 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -357,31 +357,22 @@ int security_test_certificate(SSL *ssl) {
* @return It returns 0 on success and -1 otherwise.
*/
int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
- struct stat statbuf;
- if (stat(file, &statbuf)) {
- info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
- return 0;
- }
-
- ERR_clear_error();
- u_long err;
- char buf[256];
- if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
- goto slfc;
+ int load_custom = 1, load_default = 1;
+ if (file || path) {
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ load_custom = 0;
+ }
}
if(!SSL_CTX_set_default_verify_paths(ctx)) {
- goto slfc;
+ info("Can not verify default OpenSSL configuration to validate certificates!");
+ load_default = 0;
}
- return 0;
+ if (load_custom == 0 && load_default == 0)
+ return -1;
-slfc:
- while ((err = ERR_get_error()) != 0) {
- ERR_error_string_n(err, buf, sizeof(buf));
- error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf);
- }
- return -1;
+ return 0;
}
-
#endif
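Review bot: The failure branch after `SSL_CTX_load_verify_locations()` drops the `ERR_get_error()` drain (and the `ERR_clear_error()` before the call) that the removed code had, so the OpenSSL reason for rejecting the configured CAfile/CApath is never logged and the errors stay queued on the thread, where a later `SSL_get_error()` on the streaming connection needs an empty queue to be reliable. Because the function then returns 0 whenever `SSL_CTX_set_default_verify_paths()` succeeds, an operator who misspelled the path to a private CA gets a single `info()` line and the child silently validates the parent against the system store instead, so the failure should be logged with `error()` and the queue drained. Note also that the default paths are always added even when the custom locations load, so CAfile/CApath can only extend trust, never restrict it to the given CA; the comment above the function (its start is outside the hunk) should say so, and its `@return` should read "-1 only when neither the configured nor the default verify locations could be loaded".
```c
int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
    int load_custom = 1, load_default = 1;
    if (file || path) {
        ERR_clear_error();
        if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
            unsigned long err;
            char buf[256];
            error("Cannot load the configured CAfile/CApath for the parent's SSL certificate, falling back to the default OpenSSL trust store");
            while ((err = ERR_get_error()) != 0) {
                ERR_error_string_n(err, buf, sizeof(buf));
                error("OpenSSL: %s", buf);
            }
            load_custom = 0;
        }
    }
    /* … unchanged: default verify paths and return value … */
```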
diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c
index b015985e6a..5764f64899 100644
--- a/streaming/rrdpush.c
+++ b/streaming/rrdpush.c
@@ -140,8 +140,8 @@ int rrdpush_init() {
}
}
- netdata_ssl_ca_path = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CApath", "/etc/ssl/certs/");
- netdata_ssl_ca_file = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CAfile", "/etc/ssl/certs/certs.pem");
+ netdata_ssl_ca_path = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CApath", NULL);
+ netdata_ssl_ca_file = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CAfile", NULL);
#endif
return default_rrdpush_enabled;
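Review bot: The switch to a `NULL` default for "CApath"/"CAfile" relies on `appconfig_get()` handing back `NULL` rather than an empty string for an unset key, because `ssl_security_location_for_context()` tests `if (file || path)` and would otherwise pass `""` to `SSL_CTX_load_verify_locations()` on every agent; whether `appconfig_get()` does that is not visible here, so confirm it or normalise in place with `if (netdata_ssl_ca_path && !*netdata_ssl_ca_path) netdata_ssl_ca_path = NULL;` and the same for `netdata_ssl_ca_file`. Dropping the old defaults also means an unconfigured agent now trusts whatever the system store resolves instead of `/etc/ssl/certs/certs.pem`, a behaviour change worth a sentence in the commit description. `rrdpush_init()` starts outside the hunk.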
diff --git a/streaming/stream.conf b/streaming/stream.conf
index cfaf7ebe7b..cbaab1919e 100644
--- a/streaming/stream.conf
+++ b/streaming/stream.conf
@@ -40,17 +40,18 @@
#ssl skip certificate verification = yes
# Certificate Authority Path
- # OpenSSL has a default directory where the known certificates are stored,
- # case it is necessary it is possible to change this rule using the variable
- # "CApath"
- #CApath = /etc/ssl/certs/
+ # OpenSSL has a default directory where the known certificates are stored.
+ # In case it is necessary, it is possible to change this rule using the variable
+ # "CApath", e.g. CApath = /etc/ssl/certs/
+ #
+ #CApath =
# Certificate Authority file
- # When the Netdata parent has certificate, that is not recognized as valid,
- # we can add this certificate in the list of known certificates in CApath
- # and give for Netdata as argument.
+ # When the Netdata parent has a certificate that is not recognized as valid,
+ # we can add it to the list of known certificates in "CApath" and give it to
+ # Netdata as an argument, e.g. CAfile = /etc/ssl/certs/cert.pem
#
- #CAfile = /etc/ssl/certs/cert.pem
+ #CAfile =
# The API_KEY to use (as the sender)
api key =