Windows Certificate Loading (#1460)

TimPansino · mergify[bot] · web-flow · commit 29333f8b70b6 · 2025-08-26T22:52:46.000Z
* Fix loading of certificate bundle on Windows

* Remove skip marker

---------

Co-authored-by: mergify[bot] &lt;37929162+mergify[bot]@users.noreply.github.com&gt;
diff --git a/newrelic/common/agent_http.py b/newrelic/common/agent_http.py
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import os
+import ssl
 import sys
 import time
 import zlib
@@ -258,11 +259,28 @@ def __init__(
             if not ca_bundle_path:
                 verify_path = get_default_verify_paths()
 
-                # If there is no resolved cafile, assume the bundled certs are
-                # required and report this condition as a supportability metric.
                 if not verify_path.cafile and not verify_path.capath:
-                    ca_bundle_path = certs.where()
-                    internal_metric("Supportability/Python/Certificate/BundleRequired", 1)
+                    if sys.platform != "win32":
+                        # If there is no resolved cafile on POSIX platforms, assume the bundled certs
+                        # are required and report this condition as a supportability metric.
+                        ca_bundle_path = certs.where()
+                        internal_metric("Supportability/Python/Certificate/BundleRequired", 1)
+                    else:
+                        # If there is no resolved cafile on Windows, attempt to load the default certs.
+                        try:
+                            _context = ssl.SSLContext()
+                            _context.load_default_certs()
+                            system_certs = _context.get_ca_certs()
+                        except Exception:
+                            system_certs = None
+
+                        # If we still can't find any certs after loading the default ones,
+                        # then assume the bundled certs are required. If we do find them,
+                        # we don't have to do anything. We let urllib3 handle loading the
+                        # default certs from Windows.
+                        if not system_certs:
+                            ca_bundle_path = certs.where()
+                            internal_metric("Supportability/Python/Certificate/BundleRequired", 1)
 
             if ca_bundle_path:
                 if Path(ca_bundle_path).is_dir():
diff --git a/tests/agent_unittests/test_agent_protocol.py b/tests/agent_unittests/test_agent_protocol.py
@@ -547,7 +547,12 @@ class DefaultVerifyPaths:
         def __init__(self, *args, **kwargs):
             pass
 
-    monkeypatch.setattr(ssl, "DefaultVerifyPaths", DefaultVerifyPaths)
+    def get_ca_certs(purpose=None):
+        return []
+
+    monkeypatch.setattr(ssl, "DefaultVerifyPaths", DefaultVerifyPaths)  # Bypass OpenSSL default certs
+    if sys.platform == "win32":
+        monkeypatch.setattr(ssl.SSLContext, "get_ca_certs", get_ca_certs)  # Bypass Windows default certs
 
     settings = finalize_application_settings({"ca_bundle_path": ca_bundle_path})
     protocol = AgentProtocol(settings)
diff --git a/tests/agent_unittests/test_http_client.py b/tests/agent_unittests/test_http_client.py
@@ -15,6 +15,7 @@
 import base64
 import json
 import ssl
+import sys
 import zlib
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from io import StringIO
@@ -324,9 +325,11 @@ def test_default_cert_path(monkeypatch, system_certs_available):
     if system_certs_available:
         cert_file = "foo"
         ca_path = "/usr/certs"
+        system_certs = [{"issuer": "Test CA"}]  # Poorly faked certs
     else:
         cert_file = None
         ca_path = None
+        system_certs = []
 
     class DefaultVerifyPaths:
         cafile = cert_file
@@ -335,7 +338,13 @@ class DefaultVerifyPaths:
         def __init__(self, *args, **kwargs):
             pass
 
-    monkeypatch.setattr(ssl, "DefaultVerifyPaths", DefaultVerifyPaths)
+    def get_ca_certs(purpose=None):
+        return system_certs
+
+    monkeypatch.setattr(ssl, "DefaultVerifyPaths", DefaultVerifyPaths)  # Bypass OpenSSL default certs
+    if sys.platform == "win32":
+        monkeypatch.setattr(ssl.SSLContext, "get_ca_certs", get_ca_certs)  # Bypass Windows default certs
+
     internal_metrics = CustomMetrics()
     with InternalTraceContext(internal_metrics):
         client = HttpClient("localhost", ca_bundle_path=None)
diff --git a/tests/cross_agent/conftest.py b/tests/cross_agent/conftest.py
@@ -31,4 +31,4 @@
     app_name="Python Agent Test (cross_agent_tests)", default_settings=_default_settings
 )
 
-SKIP_ON_WINDOWS = pytest.mark.xfail(sys.platform == "win32", reason="This feature is not supported on Windows")
+SKIP_ON_WINDOWS = pytest.mark.skipif(sys.platform == "win32", reason="This feature is not supported on Windows")

Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,4 @@`
`31`	`31`	`app_name="Python Agent Test (cross_agent_tests)", default_settings=_default_settings`
`32`	`32`	`)`
`33`	`33`
`34`		`-SKIP_ON_WINDOWS = pytest.mark.xfail(sys.platform == "win32", reason="This feature is not supported on Windows")`
	`34`	`+SKIP_ON_WINDOWS = pytest.mark.skipif(sys.platform == "win32", reason="This feature is not supported on Windows")`