fix: use system CA store for ureq TLS to verify Cloudflare-issued certs

2026-03-18 14:10:28 +04:00 · 2026-03-18 14:10:28 +04:00 · 6882162d7f
parent 1b8cbc6e23
commit 6882162d7f
1 changed files with 15 additions and 1 deletions
--- a/apps/monitor/src/runner.rs
+++ b/apps/monitor/src/runner.rs
@ -200,11 +200,25 @@ fn run_check_blocking(
    body: Option<&str>,
    timeout: std::time::Duration,
 ) -> Result<(u16, HashMap<String, String>, String), String> {
+    // Load system CA certs so we can verify chains from Cloudflare and other
+    // CAs not included in the bundled webpki-roots.
+    let root_certs: Vec<ureq::tls::Certificate<'static>> =
+        rustls_native_certs::load_native_certs()
+            .certs
+            .into_iter()
+            .map(|c| ureq::tls::Certificate::from_der(c.as_ref()).to_owned())
+            .collect();
+
+    let tls = ureq::tls::TlsConfig::builder()
+        .root_certs(ureq::tls::RootCerts::Specific(Arc::new(root_certs)))
+        .build();
+
    let agent = ureq::Agent::config_builder()
        .timeout_global(Some(timeout))
        .timeout_connect(Some(timeout))
-        .http_status_as_error(false) // handle 4xx/5xx as Ok so we can evaluate queries
+        .http_status_as_error(false)
        .user_agent("PingQL-Monitor/0.1")
+        .tls_config(tls)
        .build()
        .new_agent();