18F / tock

We use Tock to track and report our time at 18F
https://18f.gsa.gov/2015/05/21/TockingTime/

staging: fix new relic ssl cert errors #1661

Closed cantsin closed 1 year ago

cantsin commented 1 year ago

Description

As part of our deployment process, we record the deploy for New Relic:

# Record deployment using the New Relic Python Admin CLI
newrelic-admin record-deploy "${NEW_RELIC_CONFIG_FILE}" "${DEPLOYMENT_DESCRIPTION}"

Unfortunately, it looks like we're getting SSL errors when we use the built-in New Relic certificate located at /home/vcap/deps/0/python/lib/python3.10/site-packages/newrelic/common/cacert.pem. I am not sure why this is happening now, but it might be related to New Relic endpoints changing to different IP addresses. Plus, we're already at the latest New Relic version, as far as I can tell (although 8.10.1 just came out two days ago). This SSL error blocks staging from deploying.

Anyway, we can work around this by setting the NEW_RELIC_CA_BUNDLE_PATH (documentation) to the cloud.gov certificates and this seems to work.

To replicate the error, cf ssh staging and run:

newrelic-admin record-deploy newrelic.ini "testing"

This will fail with: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

To confirm the fix works:

NEW_RELIC_CA_BUNDLE_PATH=/etc/ssl/certs/ newrelic-admin record-deploy newrelic.ini "testing"
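
An added diagnostic, not part of this PR or the Tock code base: it handshakes with a TLS endpoint once per CA source, with verification left on, to show which trust store can build the chain. The host argument and the script name `probe_ca.py` are assumptions; the two default paths are the ones quoted in the description above.

```python
import os
import socket
import ssl
import sys

# Paths quoted in the PR description; the host is supplied by the caller.
CANDIDATES = [
    "/home/vcap/deps/0/python/lib/python3.10/site-packages/newrelic/common/cacert.pem",
    "/etc/ssl/certs/",
]


def make_context(ca_path):
    """Verifying client context that trusts only ca_path (PEM file or CA directory)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname checks stay on
    if os.path.isdir(ca_path):
        ctx.load_verify_locations(capath=ca_path)
    elif os.path.isfile(ca_path):
        ctx.load_verify_locations(cafile=ca_path)
    else:
        raise FileNotFoundError(ca_path)
    return ctx


def probe(host, ca_path, port=443, timeout=5.0):
    """Return (status, detail); status is 'ok', 'verify_failed', 'unusable' or 'error'."""
    try:
        ctx = make_context(ca_path)
    except OSError as exc:  # missing path or a file that is not valid PEM
        return "unusable", str(exc)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("commonName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        # Same failure class as the traceback in the PR description
        return "verify_failed", exc.verify_message
    except OSError as exc:  # DNS, refused connection, timeout, other TLS errors
        return "error", str(exc)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_ca.py HOST [CA_PATH ...]")
    for path in sys.argv[2:] or CANDIDATES:
        status, detail = probe(sys.argv[1], path)
        print(f"{status:14} {path} -> {detail}")
```

OpenSSL looks up certificates in a `capath` directory by subject-hash file names, so a directory of plain PEM files without those links reports `verify_failed` even when the right root is present.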

codecov-commenter commented 1 year ago

Codecov Report

Merging #1661 (53c0635) into main (ec76c42) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1661   +/-   ##
=======================================
  Coverage   94.17%   94.17%           
=======================================
  Files          66       66           
  Lines        4158     4158           
=======================================
  Hits         3916     3916           
  Misses        242      242           
