Remove bundled root certificates

bdewater-thatch · bdewater-thatch · commit 3fc34512791b · 2026-02-12T08:37:13.000-05:00
diff --git a/README.md b/README.md
@@ -151,7 +151,7 @@ See [versioning in the API reference][versioning] for more information.
 
 ### Configuring CA Bundles
 
-By default, the library will use its own internal bundle of known CA
+By default, the library will use the system bundle of known CA
 certificates, but it's possible to configure your own:
 
 ```ruby
@@ -268,7 +268,7 @@ end
 ### How to use undocumented parameters and properties
 
 In some cases, you might encounter parameters on an API request or fields on an API response that aren’t available in the SDKs.
-This might happen when they’re undocumented or when they’re in preview and you aren’t using a preview SDK. 
+This might happen when they’re undocumented or when they’re in preview and you aren’t using a preview SDK.
 See [undocumented params and properties](https://docs.stripe.com/sdks/server-side?lang=ruby#undocumented-params-and-fields) to send those parameters or access those fields.
 
 ### Writing a Plugin
@@ -413,13 +413,6 @@ just lint
 # or: bundle exec rubocop
 ```
 
-Update bundled CA certificates from the [Mozilla cURL release][curl]:
-
-```sh
-just update-certs
-# or: bundle exec rake update_certs
-```
-
 [api-keys]: https://dashboard.stripe.com/account/apikeys
 [connect]: https://stripe.com/connect
 [curl]: http://curl.haxx.se/docs/caextract.html
diff --git a/Rakefile b/Rakefile
@@ -7,28 +7,3 @@ task default: %i[test rubocop]
 Rake::TestTask.new do |t|
   t.pattern = "./test/**/*_test.rb"
 end
-
-desc "Update bundled certs"
-task :update_certs do
-  require "net/http"
-  require "uri"
-
-  fetch_file "https://curl.se/ca/cacert.pem",
-             File.expand_path("lib/data/ca-certificates.crt", __dir__)
-end
-
-#
-# helpers
-#
-
-def fetch_file(uri, dest)
-  File.open(dest, "w") do |file|
-    resp = Net::HTTP.get_response(URI.parse(uri))
-    unless resp.code.to_i == 200
-      abort("bad response when fetching: #{uri}\n" \
-            "Status #{resp.code}: #{resp.body}")
-    end
-    file.write(resp.body)
-    puts "Successfully fetched: #{uri}"
-  end
-end
diff --git a/justfile b/justfile
@@ -25,9 +25,6 @@ lint: (format-check "--autocorrect")
 # copy of `lint` with less output
 format: (format-check "-o /dev/null --autocorrect")
 
-update-certs: install
-    bundle exec rake update_certs
-
 # run sorbet to check type definitions
 typecheck: install
     {{ if semver_matches(`ruby -e "puts RUBY_VERSION"`, ">=2.7") == "true" { \
diff --git a/lib/data/ca-certificates.crt b/lib/data/ca-certificates.crt
diff --git a/lib/stripe.rb b/lib/stripe.rb
@@ -66,8 +66,6 @@
 require "stripe/services/oauth_service"
 
 module Stripe
-  DEFAULT_CA_BUNDLE_PATH = __dir__ + "/data/ca-certificates.crt"
-
   # map to the same values as the standard library's logger
   LEVEL_DEBUG = Logger::DEBUG
   LEVEL_ERROR = Logger::ERROR
diff --git a/lib/stripe/stripe_configuration.rb b/lib/stripe/stripe_configuration.rb
@@ -5,7 +5,7 @@ module Stripe
   #
   # =ca_bundle_path=
   # The location of a file containing a bundle of CA certificates. By default
-  # the library will use an included bundle that can successfully validate
+  # the library will use the system bundle that can successfully validate
   # Stripe certificates.
   #
   # =log_level=
@@ -66,7 +66,7 @@ def reverse_duplicate_merge(hash)
 
     def initialize
       @api_version = ApiVersion::CURRENT
-      @ca_bundle_path = Stripe::DEFAULT_CA_BUNDLE_PATH
+      @ca_bundle_path = nil
       @enable_telemetry = true
       @verify_ssl_certs = true
 
@@ -190,7 +190,11 @@ def ca_bundle_path=(path)
     def ca_store
       @ca_store ||= begin
         store = OpenSSL::X509::Store.new
-        store.add_file(ca_bundle_path)
+        if ca_bundle_path.nil?
+          store.set_default_paths
+        else
+          store.add_file(ca_bundle_path)
+        end
         store
       end
     end
diff --git a/test/stripe/stripe_configuration_test.rb b/test/stripe/stripe_configuration_test.rb
@@ -8,7 +8,7 @@ class StripeConfigurationTest < Test::Unit::TestCase
       should "initialize a new configuration with defaults" do
         config = Stripe::StripeConfiguration.setup
 
-        assert_equal Stripe::DEFAULT_CA_BUNDLE_PATH, config.ca_bundle_path
+        assert_nil config.ca_bundle_path
         assert_equal true, config.enable_telemetry
         assert_equal true, config.verify_ssl_certs
         assert_equal 5, config.max_network_retry_delay
@@ -137,7 +137,7 @@ class StripeConfigurationTest < Test::Unit::TestCase
         assert_equal("client_uploads_base.stripe.com", client_config.base_addresses[:files]) # client uploads base
         assert_equal(Stripe::DEFAULT_API_BASE, client_config.base_addresses[:api]) # default api base
         assert_equal(ApiVersion::CURRENT, client_config.api_version) # default api version
-        assert_equal(Stripe::DEFAULT_CA_BUNDLE_PATH, client_config.ca_bundle_path) # default ca bundle path
+        assert_nil client_config.ca_bundle_path # default ca bundle path
       end
     end
 
