reworkd · awtkns · Jul 22, 2023 · Jul 22, 2023 · Jul 22, 2023 · Jul 22, 2023
diff --git a/platform/reworkd_platform/db/utils.py b/platform/reworkd_platform/db/utils.py
@@ -1,8 +1,9 @@
-import ssl
+from ssl import CERT_REQUIRED
 
 from sqlalchemy import text
 from sqlalchemy.ext.asyncio import AsyncEngine, create_async_engine
 
+from reworkd_platform.services.ssl import get_ssl_context
 from reworkd_platform.settings import settings
 
 
@@ -18,8 +19,8 @@ def create_engine() -> AsyncEngine:
             echo=settings.db_echo,
         )
 
-    ssl_context = ssl.create_default_context(cafile=settings.db_ca_path)
-    ssl_context.verify_mode = ssl.CERT_REQUIRED
+    ssl_context = get_ssl_context(settings)
+    ssl_context.verify_mode = CERT_REQUIRED
     connect_args = {"ssl": ssl_context}
 
     return create_async_engine(

diff --git a/platform/reworkd_platform/services/kafka/consumers/base.py b/platform/reworkd_platform/services/kafka/consumers/base.py
@@ -1,12 +1,12 @@
 import asyncio
 import json
-import ssl
 from abc import ABC, abstractmethod
 from typing import Any, Protocol
 
 from aiokafka import AIOKafkaConsumer, ConsumerRecord
 from loguru import logger
 
+from reworkd_platform.services.ssl import get_ssl_context
 from reworkd_platform.settings import Settings
 
 
@@ -38,7 +38,7 @@ def __init__(
             security_protocol="SASL_SSL",
             sasl_plain_username=settings.kafka_username,
             sasl_plain_password=settings.kafka_password,
-            ssl_context=ssl.create_default_context(cafile=settings.db_ca_path),
+            ssl_context=get_ssl_context(settings),
             enable_auto_commit=True,
             auto_offset_reset="earliest",
             value_deserializer=deserializer.deserialize,

diff --git a/platform/reworkd_platform/services/kafka/producers/base.py b/platform/reworkd_platform/services/kafka/producers/base.py
@@ -1,10 +1,10 @@
-from ssl import create_default_context
 from typing import Literal
 
 from aiokafka import AIOKafkaProducer
 from loguru import logger
 from pydantic import BaseModel
 
+from reworkd_platform.services.ssl import get_ssl_context
 from reworkd_platform.settings import Settings
 
 TOPICS = Literal["workflow_task"]
@@ -19,7 +19,7 @@ def __init__(self, settings: Settings):
             security_protocol="SASL_SSL",
             sasl_plain_username=settings.kafka_username,
             sasl_plain_password=settings.kafka_password,
-            ssl_context=create_default_context(cafile=settings.db_ca_path),
+            ssl_context=get_ssl_context(settings),
         )
 
         self._headers = (

diff --git a/platform/reworkd_platform/services/ssl.py b/platform/reworkd_platform/services/ssl.py
@@ -0,0 +1,19 @@
+from ssl import create_default_context, SSLContext
+
+from reworkd_platform.settings import Settings
+
+MACOS_CERT_PATH = "/etc/ssl/cert.pem"
+DOCKER_CERT_PATH = "/etc/ssl/certs/ca-certificates.crt"
+
+
+def get_ssl_context(settings: Settings) -> SSLContext:
+    if settings.db_ca_path:
+        return create_default_context(cafile=settings.db_ca_path)
+
+    for path in (MACOS_CERT_PATH, DOCKER_CERT_PATH):
+        try:
+            return create_default_context(cafile=path)
+        except FileNotFoundError:
+            continue
+
+    raise FileNotFoundError("No CA certificates found for your OS.")
diff --git a/platform/reworkd_platform/settings.py b/platform/reworkd_platform/settings.py
@@ -72,7 +72,7 @@ class Settings(BaseSettings):
     db_pass: str = "reworkd_platform"
     db_base: str = "reworkd_platform"
     db_echo: bool = False
-    db_ca_path: str = "/etc/ssl/cert.pem"
+    db_ca_path: Optional[str] = None
 
     # Variables for Weaviate db.
     vector_db_url: Optional[str] = None