config, backends: don't manually hunt for CA paths

sopel/config/core_section.py

@@ -1,7 +1,5 @@
 from __future__ import annotations
 
-import os.path
-
 from sopel.config.types import (
     BooleanAttribute,
     ChoiceAttribute,
@@ -23,29 +21,6 @@
 """Default URL schemes allowed for URLs."""
 
 
-def _find_certs():
-    """Find the TLS root CA store.
-
-    :returns: path to CA store file
-    :rtype: str
-    """
-    # check if the root CA store is at a known location
-    locations = [
-        '/etc/pki/tls/cert.pem',  # best first guess
-        '/etc/ssl/certs/ca-certificates.crt',  # Debian
-        '/etc/ssl/cert.pem',  # FreeBSD base OpenSSL
-        '/usr/local/openssl/cert.pem',  # FreeBSD userland OpenSSL
-        '/etc/pki/tls/certs/ca-bundle.crt',  # RHEL 6 / Fedora
-        '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',  # RHEL 7 / CentOS
-        '/etc/pki/tls/cacert.pem',  # OpenELEC
-        '/etc/ssl/ca-bundle.pem',  # OpenSUSE
-    ]
-    for certs in locations:
-        if os.path.isfile(certs):
-            return certs
-    return None
-
-
 def configure(config):
     """Interactively configure the bot's ``[core]`` config section.
 
@@ -228,17 +203,16 @@ class CoreSection(StaticSection):
 
     """
 
-    ca_certs = FilenameAttribute('ca_certs', default=_find_certs())
-    """The path to the CA certs ``.pem`` file.
+    ca_certs = FilenameAttribute('ca_certs')
+    """The path to the CA certs ``pem`` file.
 
     Example:
 
     .. code-block:: ini
 
         ca_certs = /etc/ssl/certs/ca-certificates.crt
 
-    If not specified, Sopel will try to find the certificate trust store
-    itself from a set of known locations.
+    If not specified, the system default will be used.
 
     If the given value is not an absolute path, it will be interpreted relative
     to the directory containing the config file with which Sopel was started.

sopel/irc/backends.py

@@ -269,20 +269,24 @@ def handle_connect(self):
         # the supported range should narrow sufficiently to fix these for real.
         # Each Python version still generally selects the most secure protocol
         # version(s) it supports.
+        ssl_args = {
+            "certfile": self.certfile,
+            "keyfile": self.keyfile,
+            "do_handshake_on_connect": True,
+            "suppress_ragged_eofs": True,
+        }
         if not self.verify_ssl:
-            self.ssl = ssl.wrap_socket(self.socket,  # lgtm [py/insecure-default-protocol]
-                                       certfile=self.certfile,
-                                       keyfile=self.keyfile,
-                                       do_handshake_on_connect=True,
-                                       suppress_ragged_eofs=True)
+            self.ssl = ssl.wrap_socket(  # lgtm [py/insecure-default-protocol]
+                self.socket, **ssl_args
+            )
         else:
-            self.ssl = ssl.wrap_socket(self.socket,  # lgtm [py/insecure-default-protocol]
-                                       certfile=self.certfile,
-                                       keyfile=self.keyfile,
-                                       do_handshake_on_connect=True,
-                                       suppress_ragged_eofs=True,
-                                       cert_reqs=ssl.CERT_REQUIRED,
-                                       ca_certs=self.ca_certs)
+            ssl_args["cert_reqs"] = ssl.CERT_REQUIRED
+            ssl_args["ca_certs"] = (
+                self.ca_certs or ssl.get_default_verify_paths().cafile
+            )
+            self.ssl = ssl.wrap_socket(  # lgtm [py/insecure-default-protocol]
+                self.socket, **ssl_args
+            )
             # connect to host specified in config first
             try:
                 ssl.match_hostname(self.ssl.getpeercert(), self.host)