Custom SSL certificates (Ruby)

The Ruby agent connects to New Relic servers over SSL by default, and ships with a default set of SSL root certificates that it uses to validate the identity of New Relic servers when connecting. In most cases, this default set of certificates is sufficient. In certain configurations, you may need to use a custom CA bundle. For example, you may use an HTTP proxy to intercept and decrypt SSL traffic from the agent, which then establishes a separate SSL connection to New Relic. Custom CA bundles are available in versions 3.9.4 or higher of the Ruby agent.

Using a custom CA bundle

You can configure the agent to use a custom CA bundle when validating the SSL certificate presented by a proxy. To do so, set the `ca_bundle_path` configuration setting in your `newrelic.yml` file or via the `NEW_RELIC_CA_BUNDLE_PATH` environment variable:

common: &default_settings
  ca_bundle_path: certificates/mycert.pem
  # ... other settings ...

Specify a path to a `.pem` file containing the certificate(s) that you would like the agent to use when validating the identity of the proxy or server. Multiple certificates may be concatenated into a single `.pem` file (for an example, see the [default pem file](https://github.com/newrelic/rpm/blob/master/cert/cacert.pem)). If you specify a relative path, the agent resolves it relative to the working directory of your application server process at runtime. Note that in some configurations, your working directory may be `/` rather than the root of your application. In these cases, specify an absolute path.
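To check a bundle before pointing the agent at it, the following added example (not part of the Ruby agent or of New Relic's code) resolves a `ca_bundle_path` value against a given working directory and summarizes each certificate in the concatenated `.pem` file. The helper names `inspect_ca_bundle` and `sample_ca_pem` are hypothetical, and the sample certificate is a constructed, throwaway self-signed CA.

```ruby
require "openssl"
require "tmpdir"

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Resolve a ca_bundle_path value against a working directory (a relative
# path depends on the process's cwd) and summarize every certificate found.
def inspect_ca_bundle(path, cwd: Dir.pwd, now: Time.now)
  resolved = File.expand_path(path, cwd)
  raise ArgumentError, "no readable bundle at #{resolved}" unless File.readable?(resolved)

  certs = File.read(resolved).scan(PEM_BLOCK).map do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    bc = cert.extensions.find { |e| e.oid == "basicConstraints" }
    { subject: cert.subject.to_s,
      ca: !bc.nil? && bc.value.include?("CA:TRUE"), # usable as a trust anchor
      expired: cert.not_after < now }
  end
  raise ArgumentError, "no certificates found in #{resolved}" if certs.empty?

  { path: resolved, certs: certs }
end

# Constructed sample input: a short-lived self-signed CA certificate,
# standing in for the CA that signs an intercepting proxy's certificate.
def sample_ca_pem(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end
```

Call `inspect_ca_bundle` with `cwd:` set to the working directory your application server process actually runs in; a relative path that resolves under your application root fails the same way here as it would at runtime when that directory is `/`.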
