From 16610ce35151406165d52d9726c75fa30c065824 Mon Sep 17 00:00:00 2001
From: tomas-quix <78492422+tomas-quix@users.noreply.github.com>
Date: Thu, 24 Apr 2025 18:03:46 +0200
Subject: [PATCH] fix(outputs.quix): Allow empty certificate for new cloud
 managed instances (#16857)

---
 plugins/outputs/quix/quix.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/plugins/outputs/quix/quix.go b/plugins/outputs/quix/quix.go
index ddfc402e4..6b6807074 100644
--- a/plugins/outputs/quix/quix.go
+++ b/plugins/outputs/quix/quix.go
@@ -109,13 +109,17 @@ func (q *Quix) Connect() error {
 			return fmt.Errorf("unsupported SASL mechanism: %s", quixConfig.SaslMechanism)
 		}
 
-		// Certificate
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(quixConfig.cert) {
-			return errors.New("appending CA cert to pool failed")
-		}
 		cfg.Net.TLS.Enable = true
-		cfg.Net.TLS.Config = &tls.Config{RootCAs: certPool}
+
+		// Add the CA certificate sent by the server if there is any. Newer cloud
+		// instances do not need this and we can go with the system certificates.
+		if len(quixConfig.cert) > 0 {
+			certPool := x509.NewCertPool()
+			if !certPool.AppendCertsFromPEM(quixConfig.cert) {
+				return errors.New("appending CA cert to pool failed")
+			}
+			cfg.Net.TLS.Config = &tls.Config{RootCAs: certPool}
+		}
 	case "PLAINTEXT":
 		// No additional configuration required for plaintext communication
 	default: