
Update the Sectigo / USERTrust CA Certificate #3882

Merged
1 commit merged on May 30, 2020

Conversation

sodabrew
Contributor

@sodabrew sodabrew commented May 30, 2020

This same cert is also found in the embedded/ssl/certs.pem bundle in the dd-agent package. Resolves #3881. See also Twitter:


The prior certificate expired today, May 30, 2020, and is replaced per this FAQ:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020


Motivation

  • Pager storm at 4AM US/Pacific time isn't awesome.

Testing Guidelines

  • My production systems started sending data again.
  • Negative test: other public CA certs in this file result in SSL verification failure.
  • Matches the cert shown as per this screenshot


Additional Notes

  • Set up an SSL Check alert in Datadog to let Datadog know when the Datadog certs change.

  • Example log lines:

2020-05-30 13:04:03 UTC | WARNING | dd.forwarder | tornado.general(iostream.py:845) | SSL Error on 10 ('34.194.202.244', 443): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
2020-05-30 13:04:03 UTC | ERROR | dd.forwarder | forwarder(ddagent.py:282) | Response: HTTPResponse(_body=None,buffer=None,code=599,effective_url='https://5-32-6-app.agent.datadoghq.com/intake/?api_key=*************************',error=HTTPError('HTTP 599: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)',),headers={},reason='Unknown',request=<tornado.httpclient.HTTPRequest object at 0x7efe28dd8f10>,request_time=0.1526319980621338,time_info={})

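As an added example (not Datadog's code and not part of this PR), here is a stand-alone Python script that scans a PEM bundle such as datadog-cert.pem and reports every certificate whose notAfter has already passed, which is the check that would have flagged this expiry ahead of the pager storm. It uses only the standard library with a minimal DER walker; the bundle at the bottom is constructed test data, not the real CA certificate.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Return notAfter of a DER-encoded X.509 certificate as a UTC datetime."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]               # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                      # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0                 # v1 certificate has no version field
    for _ in range(3):                              # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                 # validity ::= SEQUENCE { notBefore, notAfter }
    tag, raw, _ = _tlv(validity, _tlv(validity, 0)[2])
    text = raw.decode("ascii")
    if tag == 0x17:                                 # UTCTime YYMMDDHHMMSSZ: RFC 5280 century rule
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expired_certs(bundle_text, now=None):
    """Return [(index, notAfter)] for each certificate in a PEM bundle already expired at `now`."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(bundle_text)):
        not_after = cert_not_after(base64.b64decode("".join(m.group(1).split())))
        if not_after <= (now or datetime.now(timezone.utc)):
            found.append((i, not_after))
    return found

def _der(tag, body):
    return bytes([tag, len(body)]) + body            # tiny DER encoder, bodies < 128 bytes (sample only)

def sample_cert(not_after):
    """Constructed test data: structurally valid but unsigned, issuer-less v3 cert with this UTCTime notAfter."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _der(0x30, b"")
               + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after)))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

# Constructed bundle: one cert expiring on the date this PR is about, one still valid until 2030.
SAMPLE_BUNDLE = sample_cert(b"200530104838Z") + sample_cert(b"301231235959Z")
```

Point expired_certs at the contents of the agent's bundle and run it from a cron job or a Datadog custom check to get warning well before the date rather than at 4AM when verification starts failing.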
@alq666 alq666 merged commit ca79867 into DataDog:master May 30, 2020
@sodabrew sodabrew deleted the patch-1 branch May 30, 2020 13:41
@nalundgaard

@truthbk Thanks for merging this; I see that it looks like 5.32.7 has been issued with this patch; do you know when this will be available in your yum repo? I'm trying to gauge if it's appropriate to wait and update our 5.x agents via yum or pursue patching this PEM file on our 5.32.6 agents.

@truthbk
Member

truthbk commented May 30, 2020

@nalundgaard we're trying to get this fix out as soon as possible. It should be available later today barring any unforeseen issues.

Workarounds for those in need of an urgent fix before 5.32.7 is out:

  • delete /opt/datadog-agent/agent/datadog-cert.pem and restart the agent; the agent would then rely on OS-provided certificates.
  • manually copy the file provided in this patch and replace /opt/datadog-agent/agent/datadog-cert.pem and restart the agent.

@zts

zts commented May 30, 2020

@truthbk May I gently suggest that the status page be updated to point to those workarounds?

@irabinovitch
Contributor

@zts Thank you for the feedback. We are working on adding these details to the status page as well.

Successfully merging this pull request may close these issues: Proxy Certificate Expired