Nilay Sundarkar

Reputation: 401

Certificate issue on sam deploy

I am fairly new to AWS Lambda. I am playing around with a project that I am trying to deploy using the AWS SAM CLI. Below is the command I use:

sam deploy --s3-bucket com.nilay.bucket \
           --stack-name HelloWorldLambdaJava \
           --capabilities CAPABILITY_IAM

This initially failed with an SSL certificate verification issue related to the cloudformation.us-east-1.amazonaws.com certificate. After some googling I circumvented this by exporting the certificate to my Mac, converting it to .pem format and creating a variable AWS_CA_BUNDLE. Now the deploy fails for another URL (s3.amazonaws.com?) with the same certificate issue. How can I add this certificate to the certificate bundle? It seems like the variable AWS_CA_BUNDLE should really take a truststore as the value, but all the documentation that I see for this has a .pem file listed in it.

The sam deploy command doesn't allow the --no-verify-ssl flag as the AWS CLI command does.

Upvotes: 2

Views: 5639

Answers (2)

Veljac

Reputation: 1190

Just to explain how you can generate the required file (typically for your corporate network).

On your PC with git installed, use the git shell with the command below (it also works from the VSCode Git Bash terminal). Git also installs openssl, so no worries ....

In the terminal (git bash) type

echo | openssl s_client -showcerts -servername s3.eu-central-1.amazonaws.com -connect s3.eu-central-1.amazonaws.com:443 2>/dev/null

then grab all parts

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

including the header and footer lines, so that you have the whole certificate chain, and save them to a ca-bundle.pem file

After that, modify your aws config file

C:\Users\YOURNAME_HERE\.aws\config

[default]
region = eu-central-1
output = yaml
ca_bundle = C:/aws/ca-bundle.pem

Upvotes: -1

c121hains

Reputation: 95

I did two things:

A) The first problem was solved for me by the following link. It was an issue using pip and accessing AWS services: SSL CERTIFICATE_VERIFY_FAILED in aws cli

Unfortunately Python requests does not use the operating system's CA trust store. https://github.com/requests/requests/issues/2966 You have to set the REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE environment variables https://github.com/bloomreach/s4cmd/issues/111#issuecomment-406839514

I'm accessing AWS from my corporate network. I have no issues when connecting from home on my own computer.

The solution for me is to get the root certificate used when making connections and to save it locally somewhere as a .PEM file.

Then create two local environment variables and point them to the .PEM file. Run these commands to set the environment variables (or do it manually):

setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

setx REQUESTS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

B) The other thing I did was update the Python certifi package. I then appended the contents of the RootCert.pem that I downloaded to the cacert.pem file: C:\Python\Python38\Lib\site-packages\certifi\cacert.pem

Upvotes: 1
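Both answers end with the same manual step: copy the BEGIN/END CERTIFICATE blocks out of `openssl s_client -showcerts` output into a bundle file (ca-bundle.pem in the first answer, certifi's cacert.pem in the second). The Python script below is an added example, not code from either answer: it parses that output, fingerprints each certificate by SHA-256 over its DER bytes, and appends only the ones the bundle does not already hold, so running it again for a second host (the question's s3.amazonaws.com after cloudformation.us-east-1.amazonaws.com) adds that host's certificate but not the shared CA a second time. The s_client output and the certificate blocks in it are constructed placeholders, not real certificates, and the name `Example Corporate CA` is made up.

```python
from __future__ import annotations
import base64
import hashlib
import re

# One PEM certificate block; re.S lets '.' span the base64 lines between the markers.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_certs(text: str) -> list[bytes]:
    """DER bytes of each certificate block in `text` (raw `openssl s_client -showcerts` output is fine:
    the CONNECTED/depth/subject lines are ignored; a truncated, non-base64 block raises)."""
    return [base64.b64decode("".join(body.split()), validate=True) for body in PEM_BLOCK.findall(text)]

def to_pem(der: bytes) -> str:
    """Re-wrap DER as a PEM block with the standard 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes: what `openssl x509 -noout -fingerprint -sha256` prints, minus colons."""
    return hashlib.sha256(der).hexdigest()

def merge_bundle(existing_bundle: str, s_client_output: str) -> tuple[str, list[str]]:
    """Append certs from s_client output to the bundle, skipping fingerprints already present.
    Returns (merged bundle text, list of fingerprints that were added)."""
    known = {fingerprint(d) for d in extract_certs(existing_bundle)}
    out = existing_bundle + ("\n" if existing_bundle and not existing_bundle.endswith("\n") else "")
    added: list[str] = []
    for der in extract_certs(s_client_output):
        fp = fingerprint(der)
        if fp not in known:  # the same CA appears in every proxied chain; store it once
            known.add(fp)
            added.append(fp)
            out += to_pem(der)
    return out, added

def sample_s_client_output(host: str) -> str:
    """Constructed text shaped like `openssl s_client -showcerts` output: leaf first, then its issuer."""
    def fake(label: str) -> str:  # placeholder with valid base64 framing, NOT a real X.509 certificate
        return to_pem(f"constructed placeholder, not a real certificate: {label}".encode())
    return ("CONNECTED(00000003)\n---\nCertificate chain\n"
            f" 0 s:CN = {host}\n   i:CN = Example Corporate CA\n" + fake(host)
            + " 1 s:CN = Example Corporate CA\n   i:CN = Example Corporate CA\n"
            + fake("corporate-ca") + "---\n")

if __name__ == "__main__":  # the question's two hosts: first merge adds leaf + CA, second only its leaf
    bundle, first = merge_bundle("", sample_s_client_output("cloudformation.us-east-1.amazonaws.com"))
    bundle, second = merge_bundle(bundle, sample_s_client_output("s3.amazonaws.com"))
    print(f"first merge added {len(first)}, second added {len(second)}; bundle holds {len(extract_certs(bundle))}")
```

Point AWS_CA_BUNDLE (and REQUESTS_CA_BUNDLE) at the merged file rather than editing certifi's cacert.pem in place, since a certifi upgrade replaces that file.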
