
Has anybody else been seeing this error, when trying to upload an AMI bundle to S3?

Error talking to S3: Curl.Error(60): SSL certificate problem: self signed certificate in certificate chain

Just started happening yesterday, was working fine on Friday. There are some similar problems reported when using the PHP toolkit -

But I don't think they're exactly the same as my problem. I'm not using dots in my bucket name...

More traceback:

Created image.part.174
Created image.part.175
Generating digests for each part...
Digests generated.
Unable to read instance meta-data for ramdisk-id
Unable to read instance meta-data for product-codes
Creating bundle manifest...
ec2-bundle-vol complete.
ERROR: Error talking to S3: Curl.Error(60): SSL certificate problem: self signed certificate in certificate chain

Is there some kind of environment variable I could use to (temporarily) switch off SSL verification for curl before running ec2-upload-bundle maybe?

hwjp
  • for now I've hacked a fix by changing line 66 of `lib/ec2/common/curl.rb` to `invocation = "curl -k -sSL #{command}"` -- adding the `-k` flag. – hwjp Nov 04 '12 at 14:42
  • hm, I wonder if it's to do with ec2-bundle-vol not transferring gpg files by default? http://mijndertstuij.nl/2012/05/aws-ec2-ubuntu-no-keyring-installed-error/ – hwjp Nov 04 '12 at 15:20
  • yes, it looks like the problem is that the machine I'm running from is from an AMI that I create using ec2-bundle-vol, which strips out all .pem and .gpg files because they're "sensitive", thus breaking SSL. – hwjp Nov 04 '12 at 15:28

1 Answer


It looks like you might be running ec2-upload-bundle from an AMI that was previously packaged using ec2-bundle-vol, which strips out lots of different files on the system before creating the system image (to avoid sensitive information making it into the image). From the AWS Docs:

By default, the bundle process excludes files that might contain sensitive information. These files include *.sw, *.swo, *.swp, *.pem, *.priv, *id_rsa*, *id_dsa*, *.gpg, *.jks, */.ssh/authorized_keys, and */.bash_history. To include all of these files, use the --no-filter option. To include some of these files, use the --include option.

In this case, it looks like the root certificates database on your system got screwed up. On Ubuntu (and maybe other distributions), running this command reloads the root certificates on the system, which fixes the problem:

`update-ca-certificates`
ejdyksen
  • Spot on, thanks. To get around this, you need to add something like `--include /etc/ssl/certs` to the `ec2-bundle-vol` command. – Gray Feb 11 '15 at 22:26
  • Thanks, this fixed the problem for me. On CentOS `update-ca-trust` does the job – shshnk Dec 21 '16 at 08:16
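As an added illustration (not code from the question, the answer, or the AMI tools themselves), the POSIX shell script below simulates the default "sensitive file" filter that the quoted AWS documentation describes for `ec2-bundle-vol`, applied to a constructed sample tree. It shows why the per-CA `*.pem` entries under `etc/ssl/certs` disappear from a bundled image while `ca-certificates.crt` survives, and how force-including that directory (the `--include` approach from the comment above) keeps them. The file names, the sample layout and the pattern matching are assumptions made for this example; the tool's real filter code is not reproduced here.

```shell
#!/bin/sh
# Added example: simulate the documented ec2-bundle-vol exclusion filter on a
# constructed sample tree. The matching is an approximation written for this
# example, not the AMI tools' own code.

# Return 0 if the absolute path matches one of the documented exclusion
# patterns from the AWS doc excerpt, 1 otherwise.
is_default_excluded() {
  case "$1" in
    *.sw|*.swo|*.swp|*.pem|*.priv|*id_rsa*|*id_dsa*|*.gpg|*.jks) return 0 ;;
    */.ssh/authorized_keys|*/.bash_history) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the paths (relative to the tree root in $1) that would survive
# bundling. $2 is an optional relative directory to force-include, standing
# in for the --include option mentioned in the comments.
bundle_survivors() {
  tree="$1"; include="${2:-}"
  (cd "$tree" && find . \( -type f -o -type l \) | sed 's|^\./||') |
  while IFS= read -r rel; do
    if [ -n "$include" ] && [ "${rel#"$include"/}" != "$rel" ]; then
      printf '%s\n' "$rel"      # forced in by the include directory
      continue
    fi
    is_default_excluded "/$rel" || printf '%s\n' "$rel"
  done
}

# Build a constructed sample root; every name below is made up for the demo.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/ssl/certs" "$t/home/alice/.ssh" "$t/root/.gnupg"
  : > "$t/etc/ssl/certs/ca-certificates.crt"   # concatenated CA bundle (.crt)
  : > "$t/etc/ssl/certs/Example_Root_CA.pem"    # per-CA entry, matches *.pem
  : > "$t/home/alice/.ssh/authorized_keys"
  : > "$t/home/alice/.ssh/id_rsa"
  : > "$t/root/.bash_history"
  : > "$t/root/.gnupg/secring.gpg"
  printf '%s\n' "$t"
}

# Number of files that survive; $1 = tree, $2 = optional include dir.
survivor_count() {
  bundle_survivors "$1" "$2" | wc -l | tr -d ' '
}

tree=$(make_sample_tree)
echo "Default filter keeps:"
bundle_survivors "$tree"
echo "With the etc/ssl/certs directory force-included, keeps:"
bundle_survivors "$tree" etc/ssl/certs
rm -rf "$tree"
```

Run as is: with the default filter only `etc/ssl/certs/ca-certificates.crt` survives; with the certificate directory force-included the `.pem` entry survives too, while keys, shell history and the GPG keyring are still dropped. The CA store is public material, so carrying it into the image (or rebuilding it on the new instance with `update-ca-certificates`, as the answer says) restores verification without the downside of `curl -k`, which would leave the uploads unverified. On a live instance, a plain `curl -sS -o /dev/null https://s3.amazonaws.com/` with no `-k` is the quick check that verification works again after the fix.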