
I am fairly new to AWS Lambda. I am playing around with a project that I am trying to deploy using the AWS SAM CLI. Below is the command I use:

sam deploy --s3-bucket com.nilay.bucket \
           --stack-name HelloWorldLambdaJava \
           --capabilities CAPABILITY_IAM

This initially failed with an SSL certificate verification issue related to the cloudformation.us-east-1.amazonaws.com certificate. After some googling I circumvented this by exporting the certificate on my Mac, converting it to .pem format and creating a variable AWS_CA_BUNDLE. Now the deploy fails for another URL (s3.amazonaws.com?) with the same certificate issue. How can I add this certificate to the certificate bundle? It seems like the variable `AWS_CA_BUNDLE` should really take a truststore as the value, but all the documentation that I see for this has a .pem file listed in it.

The sam deploy command doesn't allow a --no-verify-ssl flag the way the AWS CLI command does.

Dunedan
Nilay Sundarkar
  • On further investigation, I think this is not the cert verify issue. I added the certs to my system keychain and that works. The error I see is - Error: Unable to upload artifact target/lambda.jar referenced by CodeUri parameter of HelloWorldLambda resource. SSL validation failed for https://s3.amazonaws.com/com.nilay.bucket/ae9b989e6c7d9e3ac87aa5a397361557 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076) – Nilay Sundarkar Apr 10 '20 at 21:02
  • How did you install the AWS SAM CLI? Which version did you install? – Dunedan Apr 11 '20 at 11:33
  • I used homebrew to install sam cli. It seems this is an issue with my office laptop/network policy. I tried the same steps on my personal laptop and things are working. Also for the above error, a lot of articles point towards running the Install Certificates.command Python command on mac. I was not able to find that on my office laptop. – Nilay Sundarkar Apr 11 '20 at 17:36
  • I am getting this exact same issue. I don't think running the Install Certificates.command will work because I tried it, and also it is for Python packages. However, if you want to try it you can find it in the `/Applications/Python3.8` folder. Run it by `./Install Certificates.command`. Please comment below if you already found a fix for this. – erathina Apr 20 '20 at 04:26
  • I did not find a solution to it. However the setup worked just fine on my personal laptop, so I assumed it was something to do with my work laptop's security settings and vpn firewalls. – Nilay Sundarkar Apr 20 '20 at 23:21
  • @nilay-sundarkar Have you solved this problem? – mikezang Sep 14 '20 at 01:40

2 Answers

I did two things:

A) The first problem was solved for me from the following link. It was an issue using PIP and accessing AWS services. SSL CERTIFICATE_VERIFY_FAILED in aws cli

Unfortunately python requests do not use any operating system's CA trust store. https://github.com/requests/requests/issues/2966 You have to set REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE environment variables https://github.com/bloomreach/s4cmd/issues/111#issuecomment-406839514

I'm accessing AWS from my corporate network. I have no issues when connecting from home on my own computer.

The solution for me is to get the root certificate used when making connections and to save it locally somewhere as a .PEM file.

Then create two local environment variables and point them to the .PEM file. Run these commands to set the environment variables (or do it manually):

setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

setx REQUESTS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

B) The other thing I did was to update the Python certifi package. I then appended the cacert.pem file (C:\Python\Python38\Lib\site-packages\certifi\cacert.pem) with the contents of the RootCert.pem that I downloaded.

c121hains


Just to explain how you can generate the required file (typically for your corporate network).

On your PC with git installed, use the git shell (this also works from the VSCode Git Bash terminal). Git also installs openssl, so no worries ....

In the terminal (git bash) type

echo | openssl s_client -showcerts -servername s3.eu-central-1.amazonaws.com -connect s3.eu-central-1.amazonaws.com:443 2>/dev/null

then grab all parts

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

including the header and footer, so that you have the whole certificate chain, and save them to a ca-bundle.pem file.

After that modify your aws config file

C:\Users\YOURNAME_HERE\.aws\config

[default]
region = eu-central-1
output = yaml
ca_bundle = C:/aws/ca-bundle.pem
Veljac
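The two answers above amount to one procedure: capture the chain that `openssl s_client -showcerts` prints, turn the BEGIN/END blocks into a bundle, and point AWS_CA_BUNDLE / REQUESTS_CA_BUNDLE (or `ca_bundle` in the config file) at that bundle, because botocore and requests consult a PEM bundle rather than the OS keychain. The script below is an added example, not code from the question or either answer. It parses an s_client capture into PEM blocks, merges them with an existing bundle (a stand-in for certifi's cacert.pem) without creating duplicates, and reports which bundle path the environment currently selects. The certificate bodies and the s_client transcript are constructed, not real X.509 data, so only PEM framing, base64 validity and de-duplication are exercised; a real bundle should still be checked with `openssl verify` before it is trusted.

```python
"""Assemble and inspect a CA bundle for the AWS CLI / SAM CLI.

Added example. Sample certificates below are constructed placeholders,
not real X.509 certificates.
"""
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _wrap_pem(b64):
    """Re-emit a base64 body as a PEM block with 64-column lines."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_pem_certs(text):
    """Return every certificate block in `text` as a normalised PEM string.
    Lines outside the BEGIN/END markers (s_client's depth= lines, session
    info, 'Verify return code') are ignored. Raises ValueError when a body is
    not valid base64, which catches a block that was copied incompletely."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        certs.append(_wrap_pem(b64))
    return certs


def fingerprint(pem):
    """SHA-256 over the DER bytes (what `openssl x509 -fingerprint -sha256`
    prints, without the colons)."""
    body = PEM_BLOCK.search(pem).group(1)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def merge_bundles(*pem_texts):
    """Concatenate certificates from several PEM texts, keeping the first copy
    of each fingerprint, so appending the same corporate root twice is harmless."""
    seen, out = set(), []
    for text in pem_texts:
        for cert in extract_pem_certs(text):
            fp = fingerprint(cert)
            if fp not in seen:
                seen.add(fp)
                out.append(cert)
    return "".join(out)


def is_valid_pem_bundle(text):
    """True if every block decodes and at least one certificate is present."""
    try:
        return len(extract_pem_certs(text)) > 0
    except ValueError:
        return False


def bundle_in_use(env=None):
    """Report (source, path) for the bundle the tooling will read.
    AWS_CA_BUNDLE is read by botocore (and so by the SAM CLI), REQUESTS_CA_BUNDLE
    by the requests library; with neither set, the fallback is certifi's
    cacert.pem rather than the OS keychain, which is why adding the cert to the
    system store alone did not help the asker. The precedence order here is an
    assumption for illustration; set both variables as the first answer does."""
    env = os.environ if env is None else env
    for var in ("AWS_CA_BUNDLE", "REQUESTS_CA_BUNDLE"):
        if env.get(var):
            return var, env[var]
    try:
        import certifi
        return "certifi", certifi.where()
    except ImportError:
        return "certifi", None


def _fake_cert(label):
    """Constructed PEM-framed block: base64 of a label, NOT a real certificate."""
    return _wrap_pem(base64.b64encode(label.encode()).decode())


# Constructed stand-in for `echo | openssl s_client -showcerts -connect
# s3.eu-central-1.amazonaws.com:443` output, reduced to the lines that matter.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=2 C = US, O = Example Corp, CN = Example Corporate Root CA\n"
    "verify return:1\n"
    " 0 s:CN = s3.eu-central-1.amazonaws.com\n"
    + _fake_cert("constructed leaf certificate")
    + " 1 s:CN = Example Corporate Intermediate CA\n"
    + _fake_cert("constructed intermediate certificate")
    + " 2 s:CN = Example Corporate Root CA\n"
    + _fake_cert("constructed corporate root certificate")
    + "Verify return code: 0 (ok)\n"
)

# Constructed existing bundle (stand-in for certifi's cacert.pem) that already
# contains the corporate root plus one unrelated public root.
EXISTING_BUNDLE = (
    _fake_cert("constructed public root certificate")
    + _fake_cert("constructed corporate root certificate")
)


def build_bundle(out_path, existing=EXISTING_BUNDLE, captured=SAMPLE_S_CLIENT_OUTPUT):
    """Write the merged bundle to `out_path` (e.g. C:/aws/ca-bundle.pem from the
    second answer) and return how many certificates it holds."""
    merged = merge_bundles(existing, captured)
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(merged)
    return merged.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    print(len(extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)), "certificates in capture")
    print("bundle source:", bundle_in_use())
```

Running the module prints how many blocks the capture contained and which bundle the current environment selects; calling `build_bundle("C:/aws/ca-bundle.pem")` writes the merged file that the `ca_bundle` line in `.aws/config` or the AWS_CA_BUNDLE variable can then point at. Merging by fingerprint rather than blindly appending, as the first answer does, keeps the bundle from growing a duplicate root every time the procedure is repeated.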