AWS/CLI: Difference between revisions
< AWS
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 12: | Line 12: | ||
# /usr/local/bin/aws --version | # /usr/local/bin/aws --version | ||
aws-cli/2.16.0 Python/3.11.8 Linux/5.8.0-40-generic exe/x86_64.ubuntu.20 | aws-cli/2.16.0 Python/3.11.8 Linux/5.8.0-40-generic exe/x86_64.ubuntu.20 | ||
Mytest: | |||
aws s3 cp --no-sign-request s3://kaws/test.txt ./ | |||
== Use System SSL Certificate Bundle == | |||
Error: | |||
$ aws s3 cp --no-sign-request --recursive s3://kaws/test.txt . | |||
fatal error: SSL validation failed for https://kaws.s3.amazonaws.com/?list-type=2&prefix=test.txt%2F&encoding-type=url [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1006) | |||
Cause: | |||
* Your firewall probably uses a decryption SSL certificate, and the AWS tools use an embeded copy of the SSL certificates. | |||
Solution options: | |||
My preference is option #3 - config file! | |||
Option 1. AWS_CA_BUNDLE | |||
# Debian: | |||
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt | |||
# RedHat: | |||
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt | |||
-- | |||
Option 2. REQUESTS_CA_BUNDLE | |||
# Debian: | |||
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt | |||
# RedHat: | |||
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt | |||
note: this is basically the same as option #1, but relies on the implementation. If they ever change that implementation this will break. Option #1 is better. | |||
-- | |||
Option 3. config file - MY PREFERENCE | |||
<pre> | |||
# cat > ~/.aws/config | |||
[default] | |||
ca_bundle = /etc/ssl/certs/ca-certificates.crt | |||
</pre> | |||
note: adjust cert file for debian/redhat | |||
-- | |||
Option 4. add/replace cert to their embedded cert bundle. (not recommended option) | |||
# replace their ca-certificate bundle with copy of system ca-certificate bundle | |||
cp /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore.bak | |||
cat /etc/ssl/certs/ca-certificates.crt > /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore/cacert.pem | |||
note: adjust cert file for debian/redhat |
Latest revision as of 16:29, 4 June 2024
Install
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install
ref: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#cliv2-linux-install
# sudo ./aws/install You can now run: /usr/local/bin/aws --version
# /usr/local/bin/aws --version aws-cli/2.16.0 Python/3.11.8 Linux/5.8.0-40-generic exe/x86_64.ubuntu.20
Mytest:
aws s3 cp --no-sign-request s3://kaws/test.txt ./
Use System SSL Certificate Bundle
Error:
$ aws s3 cp --no-sign-request --recursive s3://kaws/test.txt . fatal error: SSL validation failed for https://kaws.s3.amazonaws.com/?list-type=2&prefix=test.txt%2F&encoding-type=url [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1006)
Cause:
- Your firewall probably uses a decryption SSL certificate, and the AWS tools use an embeded copy of the SSL certificates.
Solution options:
My preference is option #3 - config file!
Option 1. AWS_CA_BUNDLE
# Debian: export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat: export AWS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
--
Option 2. REQUESTS_CA_BUNDLE
# Debian: export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat: export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
note: this is basically the same as option #1, but relies on the implementation. If they ever change that implementation this will break. Option #1 is better.
--
Option 3. config file - MY PREFERENCE
# cat > ~/.aws/config [default] ca_bundle = /etc/ssl/certs/ca-certificates.crt
note: adjust cert file for debian/redhat
--
Option 4. add/replace cert to their embedded cert bundle. (not recommended option)
# replace their ca-certificate bundle with copy of system ca-certificate bundle cp /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore.bak cat /etc/ssl/certs/ca-certificates.crt > /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore/cacert.pem
note: adjust cert file for debian/redhat