aws-sam-cli
SSL proxy causing issues with deploy
Description
I know there are some issues already created for 'sam build' in an environment with an SSL intercept, and I think I have resolved those on my local Windows machine, but I don't seem to be able to get around this error when using 'sam deploy'. I am getting this error:
Botocore Exception : SSL validation failed for https://cloudformation.us-east-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
I don't see any way to get boto to be aware of my cert bundle that got me around the other tools. It would be THE BEST if there was a --verify-ssl-cert=false that could be passed to all the subsequent tools that sam depends on.
Maybe I need to hard code a boto flag and recompile?
Steps to reproduce
- Have an untrusted intercepting proxy.
- Try to deploy with: sam deploy --template-file packaged.yaml --stack-name demo-stack --capabilities CAPABILITY_IAM --debug
Observed result
Botocore Exception : SSL validation failed for https://cloudformation.us-east-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
Expected result
Success deploying
Additional environment details (Ex: Windows, Mac, Amazon Linux etc)
- OS: Windows 10
- sam --version: SAM CLI, version 0.43.0
Add --debug flag to command you are running
@paladinu Why would you want to skip SSL verification altogether? Do you have a CA bundle you are using instead? If so, have you tried setting AWS_CA_BUNDLE to that bundle?
Relevant docs: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#environment-variable-configuration
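As an added example (not code from this thread or from the SAM CLI project), the helper below mirrors the lookup order the linked boto3 guide documents, AWS_CA_BUNDLE first and then ca_bundle in the active profile of ~/.aws/config, and then probes an endpoint with only that bundle so you can see whether the bundle actually validates the intercepting proxy's chain; the function names are my own, and the endpoint in the usage block is the one from this issue.

```python
"""Resolve the CA bundle botocore should use and check it against an endpoint."""
import configparser
import os
import socket
import ssl


def resolve_ca_bundle(env, config_text, profile="default"):
    """Return the bundle path botocore is expected to pick, or None.

    Lookup order assumed here (per the boto3 configuration guide):
    the AWS_CA_BUNDLE environment variable first, then the 'ca_bundle'
    key of the selected profile in ~/.aws/config. Non-default profiles
    live in '[profile NAME]' sections.
    """
    if env.get("AWS_CA_BUNDLE"):
        return env["AWS_CA_BUNDLE"]
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if cfg.has_section(section) and cfg.has_option(section, "ca_bundle"):
        return cfg.get(section, "ca_bundle")
    return None


def probe_endpoint(host, bundle, port=443, timeout=10):
    """Handshake with `host` trusting only `bundle` (None = system store).

    Returns (True, issuer_dict) when the chain validates, otherwise
    (False, error_text). An intercepting proxy shows up as a non-Amazon
    issuer; a bundle missing the proxy root shows up as a verify error.
    """
    ctx = ssl.create_default_context(cafile=bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/config")
    text = open(path).read() if os.path.exists(path) else ""
    bundle = resolve_ca_bundle(dict(os.environ), text)
    print("effective CA bundle:", bundle)
    print(probe_endpoint("cloudformation.us-east-2.amazonaws.com", bundle))
```

If the probe fails with the bundle that `resolve_ca_bundle` returns, the bundle itself is incomplete for the proxy's chain; if it succeeds while sam deploy still fails, the CLI is not picking up that setting.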
I have AWS_CA_BUNDLE set and SAM seems to be ignoring it, as I also get the CERTIFICATE_VERIFY_FAILED error unfortunately. Allowing a --no-verify-ssl option would be ideal.
I’m not sure how I can use SAM while on my VPN at work at the moment without a workaround.
@jfuss would you accept a pull request allowing specifying a --no-verify-ssl parameter which would translate into adding verify=False in the boto3 clients?
@jplock Check out #1930. The env var should be working.
@jfuss I tried setting ca_bundle in my .aws/config as well, but unfortunately that didn't work either. We use IronPort devices at work which are MITM'ing all SSL traffic, and we've even whitelisted 'cloudformation.us-east-1.amazonaws.com', but it's still not working.
SSL validation failed for https://cloudformation.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)
The only thing that does seem to work is using aws --no-verify-ssl cloudformation deploy --template-file packaged-template.yml ....
Hi Jacob,
This option is not working. I am able to deploy to us-west-2, but not able to deploy to us-east-1. Are there any other factors that can cause this behavior?
botocore.exceptions.SSLError: SSL validation failed for https://aws-sam-cli-managed-default-samclisourcebucket-xxxx.s3.amazonaws.com/<stack-name>/xxx.template [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1124)
It was working for me and then suddenly it stopped. My corporate proxy issues a temporary certificate, which had expired. I removed all my expired certs and added the new one. Then I ran sudo update-ca-certificates and it started working again.
For me, any of the techniques, setting the env variable or putting it in the config file, WORKS FOR AWS CLI ONLY but DOESN'T WORK for SAM CLI, similar to jplock.
The --region parameter, to avoid talking to the wrong region, didn't help.
Are you saying that both ENV or config should work also for SAM CLI?