AWS SSL Certificate issue --ca-bundle AWS_CA_BUNDLE

gistfile1.txt

This gets around the issue seen below when trying to run AWS CLI commands. Some networking devices that intercept the traffic can act like a main in the middle so can cause this issue

$ aws s3 ls

SSL validation failed for https://s3.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)


There are a few ways to fix this, AWS docs say you can add the line for ca_bundle to the ~/.aws/config file but this didn't work for me as it was being overridden by a global environment variable. 

[default]
region = eu-west-1
output = json
ca_bundle = path/to/ca-cert/cacert.pem


From a bash shell type the command below to see if you have an existing environment variable set

  env | grep AWS_CA_BUNDLE
  
  It there is nothing that comes back then try the config file fix above. If there is something set then you may need to override it by setting the variable to the point to the correct path
  
  I did this with the following line in my .bash_profile file. 
  
  export AWS_CA_BUNDLE=/path/to/ca-cert/cacert.pem
  
  Restart your shell and try the env command again, it should have been updated. 
  Then try the AWS commands again and they should work
  
  References = https://docs.amazonaws.cn/en_us/cli/latest/userguide/cli-configure-files.html#cli-configure-files-global

I just updated to 2.13.34 and it looks to be following the ca_bundle config file setting now. I don't see anything in the release notes though for any fix, so (shrug).

Strike that, looks like the certs must have been cached or something, as it's no longer honoring the config file and I've had to manually add the cert of our forward proxy to "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem" in order for it to work. Underlying issue still looks to be there.