Cannot issue requests

[petemounce]

I'm using Windows 8.1, ruby 2.0.0-p451 x86, rubygems 2.3.0, and aws-sdk-core.rc14 (I think the last working version I've used was .rc8, but there are breaking changes between then and 14, so I haven't gone back and tried that to confirm).

I have code like

        Aws.config[:region] = opts[:region]
        personal = Aws::SharedCredentials.new(profile_name: opts[:team], path: "#{Dir.home}/.aws/credentials")
        iam = Aws::IAM::Client.new({
          credentials: personal
        })
        lr = iam.list_roles path_prefix: '/feature_roles/'

My credentials are valid and allow me permission to list roles.

Instead, I get the stack trace (further below).

Googling turned up https://forums.aws.amazon.com/thread.jspa?threadID=85553 - is there a similar option I should be setting in v2? I have never needed to before (apparently an option was added in 1.3.3), and need a bit of help to get past this.

I also found this suggestion for a related monkey patch but haven't tried it.

C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Seahorse::Client::Http::Error)
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/timeout.rb:66:in `timeout'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:857:in `start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:279:in `start_session'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:102:in `session_for'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:56:in `transmit'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:27:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/content_length.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/xml/error_handler.rb:8:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/request_signer.rb:79:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:88:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/query/handler.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/response_paging.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/user_agent.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/restful_bindings.rb:13:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/endpoint.rb:35:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_validation.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_conversion.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/request.rb:70:in `send_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/operation_methods.rb:43:in `block (2 levels) in add_operation_helpers'
        from C:/src/je/toolbox/lib/toolbox/aws_config_via_sts.rb:10:in `configure_aws'

[petemounce]

I dug up https://github.com/rubygems/rubygems/blob/e0f36770d0df08ad02beb0474a341aa3a4378f1f/History.txt#L94 too.

[petemounce]

I have another script taking a dependency on rc10, and that works.

[trevorrowe]

Prior to rc11, the SDK shipped with a SSL CA bundle. This was used when making HTTPS requests to verify the peer SSL certificates.

The SDK now relies on the OpenSSL installation on the system to have the correct cert configured. My guess is your Windows Ruby installation does not have a cert available.

There are two ways to resolve this issue:

1. disable peer certificate verification.
2. configure a valid CA bundle

Disabling the peer verification will work, but I strongly recommend against this for security reasons. The SDK feature for disabling this check is primarily for internal testing.

# I strongly recommend never doing this
Aws.config[:ssl_verify_peer] = false

The better solution requires correctly configuring a SSL CA bundle for your system. Most of the time, this happens when you install Ruby. I imagine the Ruby installer is possibly not doing this correctly, or at all. The default behavior for Net::HTTP is to not verify certificates. :(

The following should work:

• Download a cert bundle. Previously I was following instructions on this page from the libcurl project: http://curl.haxx.se/docs/caextract.html. The biggest problem is this website is not hosted over SSL. They now link to another https source: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
• Put the downloaded ca-bundle.crt file somehwere you application can reference.
• Add the following configuration to your application:

Aws.config[:ssl_ca_bundle] = '/path/to/ca-bundle.crt'

I found instructions on StackOverflow for how to configure the path to a CA bundle via ENV on windows: http://stackoverflow.com/questions/5720484/how-to-solve-certificate-verify-failed-on-windows#answer-16134586

I'm guessing this would eliminate the need to configure the SDK, and should make it available to OpenSSL by default.

[trevorrowe]

I should also add, that we stopped including a ca bundle for security reasons. Downstream consumers, like linux distro maintainers, that create packages from the SDK prefer for the system cert to be used. Hopefully environments without a default configured cert are un-common. If this is a common problem, we may need to revisit the ensure a good default experience.

[petemounce]

@trevorrowe thanks for the detailed response. I went with option 2 - download the bundle, stick it somewhere useful, define an environment variable, and configure the SDK to use the path stored in the env-var.

[pinbot]

It's only a 'non issue' once one finds this discussion and how to fix it. So maybe at least some kind of check that produced a more helpful error message would significantly improve the 'default experience'