Seahorse SSL certification error #166

Closed
3str opened this Issue Dec 2, 2014 · 21 comments

3str commented Dec 2, 2014

I'm using aws-sdk-core 2.0.11.pre. I'm running Ruby 2.1.5 on Windows. When I run:

```
require 'aws-sdk'
sqs = Aws::SQS::Resource.new(region: 'us-west-2')
q1 = sqs.get_queue_by_name(queue: 'cloud-batch-tasks')
```

I get the following error:

```
Seahorse::Client::Http::Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed from C:/Ruby21/lib/ruby/2.1.0/net/http.rb:920:in `connect'
```

I never got this error in aws-sdk-v1. Is this an issue of the new SDK? Thanks.

Member

trevorrowe commented Dec 2, 2014

Does the error persist if you update to the latest stable version of aws-sdk-core?

3str commented Dec 2, 2014

I'm using aws-sdk-core version 2.0.11. I believe it is the latest version. The error still persists.

Member

trevorrowe commented Dec 2, 2014

Sorry, I saw you listed the .pre tag, and I mixed this up with 2.0.0.rc11. See my response in a related issue here:

#93 (comment)

Short answer is the Ruby SDK no longer bundles a SSL certificate. It relies on OpenSSL in Ruby being correctly configured. The linked issue above gives some simple work-arounds for when this is not the case.

3str commented Dec 2, 2014

Thanks for your reply. However, although I followed your instructions on configuring an SSL cert bundle, I still got the same error; only the first solution (disable peer certificate verification) worked. My system is Windows 8.1, Ruby 2.1.5.

Member

trevorrowe commented Dec 4, 2014

Can you share the code for how you configured the cert bundle with the SDK?

ostap36 commented Dec 5, 2014

Hello @trevorrowe, I've faced a similar issue as 3str. Despite downloading the cert bundle as per #93 (comment) and including the following in my code:

```
require 'aws-sdk-core'
Aws.config[:ssl_ca_bundle] = 'C:\temp\ca-bundle.crt'
```

I was still getting the cert verification failure. The culprit turned out to be the cert bundle itself: it seems to be lacking the appropriate Verisign CA root cert that's in use by AWS endpoints. I've updated the cert bundle file with what the v1 SDK used to ship with, https://github.com/aws/aws-sdk-ruby/blob/master/ca-bundle.crt, and then SSL verification went through just fine. Is there another more appropriate authoritative source for the bundle that's in line with AWS endpoint certs that should be used? Thank you.
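
The failure mode described in the comment above, as an added example (not code from the thread or from the SDK): with peer verification left on, a leaf certificate fails against a CA bundle that lacks its issuing root and verifies once that root is in the bundle. The certificates, subject names and helper functions here are constructed for the demonstration.

```ruby
require 'openssl'
require 'tempfile'

# Build a throwaway certificate (constructed test PKI, not real AWS or Verisign certs).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# List the subject of every certificate in a PEM bundle, to see which roots it holds.
def bundle_subjects(bundle_path)
  pems = File.read(bundle_path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  pems.map { |pem| OpenSSL::X509::Certificate.new(pem).subject.to_s }
end

# Verify `leaf` trusting only the CAs in bundle_path. Returns [ok, error_string].
def verify_with_bundle(leaf, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Run the same leaf against a bundle without its root and a bundle with it.
def demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Constructed Root CA', root_key, ca: true)
  other = make_cert('Unrelated Root CA', other_key, ca: true, serial: 2)
  leaf = make_cert('endpoint.example.test', leaf_key,
                   issuer_cert: root, issuer_key: root_key, serial: 3)

  bundles = { incomplete: [other], complete: [other, root] }
  results = {}
  bundles.each do |name, cas|
    Tempfile.create(['ca-bundle', '.crt']) do |f|
      f.write(cas.map(&:to_pem).join)
      f.flush
      ok, err = verify_with_bundle(leaf, f.path)
      results[name] = { ok: ok, error: err, subjects: bundle_subjects(f.path) }
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: verified=#{r[:ok]} (#{r[:error]}) CAs=#{r[:subjects].inspect}" }
end
```

Running `bundle_subjects` against a real bundle file shows whether the root that issued an endpoint's chain is present before that file is handed to the SDK.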

3str commented Dec 5, 2014

Thanks ostap36. What you described is exactly what I did. I can make it through the SSL verification now.

trackzero commented Dec 16, 2014

Oh, sweet baby cheeses that was a pain in the ass to track down. Thanks, ostap36. I was about to get all murdery & whatnot.

Member

trevorrowe commented Jan 12, 2015

I'm leaving this issue open. We are still evaluating how best to handle this experience. On one hand, we do not want to own the responsibility and security concerns along with bundling an SSL cert bundle with the SDK. Previously we've been asked fairly by users that package the SDK up for various distros to remove this so the SDK can rely on the system cert. These are the primary reasons why the v2 SDK does not bundle a cert.

That said, I understand that there is developer pain when the Ruby OpenSSL cert is not available or correctly configured by default (seems to be common with Windows Ruby installations). I'm open to suggestions.

mikesimons commented Mar 17, 2015

Just ran into #93 when testing an upgrade from 1.34.1 -> 2.0.30 on Windows 8.1 & ChefDK 0.4.0.

How about bundling the cert disabled by default for Linux platforms but enabled for Windows? I've had similar experiences supporting Windows users w/ Ruby; the certs are almost universally either not available or outdated.

Either an env flag or Aws.config[:enable_aws_ssl_ca_bundle] could be used to manually turn it on.

Perhaps also a retry limit if there isn't one (didn't seem to be here, though that could be the app at fault) and a tailored error message augmenting the failure about CA cert bundle possibly being unavailable / invalid, etc.

adriaanm commented Apr 29, 2015

FWIW, after an upgrade to aws v2 I ran into this with chef on amazon linux and ubuntu, where I managed to make chef-client (and seahorse) happy again as follows:

  • SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt chef-client (ubuntu)
  • SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt chef-client (amazon linux)

(EDIT: see https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/, https://github.com/opscode-cookbooks/chef-client#attributes for more info)

Member

trevorrowe commented Jun 12, 2015

Version 2.1.0 of aws-sdk-core has shipped and this now includes a bundled certificate that is disabled by default. If you are running into issues with your environment not having access to a CA cert bundle you can run the following command after you require the sdk:

```
Aws.use_bundled_cert!
```

attabot commented Jun 23, 2015

@trevorrowe how to download the ca.bundle.crt from GitHub as it is a text file. pls help me

attabot commented Jun 23, 2015

@trevorrowe I am getting this error when I tried "aws sdk core solution"
Error

```
C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/aws-sdk-core-2.1.1/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': Aws::S3::Errors::BadRequest
```

Member

trevorrowe commented Jun 23, 2015

@attabot That error indicates that you have successfully made a HTTP request with SSL. That means the bundled cert has resolved this issue.

The Aws::S3::Errors::BadRequest indicates there is some other problem with your request. Feel free to jump into our Gitter channel and we can help you debug your issue.

attabot commented Jun 24, 2015

hey this works! can u suggest any tutorial or source to learn automating
aws with rpec


habelson commented Oct 23, 2015

I am trying to use the kitchen-ec2 driver for test kitchen, and I am unsure of where I should put:

```
Aws.use_bundled_cert!
```

in order to avoid this issue.

llange added a commit to llange/miam that referenced this issue Mar 10, 2016

Fix aws-sdk-core issue 'certificate verify failed'
On Mac OS X (and may be other platforms, didn't test), any usage
of aws-sdk-core seems to fail with the following message:
[ERROR] SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The fix is documented here aws/aws-sdk-core-ruby#166 (comment)

StevenHarlow commented May 15, 2016

I am running into this issue with ruby 2.3.1, Rails 4.1.8, aws-sdk-core 2.3.4, and carrierwave 0.11.0 on OSX Yosemite.

I have unsuccessfully tried using Aws.config[:ssl_ca_bundle] = '/ca-bundle.crt' (with ca-bundle.crt in the application root), with the cert found here: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

I have also tried adding

    require 'aws-sdk-core'
    Aws.use_bundled_cert!

to my carrierwave.rb file before (and also tried after) the CarrierWave.configure block.

Has there been a fix to this?

heaven commented Jul 25, 2016

Seeing this same error with paperclip on heroku.

Member

trevorrowe commented Jul 25, 2016

@heaven You can call Aws.use_bundled_cert! as a workaround. If this doesn't resolve your issue, please open an issue on our main repo here: github.com/aws/aws-sdk-ruby/issues

heaven commented Jul 25, 2016

Hi, sorry it was my mistake, everything is good with the cert, I had a wrong region selected.

troyready added a commit to troyready/sensu-transport-snssqs-ng that referenced this issue Aug 3, 2016

fix windows aws ssl cert verification
The sensu ruby install on Windows doesn't include the proper certs (or
if it does they're not loaded properly) to connect to AWS.
`@sns.publish` generates an error like:

```
C:/opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)
```

Using the cert bundle included with the aws-sdk-core gem should work
around this.

Sourced from aws/aws-sdk-core-ruby#166 (comment)

troyready added a commit to troyready/sensu-transport-snssqs-ng that referenced this issue Nov 8, 2016

fix windows aws ssl cert verification
The sensu ruby install on Windows doesn't include the proper certs (or
if it does they're not loaded properly) to connect to AWS.
`@sns.publish` generates an error like:

```
C:/opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)
```

Using the cert bundle included with the aws-sdk-core gem should work
around this.

Sourced from aws/aws-sdk-core-ruby#166 (comment)
