This repository has been archived by the owner on Nov 20, 2018. It is now read-only.

Seahorse SSL certification error #166

Closed
3str opened this issue Dec 2, 2014 · 21 comments

Comments

@3str

3str commented Dec 2, 2014

I'm using aws-sdk-core 2.0.11.pre. I'm running Ruby 2.1.5 on Windows. When I run:

```ruby
require 'aws-sdk'
sqs = Aws::SQS::Resource.new(region: 'us-west-2')
q1 = sqs.get_queue_by_name(queue: 'cloud-batch-tasks')
```

I get the following error:

```
Seahorse::Client::Http::Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed from C:/Ruby21/lib/ruby/2.1.0/net/http.rb:920:in `connect'
```

I never got this error in aws-sdk-v1. Is this an issue of the new SDK? Thanks.

@trevorrowe
Contributor

Does the error persist if you update to the latest stable version of aws-sdk-core?

@3str
Author

3str commented Dec 2, 2014

I'm using aws-sdk-core version 2.0.11. I believe it is the latest version. The error still persists.

@trevorrowe
Contributor

Sorry, I saw you listed the .pre tag, and I mixed this up with 2.0.0.rc11. See my response in a related issue here:

#93 (comment)

Short answer is the Ruby SDK no longer bundles an SSL certificate. It relies on OpenSSL in Ruby being correctly configured. The linked issue above gives some simple workarounds for when this is not the case.

@3str
Author

3str commented Dec 2, 2014

Thanks for your reply. However, although I followed your instructions on configuring an SSL cert bundle, I still got the same error; only the first solution (disable peer certificate verification) worked. My system is Windows 8.1, Ruby 2.1.5.

@trevorrowe
Contributor

Can you share the code for how you configured the cert bundle with the SDK?

@ostap36

ostap36 commented Dec 5, 2014

Hello @trevorrowe, I've faced a similar issue as 3str. Despite downloading the cert bundle as per #93 (comment) and including the following in my code:

```ruby
require 'aws-sdk-core'
Aws.config[:ssl_ca_bundle] = 'C:\temp\ca-bundle.crt'
```

I was still getting the cert verification failure. The culprit turned out to be the cert bundle itself: it seems to be lacking the appropriate Verisign CA root cert that's in use by AWS endpoints. I've updated the cert bundle file with what the v1 SDK used to ship with, https://github.com/aws/aws-sdk-ruby/blob/master/ca-bundle.crt, and then SSL verification went through just fine. Is there another, more appropriate authoritative source for the bundle that's in line with AWS endpoint certs that should be used? Thank you.
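Added example (not part of the thread and not SDK code): a Ruby check for the failure described in the comment above, where a configured bundle parses fine but lacks the root that issued the endpoint's certificate, so verification still fails. The certificates are a constructed test PKI, and `trust_locations`, `bundle_certs`, `check_against_bundle` and `make_cert` are names chosen for this example.

```ruby
require 'openssl'

# Where this Ruby's OpenSSL looks for trust anchors when no bundle is configured.
def trust_locations
  env_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] # SSL_CERT_FILE
  file = env_file || OpenSSL::X509::DEFAULT_CERT_FILE
  { file: file, file_exists: File.file?(file), dir: OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Parse every certificate in a PEM bundle (the format of ca-bundle.crt).
def bundle_certs(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Verify a certificate using only the bundle as trust store, as :ssl_ca_bundle would.
def check_against_bundle(cert, pem_text)
  roots = bundle_certs(pem_text)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  ok = store.verify(cert)
  { ok: ok, error: store.error_string,
    issuer_in_bundle: roots.any? { |c| c.subject.to_s == cert.issuer.to_s } }
end

# Constructed test PKI (not real AWS or VeriSign certificates).
def make_cert(name, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(name)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer # self-signed root: mark it as a CA
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

root_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert('/CN=Example Issuing Root', root_key, 1)
OTHER = make_cert('/CN=Unrelated Root', other_key, 2)
LEAF  = make_cert('/CN=endpoint.example', leaf_key, 3, issuer: ROOT, issuer_key: root_key)
```

A bundle holding only `OTHER` fails verification of `LEAF` with `issuer_in_bundle: false`, while the same bundle plus `ROOT` verifies; for a real bundle, pass `File.read(path)` as `pem_text`.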

@3str
Author

3str commented Dec 5, 2014

Thanks ostap36. What you described is exactly what I did. I can make it through the SSL verification now.

@trackzero

Oh, sweet baby cheeses that was a pain in the ass to track down. Thanks, ostap36. I was about to get all murdery & whatnot.

@trevorrowe
Contributor

I'm leaving this issue open. We are still evaluating how best to handle this experience. On one hand, we do not want to own the responsibility and security concerns along with bundling an SSL cert bundle with the SDK. Previously we've been asked fairly by users that package the SDK up for various distros to remove this so the SDK can rely on the system cert. These are the primary reasons why the v2 SDK does not bundle a cert.

That said, I understand that there is developer pain when the Ruby OpenSSL cert is not available or correctly configured by default (seems to be common with Windows Ruby installations). I'm open to suggestions.

@mikesimons

Just ran into #93 when testing an upgrade from 1.34.1 -> 2.0.30 on Windows 8.1 & ChefDK 0.4.0.

How about bundling the cert disabled by default for linux platforms but enabled for windows? I've had similar experiences supporting windows users w/ ruby; the certs are almost universally either not available or outdated.

Either an env flag or Aws.config[:enable_aws_ssl_ca_bundle] could be used to manually turn it on.

Perhaps also a retry limit if there isn't one (didn't seem to be here though that could be the app at fault) and a tailored error message augmenting the failure about ca cert bundle possibly being unavailable / invalid etc

@adriaanm

FWIW, after an upgrade to aws v2 I ran into this with chef on amazon linux and ubuntu, where I managed to make chef-client (and seahorse) happy again as follows:

  • SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt chef-client (ubuntu)
  • SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt chef-client (amazon linux)

(EDIT: see https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/, https://github.com/opscode-cookbooks/chef-client#attributes for more info)

@trevorrowe
Contributor

Version 2.1.0 of aws-sdk-core has shipped and this now includes a bundled certificate that is disabled by default. If you are running into issues with your environment not having access to a CA cert bundle you can run the following command after you require the sdk:

```ruby
Aws.use_bundled_cert!
```

@zeenatautomationplace

@trevorrowe how to download the ca.bundle.crt from GitHub as it is a text file. pls help me

@zeenatautomationplace

@trevorrowe i am getting this error when i tried "aws sdk core solution"
Error

```
C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/aws-sdk-core-2.1.1/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': Aws::S3::Errors::BadRequest
```

@trevorrowe
Contributor

@attabot That error indicates that you have successfully made a HTTP request with SSL. That means the bundled cert has resolved this issue.

The Aws::S3::Errors::BadRequest indicates there is some other problem with your request. Feel free to jump into our Gitter channel and we can help you debug your issue.

@zeenatautomationplace

hey this works! can u suggest any tutorial or source to learn automating aws with rspec

On Tue, Jun 23, 2015 at 10:17 PM, Trevor Rowe notifications@github.com
wrote:

@attabot https://github.com/attabot That error indicates that you have
successfully made a HTTP request with SSL. That means the bundled cert has
resolved this issue.

The Aws::S3::Errors::BadRequest indicates there is some other problem
with your request. Feel free to jump into our Gitter channel
http://gitter.im/aws/aws-sdk-ruby and we can help you debug your issue.



@habelson

I am trying to use the kitchen-ec2 driver for test kitchen, and I am unsure of where I should put:

Aws.use_bundled_cert!

in order to avoid this issue

llange added a commit to llange/miam that referenced this issue Mar 10, 2016
On Mac OS X (and may be other platforms, didn't test), any usage
of aws-sdk-core seems to fail with the following message:
[ERROR] SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The fix is documented here amazon-archives/aws-sdk-core-ruby#166 (comment)
@StevenHarlow

StevenHarlow commented May 15, 2016

I am running into this issue with ruby 2.3.1, Rails 4.1.8, aws-sdk-core 2.3.4, and carrierwave 0.11.0 on OSX Yosemite.

I have unsuccessfully tried using Aws.config[:ssl_ca_bundle] = '/ca-bundle.crt' (with ca-bundle.crt in the application root), with the cert found here: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

I have also tried adding

    require 'aws-sdk-core'
    Aws.use_bundled_cert!

to my carrierwave.rb file before (and also tried after) the CarrierWave.configure block.

Has there been a fix to this?

@heaven

heaven commented Jul 25, 2016

Seeing this same error with paperclip on heroku.

@trevorrowe
Contributor

@heaven You can call Aws.use_bundled_cert! as a workaround. If this doesn't resolve your issue, please open an issue on our main repo here: github.com/aws/aws-sdk-ruby/issues

@heaven

heaven commented Jul 25, 2016

Hi, sorry it was my mistake, everything is good with the cert, I had a wrong region selected.

troyready added a commit to troyready/sensu-transport-snssqs-ng that referenced this issue Aug 3, 2016
The sensu ruby install on Windows doesn't include the proper certs (or
if it does they're not loaded properly) to connect to AWS.
`@sns.publish` generates an error like:

```
C:/opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)
```

Using the cert bundle included with the aws-sdk-core gem should work
around this.

Sourced from amazon-archives/aws-sdk-core-ruby#166 (comment)
troyready added a commit to troyready/sensu-transport-snssqs-ng that referenced this issue Nov 8, 2016
The sensu ruby install on Windows doesn't include the proper certs (or
if it does they're not loaded properly) to connect to AWS.
`@sns.publish` generates an error like:

```
C:/opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)
```

Using the cert bundle included with the aws-sdk-core gem should work
around this.

Sourced from amazon-archives/aws-sdk-core-ruby#166 (comment)