Cannot issue requests #93

Closed
petemounce opened this Issue Aug 7, 2014 · 6 comments

@petemounce
Contributor

petemounce commented Aug 7, 2014

I'm using Windows 8.1, ruby 2.0.0-p451 x86, rubygems 2.3.0, and aws-sdk-core.rc14 (I think the last working version I've used was .rc8, but there are breaking changes between then and 14, so I haven't gone back and tried that to confirm).

I have code like

        Aws.config[:region] = opts[:region]
        personal = Aws::SharedCredentials.new(profile_name: opts[:team], path: "#{Dir.home}/.aws/credentials")
        iam = Aws::IAM::Client.new({
          credentials: personal
        })
        lr = iam.list_roles path_prefix: '/feature_roles/'

My credentials are valid and allow me permission to list roles.

Instead, I get the stack trace (further below).

Googling turned up https://forums.aws.amazon.com/thread.jspa?threadID=85553 - is there a similar option I should be setting in v2? I have never needed to before (apparently an option was added in 1.3.3), and need a bit of help to get past this.

I also found this suggestion for a related monkey patch but haven't tried it.

C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Seahorse::Client::Http::Error)
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/timeout.rb:66:in `timeout'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:857:in `start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:279:in `start_session'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:102:in `session_for'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:56:in `transmit'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:27:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/content_length.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/xml/error_handler.rb:8:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/request_signer.rb:79:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:88:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/query/handler.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/response_paging.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/user_agent.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/restful_bindings.rb:13:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/endpoint.rb:35:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_validation.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_conversion.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/request.rb:70:in `send_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/operation_methods.rb:43:in `block (2 levels) in add_operation_helpers'
        from C:/src/je/toolbox/lib/toolbox/aws_config_via_sts.rb:10:in `configure_aws'
@petemounce
Contributor

petemounce commented Aug 7, 2014

I have another script taking a dependency on rc10, and that works.

@trevorrowe
Member

trevorrowe commented Aug 7, 2014

Prior to rc11, the SDK shipped with an SSL CA bundle. This was used when making HTTPS requests to verify the peer SSL certificates.

The SDK now relies on the OpenSSL installation on the system to have the correct cert configured. My guess is your Windows Ruby installation does not have a cert available.

There are two ways to resolve this issue:

  1. disable peer certificate verification.
  2. configure a valid CA bundle.

Disabling the peer verification will work, but I strongly recommend against this for security reasons. The SDK feature for disabling this check is primarily for internal testing.

# I strongly recommend never doing this
Aws.config[:ssl_verify_peer] = false

The better solution requires correctly configuring an SSL CA bundle for your system. Most of the time, this happens when you install Ruby. I imagine the Ruby installer is possibly not doing this correctly, or at all. The default behavior for Net::HTTP is to not verify certificates. :(

The following should work:

Aws.config[:ssl_ca_bundle] = '/path/to/ca-bundle.crt'

I found instructions on StackOverflow for how to configure the path to a CA bundle via ENV on Windows: http://stackoverflow.com/questions/5720484/how-to-solve-certificate-verify-failed-on-windows#answer-16134586

I'm guessing this would eliminate the need to configure the SDK, and should make it available to OpenSSL by default.

@trevorrowe
Member

trevorrowe commented Aug 7, 2014

I should also add that we stopped including a CA bundle for security reasons. Downstream consumers, like Linux distro maintainers, that create packages from the SDK prefer for the system cert to be used. Hopefully environments without a default configured cert are uncommon. If this is a common problem, we may need to revisit this to ensure a good default experience.

@petemounce
Contributor

petemounce commented Aug 8, 2014

@trevorrowe thanks for the detailed response. I went with option 2 - download the bundle, stick it somewhere useful, define an environment variable, and configure the SDK to use the path stored in the env-var.

@pinbot
pinbot commented Dec 10, 2014

It's only a 'non issue' once one finds this discussion and how to fix it. So maybe at least some kind of check that produced a more helpful error message would significantly improve the 'default experience'
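
The following is an added example, not code from this issue or from the aws-sdk-ruby project. It puts the three points of the thread together: trevorrowe's option 2 (keep peer verification on and point the SDK at a CA bundle via `ssl_ca_bundle`, never `ssl_verify_peer = false`), petemounce's procedure (bundle path stored in an environment variable, then handed to the SDK), and pinbot's request for an upfront check that produces a helpful message instead of the bare "certificate verify failed" from Net::HTTP. `SSL_CERT_FILE` is OpenSSL's own variable, which the linked StackOverflow answer also uses; `TEAM_CA_BUNDLE`, the helper names, and the certificates generated at the bottom are constructed for this example and are not real AWS or Ruby-installer material.

```ruby
require 'openssl'
require 'tempfile'

# Environment variables consulted for the bundle path, in order. SSL_CERT_FILE is
# the variable OpenSSL itself honours; TEAM_CA_BUNDLE is a hypothetical
# project-specific name, used here only to show the override order.
CA_BUNDLE_ENV_VARS = %w[TEAM_CA_BUNDLE SSL_CERT_FILE].freeze

class CaBundleError < StandardError; end

# Return the first configured, non-empty bundle path, or nil if none is set.
def ca_bundle_path_from(env)
  CA_BUNDLE_ENV_VARS.each do |name|
    value = env[name]
    return value unless value.nil? || value.empty?
  end
  nil
end

# Parse every PEM certificate in the bundle and fail with an actionable message
# instead of the opaque "certificate verify failed" raised deep inside Net::HTTP.
def load_ca_bundle(path)
  if path.nil?
    raise CaBundleError, "no CA bundle configured; set #{CA_BUNDLE_ENV_VARS.join(' or ')} " \
                         'to the path of a PEM bundle such as ca-bundle.crt'
  end
  raise CaBundleError, "CA bundle #{path} does not exist or is unreadable" unless File.readable?(path)

  blocks = File.read(path).scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  raise CaBundleError, "CA bundle #{path} contains no PEM certificates" if blocks.empty?

  certs = blocks.map { |pem| OpenSSL::X509::Certificate.new(pem) }
  expired = certs.select { |c| c.not_after <= Time.now }
  raise CaBundleError, "CA bundle #{path} contains #{expired.size} expired certificate(s)" unless expired.empty?
  certs
end

# True if `peer` chains to a certificate in `certs`; a self-signed impostor does not.
def trusted_by_bundle?(certs, peer)
  store = OpenSSL::X509::Store.new
  certs.each { |c| store.add_cert(c) }
  store.verify(peer)
end

# The SDK settings to apply once the bundle has been checked. Verification stays on;
# the thread's `ssl_verify_peer = false` escape hatch is deliberately not offered.
def sdk_ssl_options(env = ENV)
  path = ca_bundle_path_from(env)
  load_ca_bundle(path)
  { ssl_verify_peer: true, ssl_ca_bundle: path }
end
# Apply with the v2 config hash shown in the thread:
#   Aws.config[:ssl_ca_bundle] = sdk_ssl_options[:ssl_ca_bundle]

# --- constructed fixtures (not real AWS or Ruby-installer certificates) --------

def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Builds a one-certificate bundle on disk, a leaf it signed, and a self-signed
# impostor for the same name. Returns the Tempfile too so it is not unlinked early.
def build_constructed_bundle
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Test CA', ca_key, ca: true, serial: 1)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert('/CN=constructed-endpoint.example', leaf_key, issuer: ca, issuer_key: ca_key, serial: 2)
  rogue = make_cert('/CN=constructed-endpoint.example', leaf_key, serial: 3)
  bundle = Tempfile.new(['ca-bundle', '.crt'])
  bundle.write(ca.to_pem)
  bundle.flush
  { bundle: bundle, leaf: leaf, rogue: rogue }
end

if $PROGRAM_NAME == __FILE__
  fixture = build_constructed_bundle
  opts = sdk_ssl_options('SSL_CERT_FILE' => fixture[:bundle].path)
  certs = load_ca_bundle(opts[:ssl_ca_bundle])
  puts "bundle ok: #{certs.size} CA cert(s), verify_peer=#{opts[:ssl_verify_peer]}"
  puts "signed leaf trusted: #{trusted_by_bundle?(certs, fixture[:leaf])}"
  puts "self-signed impostor trusted: #{trusted_by_bundle?(certs, fixture[:rogue])}"
  begin
    sdk_ssl_options({})
  rescue CaBundleError => e
    puts "unset env: #{e.message}"
  end
end
```

Running the check at startup, before the first `Aws::IAM::Client` call, turns the Net::HTTP stack trace into a one-line message naming the variable to set or the file that is missing, while leaving `ssl_verify_peer` at its verifying default.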

@velocity303 velocity303 referenced this issue in mrzarquon/puppet-ec2tags Nov 3, 2015

Open

update readme with additional information for windows #1
