Cannot issue requests #93
I have code like
My credentials are valid and allow me permission to list roles.
Instead, I get the stack trace (further below).
Googling turned up https://forums.aws.amazon.com/thread.jspa?threadID=85553 - is there a similar option I should be setting in v2? I have never needed to before (apparently an option was added in 1.3.3), and need a bit of help to get past this.
I also found this suggestion for a related monkey patch but haven't tried it.
Prior to rc11, the SDK shipped with an SSL CA bundle. This was used when making HTTPS requests to verify the peer SSL certificates.
The SDK now relies on the OpenSSL installation on the system to have the correct cert configured. My guess is your Windows Ruby installation does not have a cert available.
There are two ways to resolve this issue:
Disabling the peer verification will work, but I strongly recommend against this for security reasons. The SDK feature for disabling this check is primarily for internal testing.
# I strongly recommend never doing this
Aws.config[:ssl_verify_peer] = false
The better solution requires correctly configuring an SSL CA bundle for your system. Most of the time, this happens when you install Ruby. I imagine the Ruby installer is possibly not doing this correctly, or at all. The default behavior for Net::HTTP is to not verify certificates. :(
The following should work:
Aws.config[:ssl_ca_bundle] = '/path/to/ca-bundle.crt'
I found instructions on StackOverflow for how to configure the path to a CA bundle via ENV on Windows: http://stackoverflow.com/questions/5720484/how-to-solve-certificate-verify-failed-on-windows#answer-16134586
I'm guessing this would eliminate the need to configure the SDK, and should make it available to
I should also add that we stopped including a CA bundle for security reasons. Downstream consumers, like Linux distro maintainers, that create packages from the SDK prefer for the system cert to be used. Hopefully environments without a default configured cert are uncommon. If this is a common problem, we may need to revisit this to ensure a good default experience.
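An added example, not code from the issue or the SDK: a Ruby check for the condition the reply describes, showing that peer verification fails against an empty trust store and passes once a CA bundle is loaded, and locating the bundle OpenSSL would use. The helper names and the self-signed certificate are constructed for illustration; `SSL_CERT_FILE` is the environment variable OpenSSL reads for the bundle path.

```ruby
require 'openssl'
require 'tempfile'

# Number of parseable PEM certificates in a candidate bundle (0 = unusable).
def usable_cert_count(path)
  return 0 unless path && File.file?(path)
  File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .count { |pem| OpenSSL::X509::Certificate.new(pem) rescue false }
end

# First bundle OpenSSL would consult that really holds certificates:
# SSL_CERT_FILE from the environment, then the compiled-in default path.
def resolve_ca_bundle(env = ENV)
  [env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV], OpenSSL::X509::DEFAULT_CERT_FILE]
    .find { |path| usable_cert_count(path) > 0 }
end

# Verify `cert` against a store loaded from `bundle`; nil leaves the store
# empty, which is the "no cert available" case from the thread.
def trusted?(cert, bundle)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle) if bundle
  store.verify(cert)
end

# Constructed sample: a throwaway self-signed CA written to a temp bundle.
def constructed_bundle
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  file = Tempfile.new(['ca-bundle', '.crt'])
  file.write(cert.to_pem)
  file.flush
  [cert, file] # return the Tempfile too so it is not unlinked early
end

if __FILE__ == $PROGRAM_NAME
  cert, file = constructed_bundle
  puts "empty store trusts cert:  #{trusted?(cert, nil)}"
  puts "bundle store trusts cert: #{trusted?(cert, file.path)}"
  puts "bundle Ruby would use:    #{resolve_ca_bundle.inspect}"
end
```

A non-nil result from `resolve_ca_bundle` is a path that can serve as the value in the `Aws.config[:ssl_ca_bundle]` line above; `nil` means Ruby has no usable bundle and one must be installed or pointed to first.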