sso login and configure commands do not respect ssl ca bundle settings

[atheiman]

Describe the bug

aws configure sso and aws sso login commands do not respect --ca-bundle or --no-verify-ssl or the AWS_CA_BUNDLE environment variables.

Expected Behavior

Running aws configure sso and aws sso login should load ca bundle file from env var AWS_CA_BUNDLE specified path. Also --no-verify-ssl be used if specified.

Current Behavior

Running aws configure sso and aws sso login only use the ca bundle file included in the install, no matter if AWS_CA_BUNDLE or --no-verify-ssl are set. This was observed on Windows in command prompt and in powershell. Not sure if it affects other platforms.

SSL validation failed for https://oidc.us-gov-west-1.amazonaws.com/client/register [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)

To use an internal CA cert, we had to manually modify Amazon/AWSCLIV2/awscli/botocore/cacert.pem within the aws cli installation, and add our ca cert to the file.

Reproduction Steps

Self explanatory based on above.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.13.27 Python/3.11.6 Windows10 exe/AMD64 prompt/off

Environment details (OS name and version, etc.)

Windows 10, command prompt and powershell

[atheiman]

Looks like this might a botocore issue, because we just ran into same issue with boto with running git-remote-codecommit using an sso / identity center role. We had to add the cert to certifi python package cacert.pem file to get past that

[tim-finnigan]

Hi @atheiman thanks for creating this issue. A related issue was opened earlier this year: #7602. As mentioned there, the team confirmed the issue and will need to investigate it further. I'm going to close this as a duplicate but will try following up with the team for any updates.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

[joaocc]

Not sure if this helps, but we were able to get it to work, with some caveats.
in this version aws-cli/2.15.18 Python/3.11.6 Linux/6.6.12-linuxkit exe/aarch64.debian.11 prompt/off via AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.

In debian, all we needed to do was copy the cert (in PEM format but .crt extension) to /usr/local/share/ca-certificates followed by a update-ca-certificates
Thanks