sso login and configure commands do not respect ssl ca bundle settings #8292

Closed
atheiman opened this issue Nov 2, 2023 · 4 comments
Labels: bug, duplicate

Contributor

atheiman commented Nov 2, 2023

Describe the bug

The aws configure sso and aws sso login commands do not respect --ca-bundle, --no-verify-ssl, or the AWS_CA_BUNDLE environment variable.

Expected Behavior

Running aws configure sso and aws sso login should load the CA bundle file from the path specified by the AWS_CA_BUNDLE env var. Also, --no-verify-ssl should be used if specified.

Current Behavior

Running aws configure sso and aws sso login only uses the CA bundle file included in the install, no matter if AWS_CA_BUNDLE or --no-verify-ssl is set. This was observed on Windows in Command Prompt and in PowerShell. Not sure if it affects other platforms.

SSL validation failed for https://oidc.us-gov-west-1.amazonaws.com/client/register [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)

To use an internal CA cert, we had to manually modify Amazon/AWSCLIV2/awscli/botocore/cacert.pem within the aws cli installation, and add our ca cert to the file.

Reproduction Steps

Self explanatory based on above.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.13.27 Python/3.11.6 Windows10 exe/AMD64 prompt/off

Environment details (OS name and version, etc.)

Windows 10, command prompt and powershell

atheiman added the bug and needs-triage labels on Nov 2, 2023
Contributor Author

atheiman commented Nov 2, 2023

Looks like this might be a botocore issue, because we just ran into the same issue with boto when running git-remote-codecommit using an SSO / Identity Center role. We had to add the cert to the certifi Python package's cacert.pem file to get past that.

tim-finnigan self-assigned this on Nov 8, 2023
Contributor

tim-finnigan commented Nov 8, 2023

Hi @atheiman thanks for creating this issue. A related issue was opened earlier this year: #7602. As mentioned there, the team confirmed the issue and will need to investigate it further. I'm going to close this as a duplicate but will try following up with the team for any updates.

tim-finnigan added the duplicate label and removed the needs-triage label on Nov 8, 2023

github-actions bot commented Nov 8, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.


joaocc commented Feb 9, 2024

Not sure if this helps, but we were able to get it to work, with some caveats, in this version: aws-cli/2.15.18 Python/3.11.6 Linux/6.6.12-linuxkit exe/aarch64.debian.11 prompt/off, via AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.

In Debian, all we needed to do was copy the cert (in PEM format but with a .crt extension) to /usr/local/share/ca-certificates, followed by an update-ca-certificates.
Thanks
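
The workarounds in this thread all come down to getting an internal CA into a PEM bundle (the CLI's cacert.pem, certifi's cacert.pem, or the Debian system bundle). As an added example, not code from the AWS CLI, botocore, or any commenter: a helper that merges an internal CA into a copy of a bundle idempotently, comparing certificates by the SHA-256 of their decoded bytes so CRLF/LF differences do not cause duplicates. The function names and the sample PEM blocks are assumptions; the blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def der_fingerprints(pem_text):
    """SHA-256 hex digest of the decoded bytes of every CERTIFICATE block."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def merge_ca(bundle_text, ca_pem):
    """Return (merged_bundle, added); appends only blocks the bundle lacks."""
    blocks = [m.group(0) for m in PEM_RE.finditer(ca_pem)]
    if not blocks:
        raise ValueError("no CERTIFICATE block found in ca_pem")
    have = set(der_fingerprints(bundle_text))
    new_blocks = []
    for block in blocks:
        fp = der_fingerprints(block)[0]
        if fp not in have:  # compare decoded bytes, not raw text
            have.add(fp)
            new_blocks.append(block.replace("\r\n", "\n"))
    if not new_blocks:
        return bundle_text, 0
    merged = bundle_text.rstrip("\r\n") + "\n" + "\n".join(new_blocks) + "\n"
    return merged, len(new_blocks)


def fake_pem(payload, newline="\n"):
    """Constructed stand-in: arbitrary bytes in PEM armor, not a real cert."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armor = ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return newline.join(armor) + newline


# Constructed sample data (placeholder bytes, not real certificates).
PUBLIC_ROOT = fake_pem(b"constructed public root " * 6)
INTERNAL_CA = fake_pem(b"constructed internal CA " * 6)
INTERNAL_CA_CRLF = fake_pem(b"constructed internal CA " * 6, newline="\r\n")

if __name__ == "__main__":
    merged, added = merge_ca(PUBLIC_ROOT, INTERNAL_CA)
    print(added, len(der_fingerprints(merged)))
```

Writing the merged text to a file outside the CLI installation and the certifi package keeps it from being replaced on upgrade; whether a given CLI version honors AWS_CA_BUNDLE for the sso commands is the subject of this issue.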
