AWS CLI Error with Eucalyptus HTTPS Service Endpoints (UFS)


Eucalyptus Version:  4.2.0 and Higher

Certificate Failed to Verify Error With AWS CLI 

Description

When the AWS CLI is used against Eucalyptus 4.2.0 with service endpoints that have been configured for HTTPS [1], the following error may be displayed:

# aws --endpoint-url https://ec2.c-06.autoqa.qa1.eucalyptus-systems.com/ ec2 describe-key-pairs --profile devops-admin
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Reason

This error occurs because AWS CLI is not loading the CA bundle for the trusted root certificate.

Resolution

The issue can be resolved using any one of the following methods:

  1. Pass the trusted CA root certificate using the --ca-bundle command-line argument.
  2. In the .aws/config file, set the variable ca_bundle to the absolute path of the trusted CA root certificate.
  3. Set the environment variable AWS_CA_BUNDLE to the absolute path of the trusted CA root certificate.

Once any one of these options has been used, AWS CLI will work as expected against Eucalyptus HTTPS service endpoints. For example:

# aws --ca-bundle euca-ca-0.crt --endpoint-url https://ec2.c-06.autoqa.qa1.eucalyptus-systems.com/ ec2 describe-key-pairs --profile devops-admin
{
    "KeyPairs": [
        {
            "KeyName": "devops-admin",
            "KeyFingerprint": "ee:4f:93:a8:87:8d:80:8d:2c:d6:d5:60:20:a3:2d:b2"
        }
    ]
}
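
A pre-flight check for the three methods above, as an added example that is not part of the original article: it reports which CA bundle the AWS CLI would load for a profile, looking at the --ca-bundle value first, then AWS_CA_BUNDLE, then ca_bundle in the config file. The function names, the AWS_CONFIG_FILE lookup and the PEM check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Eucalyptus or AWS code). Function names are hypothetical.
# Assumes the bundle is PEM and the config lives at $AWS_CONFIG_FILE or
# ~/.aws/config, with profiles in "[default]" / "[profile NAME]" sections.

# Print the ca_bundle value for profile $2 in config file $1, if set.
config_ca_bundle() {
    [ -r "$1" ] || return 0
    awk -v want="$2" '
        /^\[/ {
            name = $0
            sub(/^\[/, "", name); sub(/\].*$/, "", name)
            sub(/^profile[ \t]+/, "", name)
            in_section = (name == want)
            next
        }
        in_section && /^[ \t]*ca_bundle[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print "source<TAB>path" for the bundle the CLI would load.
# $1 = profile, $2 = value passed to --ca-bundle (empty if not passed).
# Returns 1 = nothing configured, 2 = path not absolute, 3 = not a PEM file.
resolve_ca_bundle() {
    if [ -n "$2" ]; then
        src="--ca-bundle"; path="$2"
    elif [ -n "${AWS_CA_BUNDLE:-}" ]; then
        src="AWS_CA_BUNDLE"; path="$AWS_CA_BUNDLE"
    else
        src="config"
        path=$(config_ca_bundle "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "$1")
    fi
    [ -n "$path" ] || { echo "no CA bundle configured" >&2; return 1; }
    if [ "$src" != "--ca-bundle" ]; then
        # The article asks for an absolute path in the config file and env var.
        case "$path" in
            /*) ;;
            *) echo "$src: '$path' is not an absolute path" >&2; return 2 ;;
        esac
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null ||
        { echo "$src: '$path' is missing or not a PEM certificate" >&2; return 3; }
    printf '%s\t%s\n' "$src" "$path"
}
```

A return code of 1 for the profile in use means none of the three methods is in effect, which is the condition that produces the certificate verify failed error.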

References

[1] https://eucalyptus.atlassian.net/browse/DOC-1699
