Seahorse SSL certification error #166
Comments
Does the error persist if you update to the latest stable version of aws-sdk-core? |
I'm using aws-sdk-core version 2.0.11. I believe it is the latest version. The error still persists. |
Sorry, I saw you listed the .pre tag, and I mixed this up with 2.0.0.rc11. See my response in a related issue here: Short answer is the Ruby SDK no longer bundles a SSL certificate. It relies on OpenSSL in Ruby being correctly configured. The linked issue above gives some simple work-arounds for when this is not the case. |
Thanks for your reply. However, although I followed your instructions on configuring an SSL cert bundle, I still got the same error, only the first solution (disable peer certificate verification) worked. My system is Windows 8.1, ruby 2.1.5. |
Can you share the code for how you configured the cert bundle with the SDK? |
Hello @trevorrowe, I've faced a similar issue as 3str. Despite downloading the cert bundle as per #93 (comment) and including the following in my code:
I was still getting the cert verification failure. The culprit turned out to be the cert bundle itself; it seems to be lacking the appropriate Verisign CA root cert that's in use by AWS endpoints. I've updated the cert bundle file with what v1 SDK used to ship with |
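The failure described in the comment above (a CA bundle is configured, yet verification still fails because the bundle lacks the root that issued the endpoint's certificate) can be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not code from the thread or the SDK; the certificates, names and helper functions are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Build a constructed test certificate: self-signed root, or leaf signed by an issuer.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Write certificates to a PEM bundle file, the format a CA bundle path points at.
def write_bundle(*certs)
  file = Tempfile.new(['bundle', '.crt'])
  file.write(certs.map(&:to_pem).join)
  file.flush
  file
end

# Verify a leaf using only the CAs in the bundle file. Returns [ok, error_string].
def verify_against_bundle(leaf, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  [store.verify(leaf), store.error_string]
end

def demo
  root_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Constructed Endpoint Root', root_key, ca: true)
  other = make_cert('Constructed Unrelated Root', other_key, ca: true)
  leaf  = make_cert('endpoint.example', leaf_key, issuer_cert: root, issuer_key: root_key)
  stale = write_bundle(other)       # bundle is present but lacks the issuing root
  fixed = write_bundle(other, root) # same bundle with the issuing root added
  { stale: verify_against_bundle(leaf, stale.path),
    fixed: verify_against_bundle(leaf, fixed.path) }
end

demo.each { |name, (ok, err)| puts "#{name}: verified=#{ok} (#{err})" } if __FILE__ == $PROGRAM_NAME
```

Running the same `verify_against_bundle` check against a real bundle file and a server's certificate shows whether the bundle is the problem without disabling peer verification.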
Thanks ostap36. What you described is exactly what I did. I can make it through the SSL verification now. |
Oh, sweet baby cheeses that was a pain in the ass to track down. Thanks, ostap36. I was about to get all murdery & whatnot. |
I'm leaving this issue open. We are still evaluating how best to handle this experience. On one hand, we do not want to own the responsibility and security concerns along with bundling an SSL cert bundle with the SDK. Previously we've been asked fairly by users that package the SDK up for various distros to remove this so the SDK can rely on the system cert. These are the primary reasons why the v2 SDK does not bundle a cert. That said, I understand that there is developer pain when the Ruby OpenSSL cert is not available or correctly configured by default (seems to be common with Windows Ruby installations). I'm open to suggestions. |
Just ran in to #93 when testing an upgrade from 1.34.1 -> 2.0.30 on Windows 8.1 & ChefDK 0.4.0. How about bundling the cert disabled by default for linux platforms but enabled for windows? I've had similar experiences supporting windows users w/ ruby; the certs are almost universally either not available or outdated. Either an env flag or Perhaps also a retry limit if there isn't one (didn't seem to be here though that could be the app at fault) and a tailored error message augmenting the failure about ca cert bundle possibly being unavailable / invalid etc |
FWIW, after an upgrade to aws v2 I ran into this with chef on amazon linux and ubuntu, where I managed to make chef-client (and seahorse) happy again as follows:
(EDIT: see https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/, https://github.com/opscode-cookbooks/chef-client#attributes for more info) |
Version 2.1.0 of Aws.use_bundled_cert! |
@trevorrowe how do I download the ca.bundle.crt from GitHub, as it is a text file? Please help me. |
@trevorrowe I am getting this error when I tried "aws sdk core solution" |
@attabot That error indicates that you have successfully made a HTTP request with SSL. That means the bundled cert has resolved this issue. The |
hey this works! can u suggest any tutorial or source to learn automating |
I am trying to use the kitchen-ec2 driver for test kitchen, and I am unsure of where I should put: Aws.use_bundled_cert! in order to avoid this issue |
On Mac OS X (and maybe other platforms, didn't test), any usage of aws-sdk-core seems to fail with the following message: `[ERROR] SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed`. The fix is documented here: amazon-archives/aws-sdk-core-ruby#166 (comment)
I am running into this issue with ruby 2.3.1, Rails 4.1.8, aws-sdk-core 2.3.4, and carrierwave 0.11.0 on OSX Yosemite. I have unsuccessfully tried using Aws.config[:ssl_ca_bundle] = '/ca-bundle.crt' (with ca-bundle.crt in the application root), with the cert found here: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt I have also tried adding
to my carrierwave.rb file before (and also tried after) the CarrierWave.configure block. Has there been a fix to this? |
Seeing this same error with paperclip on heroku. |
@heaven You can call |
Hi, sorry it was my mistake, everything is good with the cert, I had a wrong region selected. |
The sensu ruby install on Windows doesn't include the proper certs (or if it does they're not loaded properly) to connect to AWS. `@sns.publish` generates an error like:
```
C:/opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Seahorse::Client::NetworkingError)
```
Using the cert bundle included with the aws-sdk-core gem should work around this. Sourced from amazon-archives/aws-sdk-core-ruby#166 (comment)
I'm using aws-sdk-core 2.0.11.pre. I'm running Ruby 2.1.5 on Windows. When I run:
```ruby
require 'aws-sdk'
sqs = Aws::SQS::Resource.new(region: 'us-west-2')
q1 = sqs.get_queue_by_name(queue: 'cloud-batch-tasks')
```
I get the following error:
```
Seahorse::Client::Http::Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from C:/Ruby21/lib/ruby/2.1.0/net/http.rb:920:in `connect'
```
I never got this error in aws-sdk-v1. Is this an issue of the new SDK? Thanks.