Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wget failing in SMStudio with 'Unable to locally verify the issuer's authority' #435

Open
athewsey opened this issue Jun 11, 2024 · 1 comment
Open

wget failing in SMStudio with 'Unable to locally verify the issuer's authority' #435

athewsey opened this issue Jun 11, 2024 · 1 comment

Comments

@athewsey
Copy link

Category

Compatibility Issue

🐛 Describe the bug

In the last couple of days I've noticed (in us-east-1, on two separate AWS accounts) that any time I run a wget to a HTTPS URL in SageMaker Studio (Distribution v1.8), it fails with an error like:

--2024-06-11 08:16:07--  https://aws-blogs-artifacts-public.s3.amazonaws.com/artifacts/ML-FMBT/manifest.txt
Resolving aws-blogs-artifacts-public.s3.amazonaws.com (aws-blogs-artifacts-public.s3.amazonaws.com)... 52.216.54.89, 3.5.28.235, 3.5.11.187, ...
Connecting to aws-blogs-artifacts-public.s3.amazonaws.com (aws-blogs-artifacts-public.s3.amazonaws.com)|52.216.54.89|:443... connected.
ERROR: cannot verify aws-blogs-artifacts-public.s3.amazonaws.com's certificate, issued by ‘CN=Amazon RSA 2048 M01,O=Amazon,C=US’:
  Unable to locally verify the issuer's authority.
To connect to aws-blogs-artifacts-public.s3.amazonaws.com insecurely, use `--no-check-certificate'.

An example command that shows the issue:

!mkdir -p data
!wget -O data/CC_Agreements.zip https://files.consumerfinance.gov/a/assets/Credit_Card_Agreements_2020_Q4.zip

🐛 Describe the expected behavior

These fetches used to work just fine, and it's not just S3 that's affected (I had one against https://files.consumerfinance.gov/ as well). Perhaps there's some kind of certificate configuration issue? My relevant SageMaker Domains are configured for direct internet access, so it shouldn't be a VPC problem.

Currently I'm working around this by switching to curl where possible, but that's not straightforward for scripts we're consuming that use wget internally.

Image Tags

SM Studio Distribution v1.8 (CPU), 2024-06-11
athewsey added a commit to athewsey/foundation-model-benchmarking-tool that referenced this issue Jun 11, 2024
@athewsey
fix(smstudio): Swap wget->curl in copy_s3_content
dfaf619 
Recently I've been observing wget fails in SMStudio as per:
aws/sagemaker-distribution#435 - so to get
fmbench debugged successfully in this environment I had to swap out
wget for curl calls in the `copy_s3_content` script.
@athewsey athewsey mentioned this issue Jun 11, 2024
Merged
@aws-tianquaw
Copy link
Contributor

Hi @athewsey, It seems like some permission/certificate setup issue instead of the issue with SMD images. Did you encounter any issue with the image itself?

For your use case, the fastest and easiest way to copy files from S3 is to use AWS CLI tool. For example, use aws s3 cp <s3_uri> <local_path> to download from S3 to your local file system. SMD image already have AWS CLI installed, so you should be able to use it directly. See documentation: https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@athewsey @aws-tianquaw