Issues defining self signed cert chain in config file

[julia-mayer-self]

My org uses a VPN provider that intercepts traffic for decryption and URL filtering enforcement. I'd prefer to have the application import the self-signed cert in use by our VPN instead of using --no-verify-ssl.

I'm having inconsistent behavior with using the various cert import features. This occurs for all aws cli commands - ec2, s3, sts, but I'm most concerned about getting s3 querying working for another dev team to utilize.

I speculate there's something not right with my config file syntax that I'd like assistance verifying.
I would like to get the config file version 100% working, as that is easy to automate deployment and is one less step for devs to remember.

What works:

• --ca-bundle flag in query
  • --ca-bundle "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\VPNCA.pem" appended to the query
  • The file path is arbitrary, I've also tried referencing the cert file in my user Documents folder and it's fine
  • Command run and output:

  PS D:\Users\user> aws s3 ls --profile "my-profile" --ca-bundle "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\NetskopeCA.pem" s3://<obscured-bucket>
  2022-03-11 11:11:32   52183848 file1.exe
  2022-03-11 11:11:44    7876608 file2.txt
  

What doesn't work:

• ca_bundle in .aws/config

  • Exact profile config:

  [my-profile]
  region = us-west-2
  output  = json
  ca_bundle = "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\VPNCA.pem"
  

  • This matches the filepath used in the --ca-bundle flag
  • Issue persists when referencing a file in Documents
  • Command run and error received:

  PS D:\Users\user> aws s3 ls --profile "my-profile" s3://<obscured-bucket>
  SSL validation failed for https://<obscured-bucket>.s3.us-west-2.amazonaws.com/?list-type=2&prefix=&delimiter=%2F&encoding-type=url [Errno 2] No such file or directory
  

  • Same type of error when doing any other aws cli commands, No such file or directory persists when not specifying the CA to use in the command and instead relying on the config file definition.

Details about my environment:

• aws --version = aws-cli/2.7.6 Python/3.9.11 Windows/10 exe/AMD64 prompt/off
• Windows Server 2019 (AWS Workspaces)

[tim-finnigan]

Hi @juliamayer-self thanks for reaching out. We have a troubleshooting documentation page for this kind of SSL issue that should help: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed

That error has also been reported in several older issues which I recommend looking through if you're stuck.