SSL proxy causing issues with deploy

Description

I know there are some issues already created for ‘sam build’ in an environment with an SSL intercept, and I think I have resolved those on my local Windows machine, but I don’t seem to be able to get around this error when using ‘sam deploy’. I am getting this error:

Botocore Exception : SSL validation failed for https://cloudformation.us-east-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)

I don’t see any way to get boto to be aware of my cert bundle that got me around the other tools. It would be THE BEST if there was a --verify-ssl-cert=false that could be passed to all the subsequent tools that sam depends on.

Maybe I need to hard code a boto flag and recompile?

Steps to reproduce

  1. Have an untrusted intercepting proxy.
  2. Try to deploy with sam deploy --template-file packaged.yaml --stack-name demo-stack --capabilities CAPABILITY_IAM --debug

Observed result

Botocore Exception : SSL validation failed for https://cloudformation.us-east-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)

Expected result

Success deploying

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Windows 10
  2. sam --version: SAM CLI, version 0.43.0

Add --debug flag to command you are running

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 6
  • Comments: 9 (2 by maintainers)

Top GitHub Comments

2 reactions
jplock commented, Apr 23, 2020

@jfuss I tried setting ca_bundle in my .aws/config as well, but unfortunately that didn’t work either. We use IronPort devices at work which are MITM’ing all SSL traffic and we’ve even whitelisted ‘cloudformation.us-east-1.amazonaws.com’, but it’s still not working.

SSL validation failed for https://cloudformation.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

The only thing that does seem to work is using aws --no-verify-ssl cloudformation deploy --template-file packaged-template.yml ....

0 reactions
igorantolic commented, Aug 18, 2022

For me, any of the techniques, setting an env variable or putting it in the config file, WORKS FOR AWS CLI ONLY but DOESN’T WORK for SAM CLI.

Similar as for jplock.

The --region parameter, to not talk to the wrong region, didn’t help.

Are you saying that both ENV or config should work also for SAM CLI?
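
The condition behind `unable to get local issuer certificate`, reproduced offline as an added example (not code from the issue or from SAM CLI): a throwaway root CA stands in for the intercepting proxy, and every subject, file name and function name is constructed. It shows the leaf failing against a bundle that lacks the proxy root and passing once that root is appended, with verification left on; it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every subject, file and function name here is made up.

# make_demo_pki DIR: a throwaway root CA standing in for the intercepting
# proxy, a leaf it issues for the AWS endpoint name, and an unrelated root
# standing in for the client's stock CA bundle.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Intercept Root CA" \
    -keyout "$d/proxy-ca.key" -out "$d/proxy-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=cloudformation.us-east-2.amazonaws.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 -CAcreateserial \
    -CA "$d/proxy-ca.pem" -CAkey "$d/proxy-ca.key" \
    -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Stock Root" \
    -keyout "$d/stock.key" -out "$d/stock-bundle.pem" 2>/dev/null
}

# verify_with BUNDLE CERT: print openssl's verdict for CERT against BUNDLE.
verify_with() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

# extend_bundle STOCK PROXY_CA OUT: trust the proxy root in addition to the
# stock roots, leaving certificate verification switched on.
extend_bundle() {
  cat "$1" "$2" > "$3"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "--- stock bundle only ---"
verify_with "$demo_dir/stock-bundle.pem" "$demo_dir/leaf.pem" || true
extend_bundle "$demo_dir/stock-bundle.pem" "$demo_dir/proxy-ca.pem" \
  "$demo_dir/combined.pem"
echo "--- stock bundle + proxy root ---"
verify_with "$demo_dir/combined.pem" "$demo_dir/leaf.pem"
```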
