Netskope Help

Addressing SSL Error while Accessing AWS Services via the AWS CLI with the Netskope Client Enabled

The AWS CLI is a tool that can be used to interact with AWS services via any terminal program.

However, with the Netskope Client enabled, accessing AWS services via the CLI fails with the following error:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

This article describes the steps necessary to remediate this error and access AWS services via the AWS CLI tool with the Netskope Client enabled.

Root Cause

A user will typically set up the AWS CLI using the following command:

aws configure

They are then asked to enter the details about their access credentials and the region information.

After this information is provided, the expected outcome is that the connection to the AWS instance is established. However, this setup fails.

Users might also see an error if they have a pre-configured AWS CLI and the Netskope Client is installed later.

In these scenarios, users will see the following error message when executing commands:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Both of these are caused by a certificate error. With the Netskope Client enabled, the certificate that is presented to the AWS instance is the Netskope Client certificate. As this is not the expected certificate on AWS’s end, the authentication does not complete and the initialization fails.

The AWS CLI trusts only server certificates issued by CAs in its private certificate store. It does not use the system certificate store, which has the entry for the Netskope Client certificate.

Solution

Netskope Client certs need to be made available in the AWS CLI cert store for the tool to work with Netskope.

Amazon has released a version 2 of the AWS CLI.

Use the specific solution depending on the AWS CLI version installed.

AWS CLI Version 1

Depending on the device on which the AWS CLI tool is installed, download the matching script from the Support portal.

Windows users require the ns_certbundle_aws_cli_v1.bat script, while Mac users require the ns_certbundle_aws_cli_v1.sh script. Go to this KB article on our Support site to get these script files.

After the scripts have been downloaded, follow these steps:

  1. Copy the script to the user's aws config folder:

    On Windows: C:\Users\<<user>>\.aws (substitute <<user>> with your Windows user name).

    On Mac OS: ~/.aws

  2. Execute the script to create the netskope-cert-bundle.pem

  3. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on Win & Mac as necessary.

    aws configure set default.ca_bundle <path_to-cert_bundle>

    (For Windows) C:\Users\<<user>>\.aws\netskope-cert-bundle.pem

    (For Mac) ~/.aws/netskope-cert-bundle.pem

    Once these certs are set, the AWS CLI should be able to access all the AWS Services.

AWS CLI Version 2

Depending on the device on which the AWS CLI tool is installed, download the matching script from the Support portal.

Windows users require the ns_certbundle_aws_cli_v2.bat script, while Mac users require the ns_certbundle_aws_cli_v2.sh script. Go to this KB article on our Support site to get these script files.

After the scripts have been downloaded, follow these steps:

For Windows:

  1. Create a config folder to host the script and resulting cert bundle

    mkdir "C:\Program Files\Amazon\AWSCLIV2\nskp_config"

  2. Copy the script to the config folder created above.

  3. Execute the script to create the netskope-cert-bundle.pem.

  4. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in aws config.

    aws configure set default.ca_bundle "C:\Program Files\Amazon\AWSCLIV2\nskp_config\netskope-cert-bundle.pem"

For Mac OS:

AWS CLI v2 can be installed either globally for all users or for the current user only. Depending on the option selected, the installation path differs.

Please note that for the global installation, the script assumes that the installation path is the default one, which is:

/usr/local/aws-cli

  1. Create a nskp_config folder in the .aws directory to hold the certificate bundle

    mkdir ~/.aws/nskp_config

  2. Move the downloaded script 'ns_certbundle_aws_cli_v2.sh' to the config folder.

    mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config

  3. Run the script

    1. If the AWS CLI v2 was installed globally for all users, simply run the script:

      ./ns_certbundle_aws_cli_v2.sh

    2. If the AWS CLI v2 was installed for the current user, provide the path where the AWS CLI was installed. This will be the same path as mentioned in the AWS CLI installation (in the XML file).

      ./ns_certbundle_aws_cli_v2.sh -p <aws_cli_install_path>

  4. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on.

    aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
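
A check to run after either procedure above (an added example, not Netskope's or AWS's code). It goes beyond the page's single command: `aws configure set default.ca_bundle` writes the setting only into the `[default]` profile, so this script audits every profile in an AWS CLI config file for a bundle that is unset, missing, empty of PEM certificates, or writable by other users (anyone who can write to the bundle can add a trusted root). The function names, sample profiles and placeholder certificate are constructed for the illustration.

```python
import configparser
import os
import re
import stat
import tempfile

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

def audit_ca_bundles(config_path):
    """Map each profile in an AWS CLI config file to a list of findings."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(config_path)
    report = {}
    for section in cfg.sections():
        if section != "default" and not section.startswith("profile "):
            continue  # other section types are not profiles
        findings = report.setdefault(section.split(" ", 1)[-1], [])
        bundle = cfg.get(section, "ca_bundle", fallback=None)
        if bundle is None:
            findings.append("ca_bundle not set")
        elif not os.path.isfile(bundle):
            findings.append("bundle file missing")
        else:
            with open(bundle, encoding="ascii", errors="replace") as fh:
                if not PEM_CERT.search(fh.read()):
                    findings.append("no PEM certificate in bundle")
            if os.stat(bundle).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("bundle writable by group/other")
    return report

def demo():
    """Build a constructed config and bundle in a temp dir, then audit them."""
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "netskope-cert-bundle.pem")
        with open(bundle, "w") as fh:  # constructed placeholder, not a real cert
            fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                     "-----END CERTIFICATE-----\n")
        os.chmod(bundle, 0o666)  # deliberately loose to trigger the finding
        config = os.path.join(d, "config")
        with open(config, "w") as fh:
            fh.write(f"[default]\nregion = us-east-1\nca_bundle = {bundle}\n"
                     "[profile dev]\nregion = us-east-1\n"
                     f"[profile ops]\nca_bundle = {bundle}.gone\n")
        return audit_ca_bundles(config)

if __name__ == "__main__":
    for profile, findings in demo().items():
        print(profile, findings or "ok")
```

To audit a real installation, call `audit_ca_bundles()` with the path to the user's AWS CLI config file; the check is structural only and does not validate the certificates themselves.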