Addressing SSL Error while Accessing AWS Services via the AWS CLI with the Netskope Client Enabled
The AWS CLI is a tool that can be used to interact with AWS services via any terminal program.
However, with the Netskope Client enabled, accessing AWS services via the CLI fails with the following error:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
This article describes the steps necessary to remediate this error and access AWS services via the AWS CLI tool with the Netskope Client enabled.
Root Cause
A user typically sets up the AWS CLI with the following command:
aws configure
They are then prompted for their access credentials and the region. After this information is provided, the expected result is an established connection to AWS; instead, the setup fails.
Users might also see an error if the AWS CLI was configured before the Netskope Client was installed.
In both scenarios, executing commands produces the following error message:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
Both are caused by a certificate error. With the Netskope Client enabled, the certificate presented on the connection to AWS is the Netskope Client certificate. Because this is not the certificate the AWS CLI expects for the AWS endpoint, certificate verification fails, the session is never authenticated, and initialization stops.
The AWS CLI trusts only server certificates issued by CAs in its private certificate store. It does not use the system certificate store, which holds the entry for the Netskope Client certificate.
Solution
The Netskope Client certificate needs to be made available in the AWS CLI certificate store for the tool to work with Netskope.
Amazon has released version 2 of the AWS CLI.
Use the solution that matches the AWS CLI version installed.
AWS CLI Version 1
Depending on the device on which the AWS CLI tool is installed, download the appropriate script from the Support portal. Windows users require the ns_certbundle_aws_cli_v1.bat script, while Mac users require the ns_certbundle_aws_cli_v1.sh script. Go to this KB article on our Support site to get these script files.
After the scripts have been downloaded, follow these steps:
Copy the script to the user's AWS config folder.
On Windows: C:\Users\<<user>>\.aws (substitute <<user>> with your Windows user name)
On Mac OS: ~/.aws
Execute the script to create netskope-cert-bundle.pem
Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the AWS config, substituting the cert bundle path for Windows or Mac as appropriate:
aws configure set default.ca_bundle <path_to_cert_bundle>
For Windows: C:\Users\<<user>>\.aws\netskope-cert-bundle.pem
For Mac: ~/.aws/netskope-cert-bundle.pem
Once the cert bundle is set, the AWS CLI should be able to access all AWS services.
AWS CLI Version 2
Depending on the device on which the AWS CLI tool is installed, download the appropriate script from the Support portal. Windows users require the ns_certbundle_aws_cli_v2.bat script, while Mac users require the ns_certbundle_aws_cli_v2.sh script. Go to this KB article on our Support site to get these script files.
After the scripts have been downloaded, follow these steps:
For Windows:
Create a config folder to hold the script and the resulting cert bundle. The path contains a space, so it must be quoted, otherwise mkdir creates two separate folders:
mkdir "C:\Program Files\Amazon\AWSCLIV2\nskp_config"
Copy the script to the config folder created above.
Execute the script to create netskope-cert-bundle.pem
Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the AWS config (use straight double quotes around the path):
aws configure set default.ca_bundle "C:\Program Files\Amazon\AWSCLIV2\nskp_config\netskope-cert-bundle.pem"
For Mac OS:
The AWS CLI V2 allows the installation either globally for all users or for the current user. Depending on the option selected, the path where the installation occurs differs.
Note that for the global installation, the script assumes the default installation path, which is:
/usr/local/aws-cli
Create a nskp_config folder in the .aws directory to hold the certificate bundle
mkdir ~/.aws/nskp_config
Move the downloaded script ns_certbundle_aws_cli_v2.sh to the config folder:
mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config
Run the script from the config folder (make it executable first if it is not already):
cd ~/.aws/nskp_config
chmod +x ns_certbundle_aws_cli_v2.sh
If the AWS CLI v2 was installed globally for all users, simply run the script:
./ns_certbundle_aws_cli_v2.sh
If the AWS CLI v2 was installed for the current user, provide the path where the AWS CLI was installed. This is the same path specified during the AWS CLI installation (in the XML file):
./ns_certbundle_aws_cli_v2.sh -p <aws_cli_install_path>
Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the AWS config, changing the cert bundle path as necessary:
aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
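The following shell script is an added example illustrating what the Mac procedures above (for both AWS CLI v1 and v2) accomplish; it is not the Netskope ns_certbundle script from the Support portal and does not replace it. It builds a bundle from the AWS CLI's own root CAs plus the Netskope Client CA, refuses to write a bundle if either input contains no certificate, points the CLI at the result with aws configure set default.ca_bundle, and checks that the chain an AWS endpoint presents through the Netskope Client verifies against the new bundle. The default cacert.pem path, the keychain location and the "Netskope" common-name match used by export_netskope_ca are assumptions for illustration; adjust them for your install and tenant.

```shell
#!/bin/sh
# Added example (not Netskope's ns_certbundle_aws_cli script): build a CA bundle
# that holds the AWS CLI's own root CAs plus the Netskope Client CA, sanity-check
# it, point the CLI at it, and confirm the TLS chain verifies. macOS/Linux shell.
set -eu

# count_certs FILE: print the number of PEM certificate blocks in FILE (0 if missing).
count_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle BASE NETSKOPE_CA OUT: write BASE followed by NETSKOPE_CA to OUT and
# print the resulting certificate count. Refuses to write anything if either input
# has no certificate, since an empty or half-empty bundle breaks every CLI call.
build_bundle() {
  base=$1; extra=$2; out=$3
  [ "$(count_certs "$base")" -gt 0 ]  || { echo "no certificates in $base" >&2; return 1; }
  [ "$(count_certs "$extra")" -gt 0 ] || { echo "no certificates in $extra" >&2; return 1; }
  { cat "$base"; echo; cat "$extra"; } > "$out"   # blank line keeps PEM markers apart
  chmod 644 "$out"
  count_certs "$out"
}

# export_netskope_ca OUT: pull the Netskope CA out of the macOS System keychain as PEM.
# Assumption: the CA's common name contains "Netskope"; adjust -c for your tenant's CA.
export_netskope_ca() {
  security find-certificate -a -c "Netskope" -p /Library/Keychains/System.keychain > "$1"
}

# check_bundle BUNDLE HOST: verify the chain an AWS endpoint presents (through the
# Netskope Client) against BUNDLE; exit status 0 means the AWS CLI will accept it.
check_bundle() {
  openssl s_client -connect "$2:443" -servername "$2" -CAfile "$1" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  # Assumed default location of the AWS CLI v2 bundled roots on macOS; override with
  # AWS_CLI_CACERT for v1 (botocore/certifi cacert.pem) or a per-user v2 install.
  base_bundle=${AWS_CLI_CACERT:-/usr/local/aws-cli/v2/current/dist/awscli/botocore/cacert.pem}
  cfg_dir="$HOME/.aws/nskp_config"
  mkdir -p "$cfg_dir"
  export_netskope_ca "$cfg_dir/netskope-ca.pem"
  n=$(build_bundle "$base_bundle" "$cfg_dir/netskope-ca.pem" "$cfg_dir/netskope-cert-bundle.pem")
  echo "bundle written with $n certificates"
  aws configure set default.ca_bundle "$cfg_dir/netskope-cert-bundle.pem"
  check_bundle "$cfg_dir/netskope-cert-bundle.pem" sts.amazonaws.com \
    && aws sts get-caller-identity
}

# Only run the full procedure when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as sh nskp_bundle.sh --run on the Mac where the Netskope Client is enabled; aws --version tells you which CLI version (and hence which base cacert.pem path) applies. The certificate count it prints should be the CLI's own root count plus the Netskope CA, and aws sts get-caller-identity succeeding after check_bundle is the confirmation that the CERTIFICATE_VERIFY_FAILED error is gone.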