Addressing SSL Error while Accessing AWS Services via the AWS CLI with the Netskope Client Enabled

Addressing SSL Error while Accessing AWS Services via the AWS CLI with the Netskope Client Enabled

The AWS CLI is a tool that can be used to interact with AWS services via any terminal program.

However, with the Netskope Client enabled, accessing the AWS services via the CLI causes an error as:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

This article describes the steps necessary to remediate this error and access AWS services via the AWS CLI tool with the Netskope Client enabled.

Root Cause

A user will typically set up their AWS using the command as below:

aws configure

They are then asked to enter the details about their access credentials and the region information.

Post providing this information the expected output is the connection to be established to the AWS instance. However, this setup fails.

Users might also see an error if they have a pre-configured AWS CLI and the Netskope Client is installed later.

In these scenarios, the users will see the following error message on executing commands:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Both these are caused due to a certificate error. With the Netskope Client enabled, the certificate that is presented to the AWS instance is the Netskope Client certificate. As this is not the expected certificate on AWS’s end, the authentication is not complete and the initialization fails.

AWS CLI trusts only server certs issued by CAs in its private cert store. It does not use the system certificate store which has the entry for the Netskope Client cert.

Solution

Netskope Client certs need to be made available in the AWS CLI cert store for the tool to work with Netskope.

Amazon has released a version 2 of the AWS CLI.

Use the specific solution depending on the AWS CLI version installed.

AWS CLI Version 1

Depending on the device that the AWS CLI tool is being installed, you can download the scripts from the Support portal.

Windows users require the ns_certbundle_aws_cli_v1.bat script, while Mac users require the ns_certbundle_aws_cli_v1.sh script. Go to this KB articleGo-to-Icon.png on our Support site to get these script files.

After the scripts have been downloaded, please follow the following steps:

  1. Copy the script to the users aws config folder.

  2. On Windows: C:\Users\<<user>>\.aws (substitute <<user>> to you Windows user).

  3. On Mac OS: ~/.aws

  4. Execute the script to create netskope-cert-bundle.pem.

  5. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on Win & Mac as necessary.

    aws configure set default.ca_bundle <path_to-cert_bundle>
 Instead, you can use an environment variable to set the cert bundle in the aws config
export AWS_CA_BUNDLE="~/.aws/nskp_config/netskope-cert-bundle.pem"
There are multiple ways to specify the CA certificate bundle to verify SSL certificates. Refer to Configuration and Credential File Settings for more details about setting the cert bundle. It is specific to user preference. Windows users must run the .bat file and not the .sh file.
  • (For Windows) C:\Users\<<user>>\.aws\netskope-cert-bundle.pem

  • (For Mac) ~/.aws/netskope-cert-bundle.pemOnce these certs are set, the AWS CLI should be able to access all the AWS Services.

AWS CLI Version 2

Depending on the device that the AWS CLI tool is being installed, you can download the scripts from the Support portal.

Windows users require the ns_certbundle_aws_cli_v2.bat script, while Mac users require the ns_certbundle_aws_cli_v2.sh script. Go to this KB articleGo-to-Icon.png on our Support site to get these script files.

After the scripts have been downloaded, please follow the following steps:

For Windows:

  1. Create a config folder to host the script and resulting cert bundle.

    mkdir C:\Program Files\Amazon\AWSCLIV2\nskp_config
  2. Copy the script to the config folder created above.

  3. Execute the script to create netskope-cert-bundle.pem.

  4. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in aws config.

    aws configure set default.ca_bundle “C:\Program Files\Amazon\AWSCLIV2\nskp_config\netskope-cert-bundle.pem”
    Instead, you can use an environment variable to set the cert bundle in the aws config
    export AWS_CA_BUNDLE="~/.aws/nskp_config/netskope-cert-bundle.pem"
    There are multiple ways to specify the CA certificate bundle to verify SSL certificates. Refer to Configuration and Credential File Settings for more details about setting the cert bundle. It is specific to user preference. Windows users must run the .bat file and not the .sh file.

For Mac OS:

The AWS CLI V2 allows the installation either globally for all users or for the current user. Depending on the option selected, the path where the installation occurs differs.

For global installation, the script assumes that the installation path is the default one which is: /usr/local/aws-cli
  1. Create a nskp_config folder in the .aws directory to hold the certificate bundle.

    mkdir ~/.aws/nskp_config
  2. Move the downloaded script ‘ns_certbundle_aws_cli_v2.sh’ to the config folder.

    mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config
  3. Run the script

    • If the AWS CLI v2 was installed globally for all users, simply run the script:

      ./ns_certbundle_aws_cli_v2.sh
    • If the AWS CLI v2 was installed for the current user, provide the path where the AWS CLI was installed. This will be the same path as mentioned in the AWS CLI installation (in the XML file).

      ./ns_certbundle_aws_cli_v2.sh -p <aws_cli_install_path>
  4. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on.

    aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
    Instead, you can use an environment variable to set the cert bundle in the aws config
    export AWS_CA_BUNDLE="~/.aws/nskp_config/netskope-cert-bundle.pem"
    There are multiple ways to specify the CA certificate bundle to verify SSL certificates. Refer to Configuration and Credential File Settings for more details about setting the cert bundle. It is specific to user preference. Windows users must run the .bat file and not the .sh file.
Share this Doc

Addressing SSL Error while Accessing AWS Services via the AWS CLI with the Netskope Client Enabled

Or copy link

In this topic ...