Open mogul opened 2 years ago
2022-04-18T12:15:26.80-0700 [APP/PROC/WEB/0] ERR raise SSLError(endpoint_url=request.url, error=e)
2022-04-18T12:15:26.80-0700 [APP/PROC/WEB/0] ERR botocore.exceptions.SSLError: SSL validation failed for https://s3-us-gov-west-1.amazonaws.com/cg-efc8a388-5300-46f2-97a7-62792fb14b53 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
I'm running into this issue when trying to get the egress proxy to work for inventory. When the public_network_egress policy is unbound to the space (meaning public egress is not allowed), inventory crashes. When public egress is allowed, the inventory app comes up normally. I have narrowed the issue to the error above.
I think this might have to do with Nick's finding that we're not including all provided certificates when configuring Caddy.
Oh wait, that makes no sense whatsoever... Those certs are used for the client-side connection, not the server-side connection. Oops.
OTOH, I think this might have to do with the AWS client itself only recently having grown the ability to configure the proxy-ca-bundle. If that change has made it into a release then we might try configuring it correctly (to refer to the CA bundle that AWS provides) and see what's what.
It looks like the PR is still pending, so to test this theory we'd need to either figure out how to configure it with a file or do something clever(*) to add the AWS CA cert bundle to the system-level one that the container is populated with.
OK, this is all moot now... Someone else found the solution, and we can point people to the article about this on the cloud.gov site. I'm leaving this issue open until we add that documentation!
There's code to auto-include appropriate S3 endpoints in the egress proxy config, so proxied apps can still reach their bound S3 buckets. HOWEVER, this code is not enough for `aws s3 ls s3://...` to function properly inside a proxied app. We need to work with cloud.gov and AWS support to figure out what additional hosts beyond the S3 endpoint hostnames must be included in order for `aws s3 ls s3://...` to work.
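To make the "auto-include S3 endpoints" step above concrete, here is an added example (not code from this project or from cloud.gov) that derives an egress allowlist from a bound S3 service and then applies a deny-by-default host check the way an egress proxy would. The VCAP_SERVICES sample and its credential field names (`bucket`, `region`, `endpoint`) are constructed for the example and are assumptions about the broker's binding format; the bucket id is a placeholder. The last check illustrates the thread's point: a host outside the S3 endpoint hostnames is refused, which is exactly why `aws s3 ls` may still need further hosts allowed.

```python
import json
from typing import Set
from urllib.parse import urlparse

# Constructed sample in the general shape of a Cloud Foundry VCAP_SERVICES
# document with one bound S3 bucket. Field names are assumptions for this
# example; the bucket id is an obvious placeholder, not a real bucket.
SAMPLE_VCAP_SERVICES = json.dumps({
    "s3": [
        {
            "name": "inventory-bucket",
            "credentials": {
                "bucket": "cg-00000000-0000-0000-0000-000000000000",
                "region": "us-gov-west-1",
                "endpoint": "s3-us-gov-west-1.amazonaws.com",
            },
        }
    ]
})


def s3_allowlist_hosts(vcap_services_json: str) -> Set[str]:
    """Return the hostnames an egress proxy must allow for each bound S3 bucket.

    Both S3 addressing styles are returned, because the AWS CLI and SDKs may
    use either one:
      path-style:           https://s3-<region>.amazonaws.com/<bucket>
      virtual-hosted style: https://<bucket>.s3-<region>.amazonaws.com
    """
    services = json.loads(vcap_services_json)
    hosts: Set[str] = set()
    for binding in services.get("s3", []):
        creds = binding.get("credentials", {})
        bucket = creds.get("bucket")
        # Fall back to the regional endpoint when the broker omits it.
        endpoint = creds.get("endpoint") or "s3-%s.amazonaws.com" % creds["region"]
        # Tolerate an endpoint that was given with a scheme and/or path.
        if "://" not in endpoint:
            endpoint = "https://" + endpoint
        host = urlparse(endpoint).hostname
        if not host:
            continue
        hosts.add(host.lower())
        if bucket:
            hosts.add("%s.%s" % (bucket.lower(), host.lower()))
    return hosts


def host_allowed(requested_host: str, allowlist: Set[str]) -> bool:
    """Deny-by-default decision for one outbound CONNECT/request target.

    Exact hostname match only: a port suffix is stripped and the comparison
    is case-insensitive, but no wildcard or suffix matching is performed,
    so a related AWS service host is refused unless explicitly listed.
    """
    host = requested_host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in allowlist


if __name__ == "__main__":
    allow = s3_allowlist_hosts(SAMPLE_VCAP_SERVICES)
    for h in sorted(allow):
        print("allow:", h)
    for candidate in ("s3-us-gov-west-1.amazonaws.com:443",
                      "sts.us-gov-west-1.amazonaws.com"):
        print(candidate, "->", "allowed" if host_allowed(candidate, allow) else "denied")
```

Running it prints the two S3 hostnames as allowed, the S3 endpoint with a port suffix as allowed, and the (constructed) `sts.us-gov-west-1.amazonaws.com` host as denied; any additional hosts the CLI needs would have to be learned from AWS/cloud.gov support and added to the allowlist rather than guessed.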