apex / up

Deploy infinitely scalable serverless apps, apis, and sites in seconds to AWS.
https://up.docs.apex.sh
MIT License

AWS_CA_BUNDLE support #621

Open MuksSharma opened 6 years ago

MuksSharma commented 6 years ago

Prerequisites

Description

up commands not moving past the step shown in verbose mode:

   ⠼ 20.501s DEBU flush age above_duration=6h0m0s above_size=50 age=183h37m57.039938438s size=8

Describe the bug or feature. CLI non-responsive

Steps to Reproduce

I was able to get it working after I got off VPN which means it might be some internal network filtering causing the issue. Does up support passing a custom CA bundle as env variable or as a flag?

Describe the steps required to reproduce the issue if applicable.


tj commented 6 years ago

As a quick fix maybe try touch ~/.up/disable to disable the analytics, but I should add a ~200ms timeout there regardless!

MuksSharma commented 6 years ago

@tj Thanks for the tip. That allowed me to move past the analytics stage and showed the real issue, which, as I suspected, is due to corporate network filtering/decrypting SSL certs.

     3ms DEBU up version 0.5.9-pro (os: darwin, arch: amd64)
   ⠋ 0s DEBU 1 regions from config
   ⠇ 901ms DEBU 1 regions from config
     Error: initializing: loading secrets: RequestError: send request failed
     caused by: Post https://ssm.us-east-1.amazonaws.com/: x509: certificate signed by unknown authority

Is there a way to supply the cert bundle to up, similar to what we use for the aws cli using the env var AWS_CA_BUNDLE?

tj commented 6 years ago

Sounds like the AWS SDK for Go supports AWS_CA_BUNDLE by default. I never use a VPN personally so I can't confirm at the moment, but I see it in the documentation.

MuksSharma commented 6 years ago

@tj That's great. Does this mean up needs changes to accommodate this? I should have clarified; VPN is not the core of the issue, it is the interception of SSL traffic for purposes of decryption used primarily to protect corporate networks. This is accomplished by supplying a custom CA bundle for all SSL connections.

tj commented 6 years ago

It sounds like AWS_CA_BUNDLE should work as-is and be picked up if it's defined, I'm not seeing any manual way to enable it, but I'll do some digging! Definitely seems supported—you didn't have any luck just defining AWS_CA_BUNDLE?

akelleymm commented 6 years ago

Can confirm. AWS_CA_BUNDLE does not resolve this issue alone.

freeeve commented 6 years ago

I'm hitting this error at the deploy stage; tried setting AWS_CA_BUNDLE and touch ~/.up/disable, but it's still not working:

     6ms     DEBU hook deploy is not defined
   ⠸ 912ms   DEBU checking for role
     963ms   DEBU checking for role
   ⠼ 0s      DEBU event deploy.complete map[duration:1.420082947s commit: stage:staging]
     Error: deploying: iam: fetching role: RequestError: send request failed
     caused by: Post https://iam.amazonaws.com/: x509: certificate signed by unknown authority

I'm not on a vpn, but behind a corporate firewall.

tj commented 6 years ago

I'll try to figure out why it's not picking up AWS_CA_BUNDLE. I'm not too familiar with corporate firewalls so it might be hard for me to verify, but maybe it's some config I missed.