aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Use System Root CA Store on Windows #6193

Closed grochoge closed 3 years ago

grochoge commented 3 years ago

Is your feature request related to a problem? Please describe.
Yes. I am on Windows behind a corporate proxy server that does SSL interception. The root CA of the proxy TLS MITM is in the Windows trusted root CA store. However, when I try to issue some commands, I get:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

Describe the solution you'd like
The CLI should trust the Windows root CA store rather than solely relying on a certificate bundle installed with the application. The pip package python-certifi-win32 does this for the requests library, although it still doesn't fix AWS CLI v1.

Describe alternatives you've considered
I don't want to skip SSL verification since that's dangerous. I see the AWS_CA_BUNDLE option is provided, but it's not clear from the documentation if this adds to or replaces the default trust store. It's also duplication of the trust store already provided by the OS.

kdaily commented 3 years ago

Hi @grochoge, the AWS_CA_BUNDLE replaces the default certificate bundle to use. I think that this is the feature you would want to use in this scenario, if you know the path to the certificate bundle.

If you have the certifi package installed, the CLI uses that to get the certificate bundle:

https://github.com/boto/botocore/blob/develop/botocore/httpsession.py#L38-L42

If I understand your description, having python-certifi-win32 should in theory work. You can see in the --debug logs a line that prints the certificate bundle being loaded. Can you confirm what you see when you have these packages installed on Windows?

A caveat is that this would work on AWS CLI v1, but not on v2's self-contained installation - there isn't a way to get other packages to play nicely with certifi. We have ongoing work to provide a source installation for the v2 client.

As far as adding that as a feature, it would need cross-SDK discussion and approval to change the certificate provider strategy.

Let me know if you have more details on the certificate bundle you see in the debug logs!
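A Windows-side way to act on the AWS_CA_BUNDLE suggestion above, written as an added example that is not part of this thread or of the aws-cli project: export the Windows trusted root stores to a PEM bundle, point the CLI at it, and confirm in the --debug output which bundle is loaded. Because AWS_CA_BUNDLE replaces the built-in bundle rather than extending it, the script can optionally append an existing PEM bundle. The output path, the -MergeWith path and the store selection are assumptions for illustration, not CLI defaults.

```powershell
# Added example, not code from the thread or the aws-cli project.
# Exports the Windows trusted root (and intermediate) CA stores to a PEM bundle
# and points the AWS CLI at it through AWS_CA_BUNDLE, which REPLACES the
# CLI's built-in bundle rather than extending it.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; the output path and the
# optional -MergeWith path are illustrative, not CLI defaults.
param(
    [string]$OutFile = "$env:USERPROFILE\.aws\windows-ca-bundle.pem",
    # Optional existing PEM bundle to append (e.g. the cacert.pem shipped with the
    # CLI install), so public roots Windows has not yet fetched are still present.
    [string]$MergeWith = ""
)

function ConvertTo-PemBlock {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $b64 = [Convert]::ToBase64String($Cert.RawData)
    # Wrap the body at 64 characters, the conventional PEM line length.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    # The leading '#' line is a comment; PEM readers skip text outside BEGIN/END.
    return "# $($Cert.Subject)`n-----BEGIN CERTIFICATE-----`n" +
           ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

# Root stores for machine and user (a proxy CA is often only in one of them),
# plus the intermediate store in case the proxy does not send its own chain.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\CA'
$now    = Get-Date
$seen   = @{}
$blocks = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Skip expired certificates and duplicates across stores.
        if ($cert.NotAfter -lt $now -or $seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true
        ConvertTo-PemBlock -Cert $cert
    }
}

$content = $blocks -join "`n"
if ($MergeWith -and (Test-Path -Path $MergeWith)) {
    $content += "`n" + (Get-Content -Path $MergeWith -Raw)
}

New-Item -ItemType Directory -Force -Path (Split-Path -Path $OutFile) | Out-Null
# Write ASCII without a BOM; a UTF-8 BOM ahead of the first BEGIN line can
# make the first certificate unreadable to OpenSSL-based parsers.
[System.IO.File]::WriteAllText($OutFile, $content, [System.Text.Encoding]::ASCII)
Write-Host "Wrote $($seen.Count) certificates to $OutFile"

# Use the bundle for this session. To persist it, set the variable with setx,
# pass --ca-bundle on each call, or put `ca_bundle = <path>` under the profile
# in ~/.aws/config.
$env:AWS_CA_BUNDLE = $OutFile

# Check which bundle the CLI actually loads: --debug logs the certificate path.
aws sts get-caller-identity --debug 2>&1 | Out-String -Stream | Select-String -Pattern 'cert'
```

Two caveats a practitioner should keep in mind. First, Windows populates its root store lazily (additional roots are fetched from Windows Update the first time a chain needs them), so a freshly exported bundle can lack a public root the CLI's endpoints chain to; that is why appending the CLI's own bundle via -MergeWith is offered. Second, every certificate in the exported file becomes a trust anchor for the CLI, so review the store contents before exporting rather than trusting whatever happens to be installed.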

github-actions[bot] commented 3 years ago

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

MLaunch commented 2 years ago

Still appears to be an issue in cli-v2.

tomaszkrzyzanowski commented 1 year ago

https://pypi.org/project/python-certifi-win32/

Seems like this package is obsolete, and the mentioned alternative (https://pypi.org/project/pip-system-certs/) is not suitable for general use

Or at least not working for me with AWS cli

edit: just realized that AWS CLI v2 is an exe instead of a regular pip package and might use its own Python

Liz4v commented 5 months ago

> Hi @grochoge, the AWS_CA_BUNDLE replaces the default certificate bundle to use. I think that this is the feature you would want to use in this scenario, if you know the path to the certificate bundle.

This is a very suboptimal solution because corporate MITM TLS proxies come pre-configured. They work transparently with all browsers and other API-enabled tools like DB applications and most code package managers. Why would anyone distrust the system CA store yet continue to wish to use the system? I can't think of a threat model that makes sense.