aws / aws-toolkit-jetbrains

AWS Toolkit for JetBrains - a plugin for interacting with AWS from JetBrains IDEs
https://plugins.jetbrains.com/plugin/11349-aws-toolkit
Apache License 2.0

Amazon Q and SSL Interception not working in IntelliJ #4343

Open sbourell opened 2 months ago

sbourell commented 2 months ago

Describe the bug

Hello, I am trying to use Amazon Q in IntelliJ but it is not working with our SSL Interception activated. My enterprise uses ZScaler (yes I know....), and I found some information in #1009 but it didn't work. I added the root certificate in the IntelliJ store, but Amazon Q still refuses to work:

An error occurred while processing your request.
This error is reported to the team automatically. We will attempt to fix it as soon as possible.

Details: 
Unable to execute HTTP request: javax.net.ssl.SSLHandshakeException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

Session ID: null

To reproduce

  1. Install Amazon Q on IntelliJ
  2. Activate your SSL Interception program (in my case ZScaler)
  3. Add the root certificate in IntelliJ trusted store
  4. Reboot the IDE to be sure it is taken into account
  5. Try Amazon Q

Expected behavior

It should be working, as in #1009 it is said that AWS Toolkit is now correctly using the IntelliJ trusted store.


Your Environment

Thank you for your help!

vp380 commented 1 month ago

I am experiencing the same issue! Is there a resolution ?

sbourell commented 1 month ago

> I am experiencing the same issue! Is there a resolution ?

@vp380 There is no resolution on this ticket for now but I found a workaround.

As the AWS plugin ignores the certificate installed from the GUI, you can instead import the Zscaler certificate (or any root certificate) directly into the bundled Java Keystore of IntelliJ.

To do so :

  1. Open a command prompt as admin
  2. cd to IntelliJ installation directory
  3. Execute the following command:

     .\jbr\bin\keytool.exe -import -noprompt -keystore .\jbr\lib\security\cacerts -storepass changeit -alias ZscalerRootCA -file PATH_TO_YOUR\zscaler.pem

And yes, changeit is the real password of the Keystore, and contrary to what the password states, I think that it would be a bad idea to change it.


Useful commands :

PS: One downside of this method is that it is in the installation directory, so I think that it will be erased at the next update of IntelliJ.

louiswebdev commented 1 month ago

> @vp380 There is no resolution on this ticket for now but I found a workaround.

@sbourell which also worked very well under macOS (paths are slightly different of course)

In my case:

cd /Applications/PyCharm\ CE.app/Contents
jbr/Contents/Home/bin/keytool -import -noprompt -keystore ./jbr/Contents/Home/lib/security/cacerts -storepass changeit -alias NameOfCa -file PATH_TO_CERTFILE/cacert.pem

I then had to restart PyCharm.

louiswebdev commented 3 weeks ago

I found another downside: a modified cacerts file breaks the PyCharm updater - you need to make a copy of the original file and put it back in place before upgrading.
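
The workaround from the comments above, combined with the two downsides they report (the change lives in the installation directory, and a modified cacerts breaks the updater), as an added example that is not part of the thread and not AWS or JetBrains code. The function names, the `.orig` backup suffix and the argument layout are assumptions; the keytool options and the `changeit` password are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. JBR_HOME (first argument) is the IDE's
# bundled runtime, e.g. "/Applications/PyCharm CE.app/Contents/jbr/Contents/Home"
# on macOS. The ".orig" suffix and function names are assumptions.
STOREPASS=changeit   # default cacerts password, as used in the thread

cacerts_path() { printf '%s/lib/security/cacerts' "$1"; }

# Keep one pristine copy. Never overwrite it, so a second run cannot replace
# the original with an already-modified store.
backup_cacerts() {
    store=$(cacerts_path "$1")
    [ -f "$store" ] || { echo "no cacerts at $store" >&2; return 1; }
    [ -f "$store.orig" ] || cp -p "$store" "$store.orig"
}

# Put the pristine store back before an IDE upgrade. The backup is moved, not
# copied, so the next import takes a fresh backup of the upgraded store.
restore_cacerts() {
    store=$(cacerts_path "$1")
    [ -f "$store.orig" ] || { echo "no backup at $store.orig" >&2; return 1; }
    mv -f "$store.orig" "$store"
}

# Import the CA under the given alias unless that alias already exists,
# then list the entry so its fingerprint can be compared with the CA file.
import_ca() {
    jbr=$1; ca_alias=$2; pem=$3
    store=$(cacerts_path "$jbr")
    keytool="$jbr/bin/keytool"
    backup_cacerts "$jbr" || return 1
    if "$keytool" -list -keystore "$store" -storepass "$STOREPASS" \
            -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias $ca_alias already present, nothing to do"
        return 0
    fi
    "$keytool" -importcert -noprompt -keystore "$store" \
        -storepass "$STOREPASS" -alias "$ca_alias" -file "$pem" || return 1
    "$keytool" -list -keystore "$store" -storepass "$STOREPASS" -alias "$ca_alias"
}

# Usage: script import JBR_HOME ALIAS PEM_FILE | script restore JBR_HOME
case "${1:-}" in
    import)  import_ca "$2" "$3" "$4" ;;
    restore) restore_cacerts "$2" ;;
esac
```

Restart the IDE after `import`, and run `restore` before upgrading; the import has to be repeated once the upgrade has replaced the bundled runtime.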