aws / aws-toolkit-vscode

Amazon Q, CodeCatalyst, Local Lambda debug, SAM/CFN syntax, ECS Terminal, AWS resources
https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.amazon-q-vscode
Apache License 2.0
1.46k stars 407 forks

"Connect to AWS" error: unable to get local issuer certificate #899

Open MatthiasPdx opened 4 years ago

MatthiasPdx commented 4 years ago

Describe the bug

Error suggesting invalid profile on machine with existing credentials file in use with aws cli

To Reproduce

After installing and ctrl+shift+p -> connect to AWS on a machine that already has a credentials file in the home directory, the user is given a list of profiles in the credentials file. Selecting either of my profiles returns an error "Credentials profile is invalid"

Expected behavior

AWS connects to that profile.

Screenshots

1-17-2020 4-41-07 PM

1-17-2020 4-42-41 PM

Desktop (please complete the following information):

Additional context

F:\>sam --version
SAM CLI, version 0.13.0

F:\>aws --version
aws-cli/1.17.4 Python/3.6.0 Windows/10 botocore/1.14.4

F:\>aws s3 ls
2019-12-03 14:38:40 andrew-test-s3-bucket

F:\>aws s3 ls --profile dev
2020-01-08 08:13:27 admstest

I read through https://github.com/aws/aws-toolkit-vscode/issues/705 which shows the same symptoms but following the recommended steps of reinstalling the latest VSCode, restarting it and having lower case credential key names didn't work for me.

Here is the content of my credential file with altered keys:

[default]
aws_access_key_id = BKDLSKEJFLKASKJFKELS
aws_secret_access_key = adklsfjASDfksa2+akdzADSFwekfasdfjslkedsf
[sand]
aws_access_key_id = BKDLSKEJFLKASKJFKELS
aws_secret_access_key = adklsfjASDfksa2+akdzADSFwekfasdfjslkedsf
[dev]
aws_access_key_id = SKDASDLFKJSKSKJFKELT
aws_secret_access_key = fasdfjslkedadklsfjASDfksa2+akdzADSFweksf

Please let me know if you have any suggestions.

Thank you!

justinmk3 commented 4 years ago
MatthiasPdx commented 4 years ago

Hi Justin, I'm not a new user. Before 1.5, I used 1.3...something and it didn't work then either. I have never gotten it to work, nor have any of my friends. Therefore, I don't think it's a regression.

Can you elaborate on how I can apply #888? Is this fix going to be part of a public version soon?

Thank you!

justinmk3 commented 4 years ago

> #888? Is this fix going to be part of a public version soon?

Yes.

awschristou commented 4 years ago

Hi @MatthiasPdx, when the next toolkit is released, if your issue is not resolved, it should at least have more verbose logging that you will be able to share in the issue to better identify the issue.

To confirm, are the credentials contents you have shared in the original post located in ~/.aws/credentials or ~/.aws/config? If they aren't in ~/.aws/credentials, I recommend renaming the file to that first, and restarting VS Code to see if the toolkit has success in using the profiles.

MatthiasPdx commented 4 years ago

@awschristou, yes I have my files

I'll be waiting for the next version of the toolkit to report back. Thank you!

awschristou commented 4 years ago

The toolkit v1.6.0 is now released. It contains verbose logging when selecting credentials in the toolkit.

If you continue to get errors when trying to use credentials in the toolkit, set your AWS Toolkit logging to verbose, then try to select credentials in the toolkit. The generated logs should help to explain if the credentials were considered invalid.

I'll leave this ticket open a short while in case you have a chance to try it out and report back.

MatthiasPdx commented 4 years ago

Thank you! I updated, reloaded VSC and connected with verbose logging. I'm still seeing the error. The logs show:

Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1317:34)
    at TLSSocket.emit (events.js:200:13)
    at TLSSocket.EventEmitter.emit (domain.js:471:20)
    at TLSSocket._finishInit (_tls_wrap.js:792:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:606:12)

Full log: aws_toolkit_20200207T155025.log

Do you have a suggestion as to what I should try? Again, aws cli is working from the command line from the same machine, so a connection can be established in general.

Thank you for looking into it.

justinmk3 commented 4 years ago

Sounds like https://github.com/aws/aws-toolkit-vscode/issues/917

MatthiasPdx commented 4 years ago

@justinmk3, the user in #917 describes "After connecting to AWS, I try to expand...". For me the error shows earlier, after clicking on 'Connect to AWS' and 'profile:default'.

2-10-2020 6-55-20 AM

justinmk3 commented 4 years ago

> Error: unable to get local issuer certificate

From https://github.com/nodejs/node/issues/3742#issuecomment-155546646 ,

> The error itself just means that a TLS certificate in the chain is signed by an unknown CA, presumably the cert your proxy uses.

@MatthiasPdx are you on a corporate managed computer or network?

Related vscode doc: https://code.visualstudio.com/updates/v1_30#_network-proxy-support-for-extensions

VScode exposes some related settings:

What are the values of those settings in your vscode?

Tracking issue: https://github.com/aws/aws-toolkit-vscode/issues/185

lmayorga1980 commented 4 years ago

I am running into the same issue. Anyone tried squid locally to handle a custom CA bundle?

justinmk3 commented 4 years ago

@lmayorga1980 are you able to answer the questions above: https://github.com/aws/aws-toolkit-vscode/issues/899#issuecomment-589500847

irishgordo commented 4 years ago

Is there any update on this by chance?

I'm still seeing a similar issue:

2020-06-01 11:20:58 [ERROR]: Error trying to connect to AWS with Credentials Provider profile:default. Toolkit will now disconnect from AWS. [Error: ENOENT: no such file or directory, open '/~/.aws/credentials'
    at Object.openSync (fs.js:447:3)
    at Object.func (electron/js2c/asar.js:140:31)
    at Object.func [as openSync] (electron/js2c/asar.js:140:31)
    at Object.readFileSync (fs.js:349:35)
    at Object.fs.readFileSync (electron/js2c/asar.js:542:40)
    at Object.fs.readFileSync (electron/js2c/asar.js:542:40)
    at Object.readFileSync (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:106298)
    at constructor.o [as parseFile] (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:972231)
    at constructor.loadFrom (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:972660)
    at Object.getProfilesFromSharedConfig (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:119539)
    at constructor.load (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:2018768)
    at constructor.coalesceRefresh (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:968205)
    at constructor.refresh (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:2019720)
    at constructor.get (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:968031)
    at e (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:969255)
    at constructor.resolve (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:969299)
    at /Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:117753
    at new Promise (<anonymous>)
    at constructor.resolvePromise (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:117690)
    at f.<anonymous> (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:686763)
    at Generator.next (<anonymous>)
    at /Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:685304
    at new Promise (<anonymous>)
    at n (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:685049)
    at f.getCredentials (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:686458)
    at t.CredentialsStore.<anonymous> (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:6301739)
    at Generator.next (<anonymous>)
    at o (/Users/mike.russell/.vscode/extensions/amazonwebservices.aws-toolkit-vscode-1.10.0/dist/extension.js:2:6301158)] {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/~/.aws/credentials'
}

justinmk3 commented 4 years ago

are you able to answer the questions above: #899 (comment)

eugenevd commented 3 years ago

@irishgordo

For what it's worth, I've just had the same error as the OP

$ code --version
1.51.1
e5a624b788d92b8d34d1392e4c4d9789406efe8f
x64
$ aws --version
aws-cli/1.18.180 Python/3.6.9 Linux/5.4.0-53-generic botocore/1.19.20

AWS Toolkit 1.15.0

What solved the problem for me was to change the profile entries in ~/.aws/config from [profileX] to [profile profileX]
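
The section-naming difference behind that fix, as an added example that is not part of the original comment or the toolkit's code: in the shared config file a named profile is headed `[profile NAME]`, while the credentials file uses the bare `[NAME]`. The linter below flags headers that break either rule; `lintSections` and the sample file contents are constructed for illustration, and the credentials-file check goes beyond the case described in the comment.

```javascript
// Section prefixes that are valid in ~/.aws/config besides [default].
const CONFIG_PREFIXES = ['profile', 'sso-session', 'services'];

// kind is 'config' (~/.aws/config) or 'credentials' (~/.aws/credentials).
// Returns one finding per section header that uses the other file's naming.
function lintSections(text, kind) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = /^\[([^\]]*)\]\s*([#;].*)?$/.exec(raw.trim());
    if (!m) return; // key = value, comment or blank line
    const name = m[1].trim();
    const words = name.split(/\s+/);
    const hasPrefix = words.length > 1 && CONFIG_PREFIXES.includes(words[0]);
    if (kind === 'config' && name !== 'default' && !hasPrefix) {
      // config requires the "profile " prefix for every named profile
      findings.push({ line: i + 1, section: name, fix: `[profile ${name}]` });
    } else if (kind === 'credentials' && words[0] === 'profile' && words.length > 1) {
      // credentials must not carry the prefix
      findings.push({ line: i + 1, section: name, fix: `[${words.slice(1).join(' ')}]` });
    }
  });
  return findings;
}

// Constructed sample of a config file with the mistake described above.
const SAMPLE_CONFIG = [
  '[default]',
  'region = eu-west-1',
  '[profileX]',
  'region = eu-west-1',
  '[profile dev]',
  'region = us-west-2',
].join('\n');

console.log(lintSections(SAMPLE_CONFIG, 'config'));
```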

irishgordo commented 3 years ago

@eugenevd that's pretty clever!

The workstation that I was using where I had seen that previous error I no longer have in my possession. So on my end, I'm not able to provide any updates on this, apologies. Perhaps this is a non-issue / this issue can be closed?

AbhilashPurohith commented 3 years ago

Go to Visual Studio -> Settings icon -> Settings -> search for Proxy -> Remove http proxy if any -> uncheck Http: Proxy Strict SSL -> restart Visual Studio Code

This solved my problem.

If you are not able to do it at all, try removing the proxy from settings. Go off the VPN and then try it again.

Or else check if you are setting any HTTP proxy in your environment variables. Remove it and try.

alxrdn commented 2 years ago

hi

@MatthiasPdx did you find any way to have aws-toolkit-vscode accept and use a custom CA? (Sorry for digging, but it seems the problem remains 2 years later...)

I have the exact same problem:

Do you know if it's configured to use a proxy? YES
Or a custom CA or root certificate? YES
Are you setting HTTP_PROXY or HTTPS_PROXY environment variables? YES

2022-01-11 15:33:41 [ERROR]: Error getting AccountId: [Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:467:12)
    at TLSSocket._finishInit (_tls_wrap.js:932:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)] {
  code: 'NetworkingError',
  region: 'eu-west-1',
  hostname: 'sts.eu-west-1.amazonaws.com',
  retryable: true,
  time: 2022-01-11T14:33:41.436Z
}

justinmk3 commented 1 year ago

> did you find any way to have aws-toolkit-vscode accept and use a custom CA ?
>
> 2022-01-11 15:33:41 [ERROR]: Error getting AccountId: [Error: unable to get local issuer certificate

@alxrdn That means vscode/nodejs/electron can't find the configured certificates on the system. On Windows, this vscode extension may help (not associated with AWS): https://marketplace.visualstudio.com/items?itemName=ukoloff.win-ca
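
To see which CA the error refers to, the following added example (not toolkit or VS Code code) reads the chain Node.js receives and names the issuer at its top, which is the certificate the trust store is missing and the one to install rather than switching verification off. `probe`, `summarizeChain`, `diagnose` and the sample certificate are hypothetical names and constructed data; it assumes a direct or transparently intercepted connection and does not route through `HTTP_PROXY`.

```javascript
const tls = require('tls');

// Verification codes that mean "an issuer in the chain is not in the local trust store".
const ISSUER_ERRORS = new Set([
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY', 'UNABLE_TO_GET_ISSUER_CERT',
  'SELF_SIGNED_CERT_IN_CHAIN', 'DEPTH_ZERO_SELF_SIGNED_CERT', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
]);

// Walk the object returned by socket.getPeerCertificate(true), leaf first.
function summarizeChain(peer) {
  const chain = [];
  const seen = new Set();
  for (let c = peer; c && c.subject && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256); // a self-signed root links back to itself
    chain.push({
      subject: c.subject.CN,
      issuer: c.issuer.CN,
      selfSigned: JSON.stringify(c.subject) === JSON.stringify(c.issuer),
    });
  }
  return chain;
}

// Combine Node's verdict with the chain: for issuer errors, the issuer of the
// topmost certificate received is the CA the local trust store lacks.
function diagnose(authorizationError, chain) {
  if (!authorizationError) return { trusted: true, error: null, missingCa: null };
  const error = String(authorizationError);
  const top = chain[chain.length - 1];
  return { trusted: false, error, missingCa: ISSUER_ERRORS.has(error) && top ? top.issuer : null };
}

function probe(host, port = 443) {
  return new Promise((resolve, reject) => {
    // rejectUnauthorized:false only lets the handshake finish so the chain can be
    // read; Node still records its verdict in authorizationError. No data is sent.
    const s = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      resolve(diagnose(s.authorizationError, summarizeChain(s.getPeerCertificate(true))));
      s.end();
    });
    s.on('error', reject);
  });
}

// Constructed sample: a leaf as re-signed by an intercepting proxy, issuer not sent.
const SAMPLE_PEER = { subject: { CN: 'sts.eu-west-1.amazonaws.com' },
  issuer: { CN: 'Example Corp Proxy CA (constructed)' }, fingerprint256: 'constructed' };

if (process.argv[2]) probe(process.argv[2]).then(console.log, console.error);
else console.log(diagnose('UNABLE_TO_GET_ISSUER_CERT_LOCALLY', summarizeChain(SAMPLE_PEER)));
```

Run it with a hostname as the first argument to probe a live endpoint; without one it prints the diagnosis for the constructed sample.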