aws / git-remote-codecommit

An implementation of Git Remote Helper that makes it easier to interact with AWS CodeCommit
Apache License 2.0

SSL Inspection - Error #48

Open benthompsoncpi opened 7 months ago

benthompsoncpi commented 7 months ago

We are running SSL inspections on our network, which appears to be causing some issues with git-remote-codecommit.

It works fine when off the corporate network - when not subject to SSL inspection.

When I try to perform any git action I get an error similar to this:

```
Traceback (most recent call last):
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 468, in _make_request
    self._validate_conn(conn)
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 1097, in _validate_conn
    conn.connect()
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 642, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 783, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrapsocket(
               ^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 471, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, serverhostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 515, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\ssl.py", line 1046, in _create
    self.do_handshake()
  File "C:\Program Files\Python312\Lib\ssl.py", line 1317, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 464, in send
    urllib_response = conn.urlopen(
                      ^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 845, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\retry.py", line 445, in increment
    raise reraise(type(error), error, _stacktrace)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\util.py", line 39, in reraise
    raise value
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 791, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 492, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "C:\Program Files\Python312\Scripts\git-remote-codecommit.exe__main.py", line 7, in
  File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit__init.py", line 177, in main
    authenticated_url = git_url(context.repository, context.version, context.region, context.credentials)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit\init.py", line 207, in git_url
    token = '%' + credentials.token if credentials.token else ''
                  ^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 455, in token
    self._refresh()
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 522, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 538, in _protected_refresh
    metadata = self._refresh_using()
               ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 685, in fetch_credentials
    return self._get_cached_credentials()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 695, in _get_cached_credentials
    response = self._get_credentials()
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 2160, in _get_credentials
    response = client.get_role_credentials(kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 553, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 989, in _make_api_call
    http, parsed_response = self._make_request(
                            ^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 1015, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 119, in make_request
    return self._send_request(request_dict, operation_model)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 202, in _send_request
    while self._needs_retry(
          ^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 354, in _needs_retry
    responses = self._event_emitter.emit(
                ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 412, in emit
    return self._emitter.emit(aliased_event_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 256, in emit
    return self._emit(event_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 239, in _emit
    response = handler(**kwargs)
               ^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 207, in call
    if self._checker(**checker_kwargs):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 284, in call
    should_retry = self._should_retry(
                   ^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 320, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 363, in call__
    checker_response = checker(
                       ^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 247, in call__
    return self._check_caught_exception(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 416, in _check_caught_exception
    raise caught_exception
  File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 281, in _do_get_response
    http_response = self._send(request)
                    ^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 377, in _send
    return self.http_session.send(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 491, in send
    raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://portal.sso.eu-west-2.amazonaws.com/federation/credentials?role_name=&account_id=[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
```

The certificates for our SSL inspection are installed in the Windows Certificate Store and I also have access to the certificate.

Any help would be appreciated. My preference would be to trust the certificates from our SSL inspection, rather than bypass SSL certificate verification.
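
Added example (not part of the original post and not code from git-remote-codecommit): the traceback fails inside botocore, so one way to trust the inspection CA without disabling verification is to export the CAs that Windows already trusts into a PEM bundle for botocore. The output file name `corp-ca-bundle.pem` and the function names are assumptions made for this sketch.

```python
import base64
import re
import ssl
import sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # EKU OID for TLS server authentication


def windows_trusted_cas():
    """DER certs from the Windows ROOT and CA stores that are trusted for server auth."""
    if sys.platform != "win32":
        return []  # ssl.enum_certificates() only exists on Windows
    found = []
    for store in ("ROOT", "CA"):
        for der, encoding, trust in ssl.enum_certificates(store):
            if encoding == "x509_asn" and (trust is True or SERVER_AUTH in trust):
                found.append(der)
    return found


def build_bundle(base_pem, der_certs):
    """Return base_pem plus each DER cert as PEM, skipping certs already present."""
    seen = {base64.b64decode("".join(b.split())) for b in PEM_RE.findall(base_pem)}
    parts = [base_pem.strip()] if base_pem.strip() else []
    for der in der_certs:
        if der not in seen:
            seen.add(der)
            parts.append(ssl.DER_cert_to_PEM_cert(der).strip())
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    try:
        import certifi  # public roots, so the bundle also works off the corporate network
        base = Path(certifi.where()).read_text(encoding="utf-8")
    except ImportError:
        base = ""
    out = Path.home() / ".aws" / "corp-ca-bundle.pem"  # hypothetical file name
    out.parent.mkdir(exist_ok=True)
    out.write_text(build_bundle(base, windows_trusted_cas()), encoding="utf-8")
    print(f"wrote {out}; point AWS_CA_BUNDLE at this file")
```

Point botocore at the file with the `AWS_CA_BUNDLE` environment variable or the `ca_bundle` setting in the AWS config profile; certificate verification stays enabled.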