We are running SSL inspection on our network, which appears to be causing some issues with git-remote-codecommit.
It works fine when off the corporate network - when not subject to SSL inspection.
When I try to perform any git action I get an error similar to this:
`Traceback (most recent call last):
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 468, in _make_request
self._validate_conn(conn)
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 1097, in _validate_conn
conn.connect()
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 642, in connect
sock_and_verified = _ssl_wrap_socket_and_match_hostname(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 783, in _ssl_wrap_socket_and_match_hostname
ssl_sock = ssl_wrapsocket(
^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 471, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, serverhostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 515, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\ssl.py", line 455, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\ssl.py", line 1046, in _create
self.do_handshake()
File "C:\Program Files\Python312\Lib\ssl.py", line 1317, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 464, in send
urllib_response = conn.urlopen(
^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 845, in urlopen
retries = retries.increment(
^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\retry.py", line 445, in increment
raise reraise(type(error), error, _stacktrace)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\util.py", line 39, in reraise
raise value
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 791, in urlopen
response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 492, in _make_request
raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "", line 198, in _run_module_as_main
File "", line 88, in _run_code
File "C:\Program Files\Python312\Scripts\git-remote-codecommit.exe__main.py", line 7, in
File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit__init.py", line 177, in main
authenticated_url = git_url(context.repository, context.version, context.region, context.credentials)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit\init.py", line 207, in git_url
token = '%' + credentials.token if credentials.token else ''
^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 455, in token
self._refresh()
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 522, in _refresh
self._protected_refresh(is_mandatory=is_mandatory_refresh)
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 538, in _protected_refresh
metadata = self._refresh_using()
^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 685, in fetch_credentials
return self._get_cached_credentials()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 695, in _get_cached_credentials
response = self._get_credentials()
^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 2160, in _get_credentials
response = client.get_role_credentials(kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 553, in _api_call
return self._make_api_call(operation_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 989, in _make_api_call
http, parsed_response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 1015, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 119, in make_request
return self._send_request(request_dict, operation_model)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 202, in _send_request
while self._needs_retry(
^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 354, in _needs_retry
responses = self._event_emitter.emit(
^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 412, in emit
return self._emitter.emit(aliased_event_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 256, in emit
return self._emit(event_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 239, in _emit
response = handler(**kwargs)
^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 207, in call
if self._checker(**checker_kwargs):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 284, in call
should_retry = self._should_retry(
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 320, in _should_retry
return self._checker(attempt_number, response, caught_exception)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 363, in call__
checker_response = checker(
^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 247, in call__
return self._check_caught_exception(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 416, in _check_caught_exception
raise caught_exception
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 281, in _do_get_response
http_response = self._send(request)
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 377, in _send
return self.http_session.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 491, in send
raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://portal.sso.eu-west-2.amazonaws.com/federation/credentials?role_name=&account_id=[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)`
The certificates for our SSL inspection are installed in the Windows Certificate Store and I also have access to the certificate.
Any help would be appreciated. My preference would be to trust the certificates from our SSL inspection rather than bypass SSL certificate verification.
We are running SSL inspection on our network, which appears to be causing some issues with git-remote-codecommit.
It works fine when off the corporate network - when not subject to SSL inspection.
When I try to perform any git action I get an error similar to this:
`Traceback (most recent call last): File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 468, in _make_request self._validate_conn(conn) File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 1097, in _validate_conn conn.connect() File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 642, in connect sock_and_verified = _ssl_wrap_socket_and_match_hostname( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\connection.py", line 783, in _ssl_wrap_socket_and_match_hostname ssl_sock = ssl_wrapsocket( ^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 471, in ssl_wrap_socket ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, serverhostname) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\ssl.py", line 515, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock, server_hostname=server_hostname) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\ssl.py", line 455, in wrap_socket return self.sslsocket_class._create( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\ssl.py", line 1046, in _create self.do_handshake() File "C:\Program Files\Python312\Lib\ssl.py", line 1317, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 464, in send urllib_response = conn.urlopen( ^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 845, in urlopen retries = retries.increment( ^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\retry.py", line 445, in increment raise reraise(type(error), error, _stacktrace) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\util\util.py", line 39, in reraise raise value File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 791, in urlopen response = self._make_request( ^^^^^^^^^^^^^^^^^^^ File "C:\Program Files\Python312\Lib\site-packages\urllib3\connectionpool.py", line 492, in _make_request raise new_e urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "", line 198, in _run_module_as_main
File "", line 88, in _run_code
File "C:\Program Files\Python312\Scripts\git-remote-codecommit.exe__main.py", line 7, in
File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit__init.py", line 177, in main
authenticated_url = git_url(context.repository, context.version, context.region, context.credentials)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\git_remote_codecommit\init.py", line 207, in git_url
token = '%' + credentials.token if credentials.token else ''
^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 455, in token
self._refresh()
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 522, in _refresh
self._protected_refresh(is_mandatory=is_mandatory_refresh)
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 538, in _protected_refresh
metadata = self._refresh_using()
^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 685, in fetch_credentials
return self._get_cached_credentials()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 695, in _get_cached_credentials
response = self._get_credentials()
^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\credentials.py", line 2160, in _get_credentials
response = client.get_role_credentials(kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 553, in _api_call
return self._make_api_call(operation_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 989, in _make_api_call
http, parsed_response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\client.py", line 1015, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 119, in make_request
return self._send_request(request_dict, operation_model)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 202, in _send_request
while self._needs_retry(
^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 354, in _needs_retry
responses = self._event_emitter.emit(
^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 412, in emit
return self._emitter.emit(aliased_event_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 256, in emit
return self._emit(event_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\hooks.py", line 239, in _emit
response = handler(**kwargs)
^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 207, in call
if self._checker(**checker_kwargs):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 284, in call
should_retry = self._should_retry(
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 320, in _should_retry
return self._checker(attempt_number, response, caught_exception)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 363, in call__
checker_response = checker(
^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 247, in call__
return self._check_caught_exception(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\retryhandler.py", line 416, in _check_caught_exception
raise caught_exception
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 281, in _do_get_response
http_response = self._send(request)
^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\endpoint.py", line 377, in _send
return self.http_session.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\botocore\httpsession.py", line 491, in send
raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://portal.sso.eu-west-2.amazonaws.com/federation/credentials?role_name=&account_id=[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)`
The certificates for our SSL inspection are installed in the Windows Certificate Store and I also have access to the certificate.
Any help would be appreciated. My preference would be to trust the certificates from our SSL inspection rather than bypass SSL certificate verification.