Closed mruncles closed 3 weeks ago
Thanks for the feature request. Upon discussing with the team, the recommendation here is to install certifi
to get access to newer certs. That should be used by default if it is installed. Further investigation by the team is required involving changes to cacert.pem
, but this feature request is not planned.
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.
Describe the feature
Can we add new GlobalSign Root R6 certificate (https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates) to cacert.pem file as it is used by default in aws-cli shipped by amazon? Yes we can override this behavior by env variables, but it's an extra step that can be avoided for publicly acknowleged root certificate.
Use Case
Some custom third-party s3 providers already use new GlobalSign certificates, but we have some inconsistencies with aws-cli v1 and v2, as v1 uses updated certifi with updated certificate list, but v2 still depends on outdated cacert.pem.
Proposed Solution
add GlobalSign Root R6 certificate to cacert.pem
Other Information
No response
Acknowledgements
SDK version used
ALL
Environment details (OS name and version, etc.)
aws-cli/2.15.59 Python/3.11.8 Linux/6.8.0-31-generic exe/x86_64.ubuntu.24