AWS CLI SSL Certificate Errors on macOS

  • 15 August 2023
  • 3 replies
  • 60 views

Badge +5

Has anyone had issues resolving AWS CLI certificate errors when the Netskope Client is enabled? Multiple developers in our org have followed the steps in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/ for AWS CLI V2 and have even tried the older configure_tools.sh file that configures Netskope certs for common tools including AWS CLI. We have not had success in getting this to work. 


3 replies

Userlevel 5
Badge +16

I'm not a fan of the automated approaches.   While they may catch several common tools, they don't do anything to educate the user on how to solve for uncommon tools.

 

We've published an internal document that explains the issue, and provides sample instructions for the common tools.

 



Badge +5

We had success after one of our developers did the following:

  1. Download ns_certbundle_aws_cli_v2.sh as referenced in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/

    1. On line 39 of the script we needed to change: if [ "$custom" = true ] to if [ "$custom" = false ] 
  2. Verify the awscertbundlevalue path on line 22 matches your system’s configuration 

     
  3. Create a nskp_config folder in the .aws directory to hold the certificate bundle

    mkdir ~/.aws/nskp_config
  4. Move the downloaded script ‘ns_certbundle_aws_cli_v2.sh’ to the config folder.

    mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config
  5. Run the script:

    sh ~/.aws/nskp_config/ns_certbundle_aws_cli_v2.sh
  6. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on.

    aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
  7. Add ca_bundle = /Users/<user_name>/.aws/nskp_config/netskope-cert-bundle.pem to all profiles in /Users/<user_name>/.aws/config file

 

Last, we found that in some cases a new ca_bundle line in the [default] section in ~/.aws/config was added after the script was run, but needed to be removed as it conflicted with the same ca_bundle line under [profile default]. Remove this section and keep your [profile default] ca_bundle entry.

I'm unable to get to the KB article at this link: https://support.netskope.com/s/article/Addressing-SSL-error-while-accessing-AWS-services-via-the-AWS-CLI-with-the-Netskope-Client-encryption-enabled. Do I need a special Support Portal login? My community login isn't working there.

Reply