Has anyone had issues resolving AWS CLI certificate errors when the Netskope Client is enabled? Multiple developers in our org have followed the steps in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/ for AWS CLI V2 and have even tried the older configure_tools.sh file that configures Netskope certs for common tools including AWS CLI. We have not had success in getting this to work.
I'm not a fan of the automated approaches. While they may catch several common tools, they don't do anything to educate the user on how to solve for uncommon tools.
We've published an internal document that explains the issue, and provides sample instructions for the common tools.
We had success after one of our developers did the following:
Download ns_certbundle_aws_cli_v2.sh as referenced in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/
- On line 39 of the script we needed to change: if [ "$custom" = true ] to if [ "$custom" = false ]
Verify the awscertbundlevalue path on line 22 matches your system’s configuration
Create a nskp_config folder in the .aws directory to hold the certificate bundle
mkdir ~/.aws/nskp_config
Move the downloaded script ‘ns_certbundle_aws_cli_v2.sh’ to the config folder.
mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config
Run the script:
sh ~/.aws/nskp_config/ns_certbundle_aws_cli_v2.sh
Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on.
aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
Add ca_bundle = /Users/<user_name>/.aws/nskp_config/netskope-cert-bundle.pem to all profiles in /Users/<user_name>/.aws/config file
Last, we found that in some cases a new ca_bundle line in the [default] section in ~/.aws/config was added after the script was run, but needed to be removed as it conflicted with the same ca_bundle line under [profile default]. Remove this section and keep your [profile default] ca_bundle entry.
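A read-only check for the state described in the post above (an added example, not part of the thread or of Netskope's script): it reports a ca_bundle set under both [default] and [profile default], profiles with no ca_bundle, and bundle paths that do not exist. The function names and the sample config are constructed for illustration.

```python
import configparser
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def is_profile(section):
    # Limit the audit to profile sections; skip e.g. [sso-session ...].
    return section == "default" or section.startswith("profile ")

def audit_aws_config(text, exists=os.path.isfile):
    """Return findings about ca_bundle entries in AWS CLI config text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    bundles = {s: cp.get(s, "ca_bundle", fallback=None)
               for s in cp.sections() if is_profile(s)}
    findings = []
    # Case from the post: ca_bundle under both [default] and [profile default].
    if bundles.get("default") and bundles.get("profile default"):
        findings.append("conflict: ca_bundle in [default] and [profile default]")
    for section, path in bundles.items():
        if path is None:
            findings.append(f"missing: [{section}] has no ca_bundle")
        elif not exists(path):  # path checked exactly as written in the file
            findings.append(f"not found: [{section}] -> {path}")
    return findings

def count_pem_certs(pem_text):
    """Number of certificate blocks in a bundle; 0 means an empty bundle."""
    return len(PEM_BLOCK.findall(pem_text))

# Constructed sample config (not from a real machine).
SAMPLE_CONFIG = """\
[default]
ca_bundle = /Users/dev/.aws/nskp_config/netskope-cert-bundle.pem

[profile default]
region = us-east-1
ca_bundle = /Users/dev/.aws/nskp_config/netskope-cert-bundle.pem

[profile staging]
region = us-west-2
"""

if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/config")
    text = open(path).read() if os.path.isfile(path) else SAMPLE_CONFIG
    for finding in audit_aws_config(text):
        print(finding)
```

Run it before and after the script to see whether a second ca_bundle line appeared.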
I'm unable to get to the KB article at this link: https://support.netskope.com/s/article/Addressing-SSL-error-while-accessing-AWS-services-via-the-AWS-CLI-with-the-Netskope-Client-encryption-enabled. Do I need a special Support Portal login? My community login isn't working there.