Netskope Global Technical Success (GTS)
Using AWS CLI with Netskope: Handling SSL Certificate Errors in MacOS 15.5 with AWS CLI V2
Netskope Cloud Version - 126
Objective
Provide the necessary steps to resolve the SSL error when using AWS CLI V2 on MacOS 15.5 with the Netskope client enabled.
Prerequisite
Use AWS CLI V2 through terminal on MacOS 15.5. NGSWG must be enabled as part of the licensing. Netskope Client should be enabled.
Context
SSL certificate errors occur when running AWS CLI commands with the Netskope agent active.
Configuration
With the Netskope client enabled, certificate errors occur when running certain AWS CLI commands.
If the agent is disabled, the errors disappear and the tool works correctly. The process is based on the following Netskope documentation:
https://docs.netskope.com/en/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/
Important: AWS CLI V2 can be installed either globally for all users or for the current user only, and the installation path differs depending on the option selected. For a global installation, the script assumes the default installation path, which is: /usr/local/aws-cli
The next step is to create the folder that will contain the certificate bundle. Use the following command:
mkdir ~/.aws/nskp_config
The next step is to move the script from its current location to the newly created folder.
In this example, the script is located in the Downloads folder (adjust the path in the command if yours differs). Move it using the following command:
mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config
Then, please make sure to grant execution permissions to the script using the following command:
Finally, you need to run the script to generate the .PEM file:
Once the file is in place, run the following command to load the certificate and ensure AWS CLI functions correctly:
aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem
Next, tests should be performed with the Netskope agent enabled to confirm that certificate errors no longer occur.
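The checks below can be run before those tests. They are an added example, not Netskope's script and not part of the official procedure: they confirm that the generated bundle holds complete PEM certificates, that neither the file nor its folder is writable by group or others, and that the AWS CLI resolves to this bundle. The `BUNDLE` override, the function names, the `--check` argument and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Netskope's script): offline checks for the CA bundle set up above.
BUNDLE="${BUNDLE:-$HOME/.aws/nskp_config/netskope-cert-bundle.pem}"

# Print the number of certificates in a PEM file; fail if it is unreadable,
# empty, or its BEGIN/END markers do not pair up (truncated bundle).
pem_cert_count() {
    [ -r "$1" ] || return 1
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ] || return 1
    echo "$begin"
}

# Succeed only if neither the file nor its directory is group- or world-writable:
# anyone who can edit the bundle can add a trust anchor for the AWS CLI.
perms_safe() {
    for p in "$1" "$(dirname "$1")"; do
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    done
}

# Print the bundle path the CLI will actually use: the AWS_CA_BUNDLE environment
# variable takes precedence over the ca_bundle value written by `aws configure set`.
effective_bundle() {
    if [ -n "${AWS_CA_BUNDLE:-}" ]; then
        echo "$AWS_CA_BUNDLE"
    else
        aws configure get default.ca_bundle 2>/dev/null || true
    fi
}

verify_setup() {
    rc=0
    n=$(pem_cert_count "$BUNDLE") && echo "ok: $n certificate(s) in $BUNDLE" \
        || { echo "FAIL: $BUNDLE missing, empty or truncated"; rc=1; }
    perms_safe "$BUNDLE" && echo "ok: bundle not writable by group/others" \
        || { echo "FAIL: bundle or its folder is group/world-writable"; rc=1; }
    eff=$(effective_bundle)
    [ "$eff" = "$BUNDLE" ] && echo "ok: AWS CLI uses $eff" \
        || { echo "FAIL: AWS CLI uses '${eff:-system default}', expected $BUNDLE"; rc=1; }
    return $rc
}

# Run the checks only when invoked as: sh check_bundle.sh --check (hypothetical file name)
case "${1:-}" in --check) verify_setup ;; esac
```

The setting written above applies to the default profile only, so a named profile needs its own `ca_bundle` entry for the same result.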
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
- It is very important to review the official document: https://docs.netskope.com/en/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/ to check for any changes in the scripts and to consider other important points of the overall procedure.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.