Netskope Global Technical Success (GTS)

Using AWS CLI with Netskope: Handling SSL Certificate Errors in Ubuntu 22/24 with AWS CLI V2
 

Netskope Cloud Version - 126


 

Objective

Provide the necessary steps to resolve the SSL error when using AWS CLI V2 on Ubuntu 22 and 24 with the Netskope client enabled.

 

Prerequisite

Use AWS CLI V2 through terminal on Ubuntu 22 and 24. NGSWG must be enabled as part of the licensing. Netskope Client should be enabled.

 

Context

SSL certificate errors occur when running AWS CLI commands with the Netskope agent active.

Configuration

With the Netskope client enabled, certain AWS CLI commands fail with certificate errors.

If the agent is disabled, the errors disappear and the tool works correctly. The process is based on the following Netskope documentation:
https://docs.netskope.com/en/addressing-ssl-error-while-accessing-aws-services-via-the-aws-cli-with-the-netskope-client-enabled/

However, Linux systems such as Ubuntu are not currently supported or documented. This guide outlines the steps to follow based on lab tests and manual modifications made to the script in order to make it functional on Ubuntu systems. As a result, the script used here cannot be downloaded from our official website.

 

The first step is to download the script that generates the required .PEM file to load the certificate into AWS CLI. To do this, please use the script file attached to this document. Place the script in any directory within the Ubuntu system. For example, you can use the Desktop.

 

It is essential to modify the following line in the script to specify the exact version of AWS CLI installed; otherwise, the script will not work. To check the current AWS CLI version, run the command:

 

aws --version

 

Once the version is known, open the script and update the version in the corresponding line to ensure the variable correctly locates the path.


 


 

Important: AWS CLI V2 can be installed either globally for all users or for the current user only, and the installation path differs depending on the option selected. For a global installation, the script assumes the default installation path: /usr/local/aws-cli

 

The next step is to create the folder that will contain the bundle certificate. Use the following command:

mkdir ~/.aws/nskp_config


 

The next step is to move the script from its current location to the newly created folder.

In this example, the script is located on the Desktop; adjust the source path in the command to match where you saved it. Move it using the following command:

 

mv /home/juan/Desktop/ns_certbundle_aws_cli_v2_ubuntu.sh ~/.aws/nskp_config

 


 

Then, make sure to grant execution permissions to the script.

 

Finally, run the script to generate the .PEM file.

 

Once the file is in place, run the following command to load the certificate and ensure AWS CLI functions correctly:

 

aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem

 


 

Next, tests should be performed with the Netskope agent enabled to confirm that certificate errors no longer occur.
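
Because the generated bundle becomes the trust anchor for every AWS CLI call, the check below confirms that the file from the steps above exists, is structurally intact PEM, is not writable by group or others, and is the file the default profile's ca_bundle setting points to. It is an added example, not part of the Netskope script or documentation; the function name audit_ca_bundle and its return codes are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the CA bundle that AWS CLI is configured to trust.
# Return codes (convention chosen for this example):
#   0 ok | 1 bundle missing | 2 malformed PEM | 3 unsafe mode | 4 config mismatch

audit_ca_bundle() {
  local bundle="$1" config="$2" begins ends perms configured

  # 1. The bundle must exist and be non-empty.
  [ -s "$bundle" ] || { echo "FAIL: $bundle is missing or empty"; return 1; }

  # 2. At least one certificate, and every BEGIN marker has a matching END.
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "FAIL: $begins BEGIN vs $ends END certificate markers"; return 2
  fi

  # 3. A trust-anchor file must not be writable by group or others.
  perms=$(ls -ld "$bundle" | cut -c1-10)
  case "$perms" in
    ?????w*|????????w*) echo "FAIL: $bundle is group/other-writable ($perms)"; return 3 ;;
  esac

  # 4. The [default] profile must reference exactly this file.
  configured=$(awk -F' *= *' '
    /^\[/ { in_default = ($0 == "[default]") }
    in_default && $1 == "ca_bundle" { print $2 }' "$config" 2>/dev/null || true)
  if [ "$configured" != "$bundle" ]; then
    echo "FAIL: ca_bundle is '${configured:-unset}', expected $bundle"; return 4
  fi

  # The AWS_CA_BUNDLE environment variable overrides the config file value.
  [ -z "${AWS_CA_BUNDLE:-}" ] || echo "NOTE: AWS_CA_BUNDLE=$AWS_CA_BUNDLE takes precedence"
  echo "OK: $begins certificate(s) in $bundle, referenced by [default]"
}

# When called with two arguments (bundle path, AWS config path), audit them.
if [ "$#" -eq 2 ]; then
  audit_ca_bundle "$1" "$2"
fi
```

This is a structural and permissions check only; it does not decode the certificates or validate who issued them.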

 


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
  • Ubuntu is not officially supported or tested internally at Netskope. The steps described above are based on trials conducted in controlled lab environments. The script was manually modified and adjusted to work specifically on Linux Ubuntu systems, particularly versions 22 and 24. It is strongly recommended to run this script on test devices to confirm its functionality. In case of issues, since Ubuntu is not officially supported by our platform, our support team may not be able to assist.
  • It is also important to note that during lab testing, an upgrade of AWS CLI V2 did not impact the certificate procedure. The script was successfully tested after upgrading AWS CLI V2 from version 2.27.19 to 2.27.22, and AWS CLI worked as expected with the Netskope client installed.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
