This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask the community

AWS CLI SSL Certificate Errors on macOS

csword
New Contributor II

‎08-14-2023 04:47 PM

Has anyone had issues resolving AWS CLI certificate errors when the Netskope Client is enabled? Multiple developers in our org have followed the steps in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-whi... for AWS CLI V2 and have even tried the older configure_tools.sh file that configures Netskope certs for common tools including AWS CLI. We have not had success in getting this to work. 

Labels:
0 Likes
2 Replies 2
qyost
Contributor III

‎08-15-2023 02:28 PM

I'm not a fan of the automated approaches.   While they may catch several common tools, they don't do anything to educate the user on how to solve for uncommon tools.

 

We've published an internal document that explains the issue, and provides sample instructions for the common tools.

qyost_0-1692134856983.png

 



--
-Q.
0 Likes
csword
New Contributor II

a week ago

We had success after one of our developers did the following:

  1. Download ns_certbundle_aws_cli_v2.sh as referenced in https://docs.netskope.com/en/netskope-help/traffic-steering/netskope-client/addressing-ssl-error-whi...

    1. On line 39 of the script we needed to change: if [ "$custom" = true ] to if [ "$custom" = false ] 

  2. Verify the awscertbundlevalue path on line 22 matches your system’s configuration 

     

  3. Create a nskp_config folder in the .aws directory to hold the certificate bundle

    mkdir ~/.aws/nskp_config

  4. Move the downloaded script ‘ns_certbundle_aws_cli_v2.sh’ to the config folder.

    mv ~/Downloads/ns_certbundle_aws_cli_v2.sh ~/.aws/nskp_config

  5. Run the script:

    sh ~/.aws/nskp_config/ns_certbundle_aws_cli_v2.sh

  6. Assuming the rest of the configuration is already in place, run this command to set the cert bundle in the aws config. Change cert bundle paths on.

    aws configure set default.ca_bundle ~/.aws/nskp_config/netskope-cert-bundle.pem

  7. Add ca_bundle = /Users/<user_name>/.aws/nskp_config/netskope-cert-bundle.pem to all profiles in /Users/<user_name>/.aws/config file

 

Last, we found that in some cases a new ca_bundle line in the [default] section in ~/.aws/config was added after the script was run, but needed to be removed as it conflicted with the same ca_bundle line under [profile default]. Remove this section and keep your [profile default] ca_bundle entry.

0 Likes
Subscribe
Labels

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In