This repository has been archived by the owner on Nov 20, 2018. It is now read-only.

Cannot issue requests #93

Closed
petemounce opened this issue Aug 7, 2014 · 6 comments

@petemounce
Contributor

I'm using Windows 8.1, ruby 2.0.0-p451 x86, rubygems 2.3.0, and aws-sdk-core.rc14 (I think the last working version I've used was .rc8, but there are breaking changes between then and 14, so I haven't gone back and tried that to confirm).

I have code like

        require 'aws-sdk-core'

        # opts[:region] and opts[:team] come from the script's own option parsing (not shown)
        Aws.config[:region] = opts[:region]
        # credentials for the named profile in ~/.aws/credentials
        personal = Aws::SharedCredentials.new(profile_name: opts[:team], path: "#{Dir.home}/.aws/credentials")
        iam = Aws::IAM::Client.new(credentials: personal)
        # the call that raises the SSL error in the stack trace below
        lr = iam.list_roles(path_prefix: '/feature_roles/')

My credentials are valid and allow me permission to list roles.

Instead, I get the stack trace (further below).

Googling turned up https://forums.aws.amazon.com/thread.jspa?threadID=85553 - is there a similar option I should be setting in v2? I have never needed to before (apparently an option was added in 1.3.3), and need a bit of help to get past this.

I also found this suggestion for a related monkey patch but haven't tried it.

C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Seahorse::Client::Http::Error)
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/timeout.rb:66:in `timeout'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:857:in `start'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:279:in `start_session'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/connection_pool.rb:102:in `session_for'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:56:in `transmit'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/net_http/handler.rb:27:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/content_length.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/xml/error_handler.rb:8:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/request_signer.rb:79:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:88:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:119:in `retry_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:102:in `retry_if_possible'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/retry_errors.rb:90:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/query/handler.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/response_paging.rb:11:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/aws/plugins/user_agent.rb:12:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/restful_bindings.rb:13:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/endpoint.rb:35:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_validation.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/param_conversion.rb:22:in `call'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/request.rb:70:in `send_request'
        from C:/Ruby/ruby-2.0.0-p481/lib/ruby/gems/2.0.0/gems/aws-sdk-core-2.0.0.rc14/lib/seahorse/client/plugins/operation_methods.rb:43:in `block (2 levels) in add_operation_helpers'
        from C:/src/je/toolbox/lib/toolbox/aws_config_via_sts.rb:10:in `configure_aws'
@petemounce
Contributor Author

I have another script taking a dependency on rc10, and that works.

@trevorrowe
Contributor

Prior to rc11, the SDK shipped with an SSL CA bundle. This was used when making HTTPS requests to verify the peer SSL certificates.

The SDK now relies on the OpenSSL installation on the system to have the correct cert configured. My guess is your Windows Ruby installation does not have a cert available.

There are two ways to resolve this issue:

  1. disable peer certificate verification.
  2. configure a valid CA bundle

Disabling the peer verification will work, but I strongly recommend against this for security reasons. The SDK feature for disabling this check is primarily for internal testing.

# I strongly recommend never doing this
Aws.config[:ssl_verify_peer] = false

The better solution requires correctly configuring an SSL CA bundle for your system. Most of the time, this happens when you install Ruby. I imagine the Ruby installer is possibly not doing this correctly, or at all. The default behavior for Net::HTTP is to not verify certificates. :(

The following should work:

Aws.config[:ssl_ca_bundle] = '/path/to/ca-bundle.crt'

I found instructions on StackOverflow for how to configure the path to a CA bundle via ENV on windows: http://stackoverflow.com/questions/5720484/how-to-solve-certificate-verify-failed-on-windows#answer-16134586

I'm guessing this would eliminate the need to configure the SDK, and should make it available to OpenSSL by default.

@trevorrowe
Contributor

I should also add that we stopped including a CA bundle for security reasons. Downstream consumers, like Linux distro maintainers, that create packages from the SDK prefer for the system cert to be used. Hopefully environments without a default configured cert are uncommon. If this is a common problem, we may need to revisit this to ensure a good default experience.

@petemounce
Contributor Author

@trevorrowe thanks for the detailed response. I went with option 2 - download the bundle, stick it somewhere useful, define an environment variable, and configure the SDK to use the path stored in the env-var.

@pinbot

pinbot commented Dec 10, 2014

It's only a 'non issue' once one finds this discussion and how to fix it. So maybe at least some kind of check that produced a more helpful error message would significantly improve the 'default experience'
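The following is an added example, not code from this issue, from the aws-sdk-core project or from any of the commenters. It shows offline what is going on in the thread: with OpenSSL peer verification on, a leaf certificate is only accepted if the store holds a CA that signed it, so an empty store (a Ruby install with no CA bundle, as above) yields "certificate verify failed"; the same leaf passes once a bundle file containing the CA is loaded. It then resolves a bundle path from an environment variable, as petemounce ended up doing, and turns it into the `ssl_ca_bundle` / `ssl_verify_peer` entries trevorrowe named, failing with the kind of actionable message pinbot asked for when no bundle is present instead of silently falling back to `ssl_verify_peer: false`. The test CA, the leaf certificate, the variable name `AWS_CA_BUNDLE` and the `MissingCaBundle` error are all constructed for the example; only `SSL_CERT_FILE` is OpenSSL's own.

```ruby
require 'openssl'
require 'tempfile'

# Build a throwaway certificate. With ca: true and no issuer it is self-signed
# and marked as a CA; otherwise it is a leaf signed by issuer_key.
# (Constructed test material for this example; not a real AWS certificate.)
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment',
                                         true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# What VERIFY_PEER amounts to: the peer's certificate must chain to a CA in the
# store. ca_bundle_path nil models a Ruby/OpenSSL install with no bundle at all.
# Returns [verified?, openssl error string or nil].
def verify_against(cert, ca_bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_bundle_path) if ca_bundle_path
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

class MissingCaBundle < StandardError; end

# Resolve the bundle path from the environment (AWS_CA_BUNDLE is this example's
# own variable; SSL_CERT_FILE is the one OpenSSL itself honours) and return the
# Aws.config entries to set. Fails loudly rather than disabling verification.
def sdk_ssl_options(env = ENV)
  path = env['AWS_CA_BUNDLE'] || env['SSL_CERT_FILE']
  if path.nil? || !File.file?(path)
    raise MissingCaBundle,
          "No CA bundle found (AWS_CA_BUNDLE/SSL_CERT_FILE=#{path.inspect}). " \
          'Download a ca-bundle.crt, set one of those variables to its path, ' \
          'and do NOT work around this with ssl_verify_peer: false.'
  end
  { ssl_verify_peer: true, ssl_ca_bundle: path }
end

# Run the whole scenario: a leaf signed by a test CA is rejected with an empty
# store and accepted once the CA is in a bundle file; then build the SDK options.
def demo
  ca_cert, ca_key = make_cert('/CN=Example Test Root CA', ca: true)
  leaf, _leaf_key = make_cert('/CN=iam.example.test', issuer_cert: ca_cert, issuer_key: ca_key)

  bundle = Tempfile.new(['ca-bundle', '.crt'])
  bundle.write(ca_cert.to_pem)
  bundle.flush

  {
    without_bundle: verify_against(leaf, nil),          # [false, "unable to get local issuer certificate"]
    with_bundle:    verify_against(leaf, bundle.path),  # [true, nil]
    sdk_options:    sdk_ssl_options('AWS_CA_BUNDLE' => bundle.path)
  }
ensure
  bundle.close! if bundle
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
  begin
    sdk_ssl_options({})
  rescue MissingCaBundle => e
    puts "no bundle configured: #{e.message}"
  end
end
```

`sdk_ssl_options` is meant to be merged into `Aws.config` (or passed to `Aws::IAM::Client.new`) at startup, so a missing bundle fails at configuration time with a message that names the variable to set, rather than several retries deep inside a request as in the trace above.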
