Configure the AWS_CA_BUNDLE environment variable #34

Merged

Conversation

mcdonnnj (Contributor)

This environment variable is used by AWS tools (AWS CLI, Botocore, etc.) to specify a path to a certificate bundle for use for HTTPS certificate validation. We experienced the following error with the current release of this Action:

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
    conn.connect()
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connection.py", line 730, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/ssl.py", line 1319, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/httpsession.py", line 464, in send
    urllib_response = conn.urlopen(
                      ^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connectionpool.py", line 843, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/util/retry.py", line 449, in increment
    raise reraise(type(error), error, _stacktrace)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/util/util.py", line 39, in reraise
    raise value
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connectionpool.py", line 789, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/urllib3/connectionpool.py", line 490, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 554, in bucket_check
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 105, in deciding_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/client.py", line 1005, in _make_api_call
    http, parsed_response = self._make_request(
                            ^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/client.py", line 1029, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/endpoint.py", line 119, in make_request
    return self._send_request(request_dict, operation_model)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/endpoint.py", line 200, in _send_request
    while self._needs_retry(
          ^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/endpoint.py", line 360, in _needs_retry
    responses = self._event_emitter.emit(
                ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/hooks.py", line 412, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/hooks.py", line 256, in emit
    return self._emit(event_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/hooks.py", line 239, in _emit
    response = handler(**kwargs)
               ^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 207, in __call__
    if self._checker(**checker_kwargs):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 284, in __call__
    should_retry = self._should_retry(
                   ^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 320, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 363, in __call__
    checker_response = checker(
                       ^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 247, in __call__
    return self._check_caught_exception(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/retryhandler.py", line 416, in _check_caught_exception
    raise caught_exception
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/endpoint.py", line 279, in _do_get_response
    http_response = self._send(request)
                    ^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/endpoint.py", line 383, in _send
    return self.http_session.send(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.12.8/x64/lib/python3.12/site-packages/botocore/httpsession.py", line 491, in send
    raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://***.s3.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/runner/.ansible/tmp/ansible-tmp-1734113966.717507-9951-146204688662132/AnsiballZ_s3_object.py", line 107, in <module>
    _ansiballz_main()
  File "/home/runner/.ansible/tmp/ansible-tmp-1734113966.717507-9951-146204688662132/AnsiballZ_s3_object.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/runner/.ansible/tmp/ansible-tmp-1734113966.717507-9951-146204688662132/AnsiballZ_s3_object.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.amazon.aws.plugins.modules.s3_object', init_globals=dict(_module_fqn='ansible_collections.amazon.aws.plugins.modules.s3_object', _modlib_path=modlib_path),
  File "<frozen runpy>", line 226, in run_module
  File "<frozen runpy>", line 98, in _run_module_code
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1607, in <module>
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1580, in main
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 1447, in validate_bucket
  File "/tmp/ansible_amazon.aws.s3_object_payload_yyhw7smb/ansible_amazon.aws.s3_object_payload.zip/ansible_collections/amazon/aws/plugins/modules/s3_object.py", line 576, in bucket_check
S3ObjectFailure: Failed while looking up bucket '***' (during bucket_check).
", "module_stdout": "", "msg": "MODULE FAILURE
See stdout/stderr for the exact error

With this branch used, the same workflow completes with no issue.

This environment variable is used by AWS tools (AWS CLI, Botocore,
etc.) to specify a path to a certificate bundle for use for HTTPS
certificate validation.
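The error in the traceback above, `unable to get local issuer certificate` (OpenSSL verify error 20), is what a TLS client reports when the server's certificate was issued by a CA the client has no trust anchor for. That is exactly the situation an interposing proxy creates when it re-signs server certificates with its own CA, and it is why botocore keeps failing even after other tools have been pointed at the proxy CA: the `ssl` default context does not read `AWS_CA_BUNDLE`, botocore does, and then hands the path down to the socket layer. The script below is an added example, not code from actions-permissions or botocore. It emulates botocore's lookup by reading `AWS_CA_BUNDLE` from an environment mapping and passing it to `ssl.create_default_context`, against a local TLS server whose leaf certificate is signed by a throwaway CA. The CA, the leaf for `localhost`, and the server are all constructed in a temporary directory with the `openssl` CLI (the Python stdlib can verify certificates but cannot mint them); the CA name "Constructed Proxy CA" and the case labels are assumptions of this example.

```python
"""Reproduce CERTIFICATE_VERIFY_FAILED (verify error 20) against a server signed
by a private CA, then succeed once the CA is supplied via AWS_CA_BUNDLE.

Added example, not actions-permissions or botocore code. botocore is not
imported; handshake() emulates its lookup of AWS_CA_BUNDLE. All key material is
constructed in a temp directory with the openssl CLI.
"""
from __future__ import annotations

import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path
from typing import Mapping

SERVER_NAME = "localhost"  # name in the leaf's SAN and used for hostname checking

# Explicit openssl.cnf sections so the result is identical on OpenSSL 1.1.1 and 3.x.
CA_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Proxy CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""
LEAF_CNF = f"[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = {SERVER_NAME}\n"
LEAF_EXT = f"subjectAltName = DNS:{SERVER_NAME}\n"


def make_test_pki(workdir: Path) -> tuple[Path, Path, Path]:
    """Mint a self-signed CA and a CA-signed leaf. Returns (ca_pem, leaf_pem, leaf_key)."""
    ca_cnf, leaf_cnf, leaf_ext = workdir / "ca.cnf", workdir / "leaf.cnf", workdir / "leaf.ext"
    ca_cnf.write_text(CA_CNF)
    leaf_cnf.write_text(LEAF_CNF)
    leaf_ext.write_text(LEAF_EXT)
    ca_key, ca_pem = workdir / "ca.key", workdir / "ca.pem"
    leaf_key, leaf_csr, leaf_pem = workdir / "leaf.key", workdir / "leaf.csr", workdir / "leaf.pem"

    def openssl(*args: str) -> None:
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    openssl("req", "-x509", "-config", str(ca_cnf), "-newkey", "rsa:2048", "-nodes",
            "-days", "1", "-keyout", str(ca_key), "-out", str(ca_pem))
    openssl("req", "-new", "-config", str(leaf_cnf), "-newkey", "rsa:2048", "-nodes",
            "-keyout", str(leaf_key), "-out", str(leaf_csr))
    # The server presents only this leaf, so a client that does not trust ca.pem
    # cannot find the issuer locally: verify error 20, as in the traceback.
    openssl("x509", "-req", "-days", "1", "-in", str(leaf_csr), "-CA", str(ca_pem),
            "-CAkey", str(ca_key), "-CAcreateserial", "-extfile", str(leaf_ext),
            "-out", str(leaf_pem))
    return ca_pem, leaf_pem, leaf_key


def _serve_one_handshake(listener: socket.socket, leaf_pem: Path, leaf_key: Path) -> None:
    """Accept one connection and attempt a TLS handshake with the leaf certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(str(leaf_pem), str(leaf_key))
    conn, _ = listener.accept()
    conn.settimeout(5)
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # b"" once the client closes cleanly
    except (ssl.SSLError, OSError):
        pass  # a client that rejects our certificate aborts the handshake; expected


def handshake(port: int, env: Mapping[str, str]) -> str:
    """Connect the way an AWS SDK client does: trust AWS_CA_BUNDLE when the
    environment sets it, otherwise the default trust store."""
    cafile = env.get("AWS_CA_BUNDLE")  # botocore reads this; a bare ssl context does not
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                return f"ok: {tls.version()}"
    except ssl.SSLCertVerificationError as e:
        return f"verify failed ({e.verify_code}): {e.verify_message}"


def demo() -> dict[str, str]:
    """Run the handshake without and with AWS_CA_BUNDLE against the same leaf."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        ca_pem, leaf_pem, leaf_key = make_test_pki(Path(tmp))
        cases = {
            "without AWS_CA_BUNDLE": {},  # what the failing workflow saw
            "with AWS_CA_BUNDLE": {"AWS_CA_BUNDLE": str(ca_pem)},  # what this PR configures
        }
        for label, env in cases.items():
            listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            port = listener.getsockname()[1]
            server = threading.Thread(target=_serve_one_handshake,
                                      args=(listener, leaf_pem, leaf_key), daemon=True)
            server.start()
            results[label] = handshake(port, env)
            server.join(5)
            listener.close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Running it prints the two outcomes; the first reproduces the error 20 from the traceback, the second completes the handshake. One caveat when applying this to a real proxy: botocore uses the `AWS_CA_BUNDLE` file in place of its default bundle, not in addition to it, so a bundle containing only the proxy CA makes every non-proxied TLS endpoint untrusted for that process. The variable belongs to the lifetime of the proxy that signs with that CA.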
jsf9k left a comment

Thanks!

JarLob merged commit babd69b into GitHubSecurityLab:main Dec 19, 2024

JarLob (Contributor) commented Dec 19, 2024

Thank you!

mcdonnnj deleted the improvement/set_aws_ca_bundle branch December 19, 2024 20:54
jsf9k added a commit to cisagov/teamserver-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/assessor-workbench-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/nessus-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/freeipa-server-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/openvpn-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/kali-packer that referenced this pull request Dec 20, 2024
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.
jsf9k added a commit to cisagov/kali-packer that referenced this pull request Jan 17, 2025
With the merge of GitHubSecurityLab/actions-permissions#34, this proxy
no longer interferes with AWS API or boto3 calls.