
SSL issue when setting AWS_CA_BUNDLE environment variable for AWS CLI commands #1340

Open
BorisBureau opened this issue Aug 29, 2024 · 1 comment

@BorisBureau
Hello,

We were facing an error when trying to use AWS CLI commands on AWS accounts that are in the China region:

SSL validation failed for https://ssm.cn-north-1.amazon.com.cn/ [SSL:CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1002)

So, we configured the AWS_CA_BUNDLE environment variable (on Windows) with the path of the proxy certificate responsible for SSL interception in our company. That solved the problem, but created another one: now, when we try to connect through saml2aws to AWS accounts that are not in the China region, we get the error below:

Error logging into AWS role using SAML assertion.: Error retrieving STS credentials using SAML.: RequestError: send request failed
caused by: Post "https://sts.amazonaws.com/":x509: certificate signed by unknown authority

Is there a solution to that problem please?

Thank you in advance.

@g-nogueira

I'm currently facing the same issue after I replaced my laptop. On the old laptop it works, but on the new one it raises this same issue. This is what I've tried without luck:

  • Reinstall saml2aws and reconfigure
  • Install the certificate available by navigating to sns.amazonaws.com
  • Compare the output of openssl s_client -showcerts -connect sts.amazonaws.com:443 in both computers. The cert chain is exactly the same, so cert shouldn't be the issue
  • Completely disable the firewall and try saml2aws login

I'm a dev, but I don't have good knowledge of certs to know what's going on. If I can help in any way with logs or something else, I would be happy to.
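A common cause of the pattern reported in this thread (the intercepted China endpoint verifies once AWS_CA_BUNDLE points at the proxy CA, while sts.amazonaws.com then fails with "certificate signed by unknown authority") is that AWS_CA_BUNDLE replaces the default trust store instead of extending it, so a bundle holding only the proxy CA can no longer verify endpoints the proxy does not intercept. The added example below, which is not code from saml2aws, the AWS CLI or either commenter, builds a combined bundle (default roots plus the proxy CA, deduplicated by DER fingerprint) that AWS_CA_BUNDLE can point at; the default-roots path (for example certifi's cacert.pem on a Python install) and the `fake_pem` placeholder blocks are assumptions, and the placeholders are valid base64 but not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def parse_pem_certs(text: str) -> list[str]:
    """Return every PEM certificate block in text, re-wrapped at 64 columns."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())  # drop line breaks inside the block
        base64.b64decode(b64, validate=True)  # reject malformed bodies early
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs

def der_fingerprint(pem_block: str) -> str:
    """SHA-256 of the DER bytes, so a cert is identified however it is wrapped."""
    body = "".join(PEM_RE.findall(pem_block)[0].split())
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def merge_ca_bundles(*bundles: str) -> str:
    """Concatenate bundles in order, dropping duplicate certificates.
    AWS_CA_BUNDLE replaces the default trust store, so the default roots
    must be carried along explicitly rather than assumed."""
    seen, merged = set(), []
    for text in bundles:
        for cert in parse_pem_certs(text):
            fp = der_fingerprint(cert)
            if fp not in seen:
                seen.add(fp)
                merged.append(cert)
    return "".join(merged)

def write_combined_bundle(out_path, default_roots_path, proxy_ca_path) -> int:
    """Write default roots + proxy CA to out_path; point AWS_CA_BUNDLE at it."""
    with open(default_roots_path) as f1, open(proxy_ca_path) as f2:
        merged = merge_ca_bundles(f1.read(), f2.read())
    with open(out_path, "w") as out:
        out.write(merged)
    return len(parse_pem_certs(merged))

def fake_pem(label: bytes) -> str:
    """Constructed placeholder block: valid base64, NOT a real certificate."""
    b64 = base64.b64encode(label * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Set AWS_CA_BUNDLE to the written file for both the AWS CLI and saml2aws, and regenerate it whenever the default roots or the proxy CA are updated.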
