Fixing certificate validation errors from AWS CLI when using the cg-egress-proxy
If you use the cg-egress-proxy to restrict your application's egress traffic, AWS CLI commands against brokered AWS services may fail with certificate validation errors.
The cause is that the AWS CLI ships with its own CA bundle and uses it instead of the operating system's trust store. The CA certificates that Cloud.gov adds to the system store are therefore not trusted by the CLI, TLS validation of the proxied connection fails, and the commands error out.
To make the AWS CLI use the system CA certificate store instead of its bundled one, set this environment variable:
AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
You can set environment variables for your application in its manifest, with the cf set-env CLI command (followed by cf restage so the change takes effect), or in the application's .profile file. For applications that run a custom Docker image, you can also set the variable with an ENV instruction in the image's Dockerfile. The path above is the Ubuntu/Debian location used by Cloud.gov's cflinuxfs stacks; if your image is built on another distribution, check where its system bundle lives before pointing the CLI at it.
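As an added example (not from the Cloud.gov page or the cg-egress-proxy project), here is a .profile fragment that exports AWS_CA_BUNDLE only after confirming a usable system bundle exists, so a wrong path in a custom image shows up as a warning in the app logs instead of as a confusing TLS failure later. The RHEL-family path is included as an assumption for images built on those distributions; the function name find_system_ca_bundle and the candidate list are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: a .profile fragment that
# points the AWS CLI at the system CA store after checking it is really there.
# Cloud Foundry sources .profile with sh before starting the app, so variables
# exported here are inherited by the application process.

# Candidate system CA bundle locations. The first is the Ubuntu/Debian path
# used by Cloud.gov's cflinuxfs stacks; the second is the RHEL-family path,
# listed here on the assumption that a custom Docker image may use it.
CA_BUNDLE_CANDIDATES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt"

# find_system_ca_bundle [path ...]
# Prints the first readable candidate that contains at least one PEM
# certificate and returns 0; returns 1 if none qualifies. With no arguments
# it checks CA_BUNDLE_CANDIDATES.
find_system_ca_bundle() {
    [ $# -eq 0 ] && set -- $CA_BUNDLE_CANDIDATES
    for candidate in "$@"; do
        if [ -r "$candidate" ] && grep -q 'BEGIN CERTIFICATE' "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Export AWS_CA_BUNDLE only when a usable bundle was found. Otherwise say so
# in the logs rather than silently handing the CLI a nonexistent file, which
# would make every AWS call fail with a different error than the one above.
if bundle="$(find_system_ca_bundle)"; then
    export AWS_CA_BUNDLE="$bundle"
else
    echo "warning: no system CA bundle found; AWS CLI will keep its built-in CA store" >&2
fi
```

The grep check matters because an empty or truncated bundle file would pass a plain existence test and still leave the CLI unable to validate anything; the same fragment works as an entrypoint script in a custom Docker image.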