
Author Topic: Amazon Certificate Missing  (Read 2385 times)

Offline Zephyrus

  • Newbie
  • *
  • Posts: 6
Amazon Certificate Missing
« on: May 01, 2019, 01:02:29 AM »
Hi, not sure if this is the right place to report this, but I've been trying to get the Amazon Systems Manager Agent running on a compute module 1.
Bit of a mess around, but I had authentication problems with the Amazon server, so I updated my ca-certificates.tcz to the one from the version 10.x repo (this is because the 9.x version has no certs in /etc/ssl) and I also had to manually install an Amazon cert from here https://www.amazontrust.com/repository/. I used the Starfield one only but both that and the other 4 should probably be merged into ca-certificates.tcz.

Not sure if this should be posted here, but I couldn't find a dedicated bug tracker.

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1264
Re: Amazon Certificate Missing
« Reply #1 on: May 01, 2019, 04:54:15 AM »
Certs from 10.x will not work with 9.x (and vice versa).

See this link as to how to get the 9.x certs to work with /etc/ssl. http://forum.tinycorelinux.net/index.php/topic,21065.0.html




« Last Edit: May 01, 2019, 04:58:55 AM by Paul_123 »

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1264
Re: Amazon Certificate Missing
« Reply #2 on: May 01, 2019, 12:12:03 PM »
For the record, this is the list of certs that Mozilla distributes, and is what is used to generate the ca-certificates package.
  https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

What is the site you are trying to reach?

Offline Zephyrus

  • Newbie
  • *
  • Posts: 6
Re: Amazon Certificate Missing
« Reply #3 on: May 01, 2019, 09:39:49 PM »
Interesting they don't work. I tried copying the SSL certs from where they are in the version 9.x repo to /etc/ssl and that didn't seem to work.
That part may be a red herring and didn't help.

The website was either https://ssm.ap-southeast-2.amazonaws.com/ or https://ssmmessages.ap-southeast-2.amazonaws.com/
I got the error "x509 failed to load system roots and no roots provided" if SFSRootCAG2.pem is not in /etc/ssl/certs and no problems with it there. It does seem to be the same as the one from Mozilla.
 
I used deb2tcz to turn the Debian container of SSM for Raspbian into the TCZ file I needed if you need to test it.

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1264
Re: Amazon Certificate Missing
« Reply #4 on: May 01, 2019, 11:00:35 PM »
The PEM files use a generic name, but the Amazon certs are definitely there in 10.x, but they are signed with the openssl that is in 10.x. That version won't work with 9.x.

For 9.x, did you try to create the symlink between /etc/ssl -> /usr/local/etc/ssl?
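
The following is an added example, not part of any post in this thread: a small diagnostic for the "failed to load system roots" error quoted above, which comes from Go's crypto/x509. It counts PEM certificates in a subset of the default Linux locations that package reads, so the effect of the /etc/ssl -> /usr/local/etc/ssl symlink can be checked directly; the path list is an assumption taken from the Go standard library, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Pass a PREFIX to inspect a
# scratch tree (constructed input); pass "" to inspect the live system.

# Subset of the default Linux locations read by Go's crypto/x509 (assumed
# from the Go standard library; SSL_CERT_FILE/SSL_CERT_DIR override them).
GO_CERT_FILES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem /etc/ssl/cert.pem"
GO_CERT_DIRS="/etc/ssl/certs /etc/pki/tls/certs"

# Number of PEM certificate blocks in one file (0 if missing or unreadable).
count_in_file() {
    c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Same count for a file, or summed over the regular files in a directory.
# Symlinks such as /etc/ssl -> /usr/local/etc/ssl are followed.
count_pem_certs() {
    if [ -d "$1" ]; then
        n=0
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            n=$((n + $(count_in_file "$f")))
        done
        echo "$n"
    else
        count_in_file "$1"
    fi
}

# Return 0 if any location under PREFIX ($1) holds at least one certificate,
# else 1: the state in which Go can report "failed to load system roots".
check_go_roots() {
    total=0
    for p in $GO_CERT_FILES $GO_CERT_DIRS; do
        k=$(count_pem_certs "$1$p")
        echo "$1$p: $k certificate(s)"
        total=$((total + k))
    done
    [ "$total" -gt 0 ]
}

check_go_roots "${1:-}" || echo "no usable roots under '${1:-/}'"
```

Running it before and after creating the symlink shows whether the certificates under /usr/local/etc/ssl have become visible at the paths a Go binary actually opens.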