{"id":1950,"date":"2021-08-11T21:38:31","date_gmt":"2021-08-11T16:08:31","guid":{"rendered":"https:\/\/judepereira.com\/blog\/?p=1950"},"modified":"2021-11-18T19:03:43","modified_gmt":"2021-11-18T13:33:43","slug":"getting-the-aws-cli-to-accept-cloudflare-warps-root-certificate","status":"publish","type":"post","link":"https:\/\/judepereira.com\/blog\/getting-the-aws-cli-to-accept-cloudflare-warps-root-certificate\/","title":{"rendered":"Getting the AWS CLI to accept Cloudflare WARP’s root certificate"},"content":{"rendered":"\n

When we moved to Cloudflare WARP at CleverTap, everything worked as expected, except for the AWS CLI:<\/p>\n\n\n\n

SSL validation failed for https:\/\/ec2.eu-west-1.amazonaws.com\/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)<\/code><\/pre>\n\n\n\n
The problem with Cloudflare WARP is that it’s the equivalent of Charle’s Proxy – presenting its own certificate for everything. While this works for almost everything, it doesn’t work for tools that use a well known and publicly trusted CA bundle. <\/p>\n\n\n\n
Moreover, AWS’ CLI v2 is built with Python, which apparently doesn’t even have access to macOS’ Keychain. So, although that Cloudflare WARP certificate is installed in Keychain, tools from JetBrains and AWS’ very own CLI will refuse to work. <\/p>\n\n\n\n
The solution? Download a .crt from Cloudflare’s documentation<\/a>, convert it to a .pem (using Keychain), and then add it to your CA bundle (in my case, the default one installed by Homebrew).<\/p>\n\n\n\n
Preparing the certificate<\/h2>\n\n\n\n
Download the certificate from here<\/a>. Next, open it up in Keychain:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Right click on that entry, to see the Export option:<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Export it as a PEM:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Hit Save.<\/p>\n\n\n\n
Installing the certificate<\/h2>\n\n\n\n
And now to the tricky part. The CA bundle that AWS uses for its CLI is a mystery. However, it does allow one to override that, by using an environment variable. So, we want that CLI to trust the usual set of root certificates, along with Cloudflare’s. OpenSSL installs a decent set of trusted root certificates, which we can append to:<\/p>\n\n\n\n
$ cat Cloudflare.pem >> \/Users\/jude\/bin\/Homebrew\/etc\/openssl\/cert.pem<\/code><\/pre>\n\n\n\n
All that’s remaining is to tell the AWS CLI to use it:<\/p>\n\n\n\n
$ export AWS_CA_BUNDLE=\/Users\/jude\/bin\/Homebrew\/etc\/openssl\/cert.pem<\/code><\/pre>\n\n\n\n
And voila! It starts working magically! <\/p>\n","protected":false},"excerpt":{"rendered":"
Download, convert, and install the Cloudflare WARP root certificate into your local set of trusted root CAs, and then tell the AWS CLI to use it.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[12],"tags":[671,670,677,672,673,679,678,675,676,674],"class_list":["post-1950","post","type-post","status-publish","format-standard","hentry","category-misc","tag-aws","tag-aws-cli","tag-certificates","tag-cli","tag-cloudflare","tag-homebrew","tag-openssl","tag-ssl","tag-tls","tag-warp"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pqtyx-vs","jetpack-related-posts":[{"id":2055,"url":"https:\/\/judepereira.com\/blog\/colima-cloudflare-zero-trust-on-apple-silicon\/","url_meta":{"origin":1950,"position":0},"title":"Colima & Cloudflare Zero Trust on Apple Silicon","author":"Jude Pereira","date":"March 18, 2024","format":false,"excerpt":"Install Colima via Homebrew: $ brew install colima $ colima start Add the Cloudflare Certificate Get inside the VM that Colima spawns: $ colima ssh jude@colima:\/Users\/Jude$ <\u2014 make sure that your prompt changes Download the Cloudflare Zero Trust certificate: $ sudo curl -k https:\/\/developers.cloudflare.com\/cloudflare-one\/static\/Cloudflare_CA.pem --output \/usr\/share\/ca-certificates\/cloudflare.crt $ sudo dpkg-reconfigure ca-certificates\u2026","rel":"","context":"In "miscellaneous"","block_context":{"text":"miscellaneous","link":"https:\/\/judepereira.com\/blog\/category\/misc\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1969,"url":"https:\/\/judepereira.com\/blog\/cloudflare-zero-trust-gateway-and-net-neutrality\/","url_meta":{"origin":1950,"position":1},"title":"Cloudflare Zero Trust Gateway and Net Neutrality","author":"Jude Pereira","date":"April 5, 2023","format":false,"excerpt":"Is Cloudflare ruining the entire concept of a distributed internet? Is it on a path to violate Net Neutrality? What can you do to prevent this?","rel":"","context":"In "miscellaneous"","block_context":{"text":"miscellaneous","link":"https:\/\/judepereira.com\/blog\/category\/misc\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screenshot-2023-04-04-at-20.01.01.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1936,"url":"https:\/\/judepereira.com\/blog\/taming-a-throttled-api-with-dynamic-proxies-in-java\/","url_meta":{"origin":1950,"position":2},"title":"Taming a throttled API with Dynamic Proxies in Java","author":"Jude Pereira","date":"January 20, 2021","format":false,"excerpt":"Recently, at CleverTap, we've begun migrating some of our largest clusters to a new protocol (for starters, think ~115 instances at a time). One of the most fun things I've had my hands on during this migration was the AWS Systems Manager API. When we scaled up our migrations gradually\u2026","rel":"","context":"In "another snippet | code"","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1830,"url":"https:\/\/judepereira.com\/blog\/ios-mac-ipsec\/","url_meta":{"origin":1950,"position":3},"title":"How to tunnel all traffic from your iOS device to your own server via IPSec","author":"Jude Pereira","date":"May 11, 2018","format":false,"excerpt":"TL;DR: A DigitalOcean droplet, strongSwan, and a custom Configuration Profile for iOS routes all the traffic from my iPhone via my droplet. Why? Just because I can. Note: This setup does not require you to download Apple Configurator and switch your iPhone into Supervised mode (we will create a configuration\u2026","rel":"","context":"In "gnu linux"","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2018-05-10-at-20.34.32-1024x134.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":1685,"url":"https:\/\/judepereira.com\/blog\/compile-less-on-the-fly-for-your-exploded-war-in-intellij\/","url_meta":{"origin":1950,"position":4},"title":"Compile LESS on the fly for your exploded WAR in IntelliJ","author":"Jude Pereira","date":"February 5, 2016","format":false,"excerpt":"At CleverTap, we've recently started using LESS for dynamic CSS. While it has it's upsides, the biggest downside\u00a0was that most of our developers couldn't use the hot deploy feature for their local deployments. After an hour or so, we came up with a neat solution. \u00a0 There are two parts\u2026","rel":"","context":"In "another snippet | code"","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"External Tool configuration for compiling LESS files before deployment","src":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/judepereira.com\/blog\/wp-content\/uploads\/Screen-Shot-2016-02-05-at-01.32.45-1024x494.png?resize=525%2C300 1.5x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/comments?post=1950"}],"version-history":[{"count":8,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1950\/revisions"}],"predecessor-version":[{"id":1962,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1950\/revisions\/1962"}],"wp:attachment":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/media?parent=1950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/categories?post=1950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/tags?post=1950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}