RightAWS and SSL Certificates

2009 November 30
by avdi

If you’ve used the RightAWS tools to talk to Amazon Web Services, you’ve probably seen this warning before:

warning: peer certificate won't be verified in this SSL session

No one likes warnings cluttering up their output, and this one indicates a very real security problem: no verification is being done to check that the server really is a legitimate Amazon host. Unfortunately, the warning doesn’t give you a lot of clues about how to go about addressing the issue.

Here’s what you need to do. First, you’ll need a certificate file. If you’re running Ubuntu, you can install the “ca-certificates” package (on my system it was already installed). Once it’s installed you should have a master certificate file at /etc/ssl/certs/ca-certificates.crt. Now you just need to tell RightAWS about the file:

require 'right_http_connection'
Rightscale::HttpConnection.params[:ca_file] = "/etc/ssl/certs/ca-certificates.crt"

…and you should get no more warnings.

I’ve submitted a patch to the right_http_connection gem which, if accepted, will use this file by default if it exists. It will also enable users to override the CA file configuration using the RIGHT_HTTP_CA_FILE environment variable.
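As an added illustration (not code from the original post or from the right_http_connection gem), the Ruby below shows what a CA file buys you, using only the standard OpenSSL library: a certificate issued by a CA in the bundle verifies and one issued by an unknown CA does not. The helper names, the constructed throwaway certificates, and the choice to return nil when the selected file is unreadable are assumptions; the path and the RIGHT_HTTP_CA_FILE variable come from the text above.

```ruby
require 'openssl'
require 'tempfile'

DEFAULT_CA_FILE = '/etc/ssl/certs/ca-certificates.crt'

# Environment override first, then the Ubuntu default. Returning nil for an
# unreadable file is an assumed policy here, so the caller can refuse to connect.
def resolve_ca_file(env = ENV, default = DEFAULT_CA_FILE)
  candidate = env['RIGHT_HTTP_CA_FILE']
  candidate = default if candidate.nil? || candidate.empty?
  File.readable?(candidate) ? candidate : nil
end

# True only if cert chains to a CA in the bundle (what peer verification checks).
def trusted_by?(ca_file, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  store.verify(cert)
end

# Constructed test material: a self-signed CA when no issuer is given.
def make_cert(subject, key, serial, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

def demo
  ca_key, rogue_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = make_cert('/CN=Constructed Trusted CA', ca_key, 1)
  rogue = make_cert('/CN=Constructed Untrusted CA', rogue_key, 1)
  good  = make_cert('/CN=good.example.test', leaf_key, 2, ca, ca_key)
  bad   = make_cert('/CN=bad.example.test', leaf_key, 2, rogue, rogue_key)
  Tempfile.create('ca-bundle') do |f|
    File.write(f.path, ca.to_pem)
    path = resolve_ca_file({ 'RIGHT_HTTP_CA_FILE' => f.path })
    { good: trusted_by?(path, good), bad: trusted_by?(path, bad) }
  end
end
```

Calling demo returns a hash with :good true and :bad false. On a real system, the path returned by resolve_ca_file is the value you would assign to Rightscale::HttpConnection.params[:ca_file].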

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.