How do I add an additional CA (certificate authority) to the trust store used by my Python3 AWS Lambda function?
- Unclear what you are asking. What is "one of the external services" and why would a certificate be needed? – Michael - sqlbot, May 20, 2019 at 23:33
- I am accessing a REST service over HTTPS. I believe I need a certificate to be installed in the truststore in the case of a Java application, but since this is a Python app running on AWS Lambda, I'm unsure as to how it can be implemented. – Punter Vicky, May 20, 2019 at 23:34
- This question is pretty unclear. Are you asking about any particular certificate? If it is a valid certificate that has a chain from a trusted CA, you probably don't need to do anything. However, if you are using a self-signed certificate, that would be different. – Rafał Nowosielski, Jun 9, 2019 at 21:52
- this may be useful – WEBjuju, May 25, 2021 at 19:38
1 Answer
If you only need a single CA, then get your crt file and encode it into a PEM file using the following command in Linux:
openssl x509 -text -in "{your CA}.crt" > cacert.pem
If you need to add CAs to the default CA bundle, then copy python3.8/site-packages/certifi/cacert.pem to your Lambda folder. Then run this command for each crt:
openssl x509 -text -in "{your CA}.crt" >> cacert.pem
After creating the PEM file, deploy your Lambda with the REQUESTS_CA_BUNDLE environment variable set to /var/task/cacert.pem.
/var/task is where AWS Lambda extracts your zipped up code to.
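As an added example (not part of the original answer), here is the append step done in Python at build time: it keeps only the PEM certificate blocks, so the text dump written by `-text` stays out of the bundle, and it skips CAs that are already present. The function names and sample data are assumptions; the sample payloads are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block. Anything outside the markers, such as the
# human-readable dump that `openssl x509 -text` writes first, is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Yield (sha256_hex_of_der, normalized_pem) for each certificate block."""
    for match in PEM_BLOCK.finditer(text):
        # validate=True rejects stray characters instead of silently dropping them
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
        yield hashlib.sha256(der).hexdigest(), pem


def merge_bundles(base_text, extra_texts):
    """Return (bundle_text, added_fingerprints) for base bundle plus new CAs."""
    seen, out, added = set(), [], []
    for index, text in enumerate([base_text, *extra_texts]):
        blocks = list(pem_blocks(text))
        if index > 0 and not blocks:
            # A DER-encoded .crt has no PEM markers; convert it before merging.
            raise ValueError(f"extra CA #{index}: no PEM certificate found")
        for fingerprint, pem in blocks:
            if fingerprint in seen:
                continue  # same CA appended twice, or already in the base bundle
            seen.add(fingerprint)
            out.append(pem)
            if index > 0:
                added.append(fingerprint)
    return "\n".join(out) + "\n", added


def sample_pem(payload):
    """Constructed sample: wraps placeholder bytes in PEM markers."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed inputs: a two-entry "default" bundle and an internal CA file
# in the shape `openssl x509 -text` produces (text dump, then the PEM block).
BASE = sample_pem(b"public-root-1") + sample_pem(b"public-root-2")
INTERNAL = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + sample_pem(b"internal-ca")
```

For a real build, pass the contents of the file at `certifi.where()` as `base_text` and the contents of each CA file as `extra_texts`, then write the returned bundle to `cacert.pem` in the deployment package.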