Symptoms: A deployment step fails and logs show that TLS connections cannot be established due to a rejected certificate.
You may see messages such as "SSLCertVerificationError" or "SSL: Certificate_Verify_Failed".
Root Cause:
Companies that use proxies typically distribute a new trusted certificate to all administered machines. Most web browsers detect the new certificate automatically, but not all applications reference the same keystore.
Greengrass depends on the Java KeyStore for trusted certificates. Java is bundled with the Greengrass MSI, and its keystore is likely missing the company-specific proxy certificate.
Solution:
First, identify and obtain a copy of your company-specific proxy certificate. You can:
- Ask your IT administrator for the file.
- Or, locate the file from the web browser:
  - Go to any HTTPS website.
  - Click on the lock icon in the URL bar and locate the certificate details. For Chrome, you can find them in: Connection is secure > Certificate is valid > Details. In this scenario, the certificate will be issued by an internal (or different) certificate authority.
  - Export the certificate to a file. It must be a PEM formatted file which contains -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Next, configure Greengrass to trust the HTTPS proxy:
- Add the contents of your certificate file to both of these root CA certificate files:
  - C:\greengrass\v2\tenant\rootCA.pem (or wherever your Greengrass working directory is located)
  - C:\Program Files\Autodesk\Info360\customer-configs-1.0.0\rootCA.pem
- Restart the Greengrass service.
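The two steps above can be scripted from an elevated PowerShell prompt. This is an added example, not code from Autodesk or AWS: the export location in $ProxyCert and the service name in $ServiceName are assumptions to adjust, and the two rootCA.pem paths are the ones listed above. It prints the subject and thumbprint of each certificate it adds so you can confirm it is the intended proxy CA, skips certificates that are already present, and keeps a .bak copy of each bundle.

```powershell
$ErrorActionPreference = 'Stop'
$ProxyCert   = 'C:\Temp\proxy-ca.pem'   # assumption: where you exported the proxy certificate
$ServiceName = 'greengrass'             # assumption: confirm the name with Get-Service
$Bundles = @(
    'C:\greengrass\v2\tenant\rootCA.pem',
    'C:\Program Files\Autodesk\Info360\customer-configs-1.0.0\rootCA.pem'
)

# Parse every PEM certificate block in a file; keep the original text with its thumbprint.
function Get-PemCertificates {
    param([string]$Path)
    $text = [string](Get-Content -LiteralPath $Path -Raw)
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        # FromBase64String throws on a damaged block, which stops the script before any write.
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Pem        = $m.Value
        }
    }
}

$new = @(Get-PemCertificates -Path $ProxyCert)
if ($new.Count -eq 0) { throw "No PEM certificate block found in $ProxyCert" }

foreach ($bundle in $Bundles) {
    $have    = @(Get-PemCertificates -Path $bundle | ForEach-Object Thumbprint)
    $missing = @($new | Where-Object { $have -notcontains $_.Thumbprint })
    if ($missing.Count -eq 0) {
        Write-Host "Already trusted in $bundle"
        continue
    }
    Copy-Item -LiteralPath $bundle -Destination "$bundle.bak" -Force   # backup before editing
    foreach ($c in $missing) {
        # Leading newline keeps the new block separate if the bundle lacks a trailing newline.
        Add-Content -LiteralPath $bundle -Value "`n$($c.Pem)" -Encoding Ascii
        Write-Host "Added $($c.Subject) [$($c.Thumbprint)] to $bundle"
    }
}

Restart-Service -Name $ServiceName
```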
See also: AWS documentation - Connect on port 443 or through a network proxy