Fixing certificate validation errors from AWS CLI when using the cg-egress-proxy

November 4, 2022

If you are using the cg-egress-proxy to restrict the egress traffic for your application, you may experience certificate validation errors that prevent you from interacting with brokered AWS services using the CLI.

The cause is that the AWS CLI overrides the certificates that cloud.gov provides, so it cannot validate TLS connections and CLI commands fail.

To force the AWS CLI to use the system CA cert stores, you can add this environment variable:

AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Environment variables can be set for your application by using a manifest, the cf set-env CLI command, or in the .profile file for your application. For applications running custom Docker images, you could also set this environment variable in the Dockerfile for your image.
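As an added example (not code from cloud.gov), here is one way to set the variable from a .profile file while checking that the bundle is actually usable, so a missing or empty file shows up in the startup logs instead of as another TLS error. The function name use_system_ca_bundle and its return codes are assumptions made for this sketch.

```shell
# .profile sketch (added example): point the AWS CLI at the system CA store.
# use_system_ca_bundle is a hypothetical helper name, not part of any tool.

# use_system_ca_bundle [BUNDLE_PATH]
# Exports AWS_CA_BUNDLE only if the file is readable and holds at least one
# PEM certificate. Returns 1 if the file is missing or unreadable, 2 if it
# contains no certificates.
use_system_ca_bundle() {
    bundle="${1:-/etc/ssl/certs/ca-certificates.crt}"

    if [ ! -r "$bundle" ]; then
        echo "AWS_CA_BUNDLE not set: $bundle is missing or unreadable" >&2
        return 1
    fi

    # grep -c exits non-zero on zero matches; "|| true" keeps the count usable
    # even when the calling shell runs with "set -e".
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "AWS_CA_BUNDLE not set: no PEM certificates found in $bundle" >&2
        return 2
    fi

    export AWS_CA_BUNDLE="$bundle"
    echo "AWS_CA_BUNDLE=$bundle ($count certificates)"
}

# Never abort application start-up if the check fails; the message on stderr
# is enough to diagnose the problem from the logs.
use_system_ca_bundle || true
```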