The SSL error says the following from running eb init (for deploying an Elastic Beanstalk environment for a web application):
ERROR: SSLError - SSL validation failed for https://elasticbeanstalk.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
The certificate issue likely comes from my work computer's VPN (Zscaler) blocking default ca certificates. I had fixed SSL errors on this device in the past by pointing certificate validation to a Zscaler certificate on my device, but cannot figure out how to fix this issue from ebcli.
I have tried to create a named profile in the aws config file (found in /home/.aws) and running the command with the profile field.
eb init --profile eb-cli
where /home/.aws/config:
[profile eb-cli]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx
region = us-west-2
output = json
ca_bundle = my-cert-path\zscaler-cert.pem
I also had my elastic beanstalk config file point to this aws named profile. /home/project/.elasticbeanstalk/config.yml:
global:
profile: eb-cli
I also tried to set the ca bundle manually:
set AWS_CA_BUNDLE=my-cert-path/zscaler-cert.pem
What is interesting is that an awscli command which also requires ssl validation runs without error.
aws ec2 describe-instances --region us-west-2
It seems that awscli is able to find and recognize the new certificate file, however ebcli (namely with eb init) is not. I was under the impression that aws and eb config files were interchangeable, or at least that an aws named profile was a legitimate way to configure an eb environment before deployment. Where am I going wrong?
The domain:
is not yours. It belogs to AWS, and you can't setup any valid SSL certificates for it. To have HTTPS in your EB website, you have to have your own domain, for which you get SSL cert. More information is in aws docs: