Amanda amlabel CURL error: SSL certificate problem when using S3 buckets under Gentoo for backup
This one was fun.
Issue:
The error appeared when running amlabel to label S3 buckets for use by Amanda in a virtual tape changer configuration. The OS is Linux and the distribution is Gentoo.
The exact error encountered was:
labeling tape in slot 1 (s3:myBucket/backupSet/0001/): Reading label... While trying to read tapestart header: CURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (CURLcode 60) Reading the tape label failed: Error was Device error.
Cause:
The error comes from curl performing peer SSL certificate verification by default. This is a "good thing" and takes minimal intervention to resolve once an admin is aware of the issue: verification stays on, and the local certificate store is given the CA certificate it is missing.
Reference:
http://curl.haxx.se/docs/sslcerts.html
Resolution:
Gentoo centralizes a collection of CA certificate PEM files in the app-misc/ca-certificates package in Portage. This package should be installed as part of a normal Gentoo system; however, it is possible that a particular CA PEM is absent. In that case, download the missing PEM file and place it in /etc/ssl/certs. Once this is done, be sure to run the following command to update the local system certificate store:
update-ca-certificates
Tools for extracting common CA PEM files from Mozilla projects, and a standard PEM bundle, can be found at: http://curl.haxx.se/docs/caextract.html
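One way to vet a downloaded CA PEM before placing it in /etc/ssl/certs, as an added example that is not part of the original post: it checks that the file is an unexpired CA certificate and compares its SHA-256 fingerprint with a value obtained from the CA out of band. The function names and the CERT_DIR variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): vet a CA PEM before trusting it.
# check_ca_pem, install_ca_pem and CERT_DIR are hypothetical names.

# check_ca_pem FILE [EXPECTED_SHA256]
# Returns 0 if FILE is a currently valid CA certificate whose SHA-256
# fingerprint matches EXPECTED_SHA256 (when one is given).
check_ca_pem() {
    pem=$1
    expected=$(printf '%s' "${2:-}" | tr 'a-f' 'A-F')
    # 1. Must parse as an X.509 certificate at all.
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $pem" >&2; return 1; }
    # 2. Must be a CA certificate (basicConstraints CA:TRUE), not a server leaf.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate: $pem" >&2; return 2; }
    # 3. Must not already be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired: $pem" >&2; return 3; }
    # 4. Show the fingerprint so it can be compared with the value the CA
    #    publishes; enforce the match when the caller supplies one.
    fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "SHA-256 fingerprint: $fp"
    if [ -n "$expected" ] && [ "$fp" != "$expected" ]; then
        echo "fingerprint mismatch for $pem" >&2
        return 4
    fi
    return 0
}

# install_ca_pem FILE [EXPECTED_SHA256]
# Copies a vetted CA into CERT_DIR (default: /etc/ssl/certs, as in the post)
# and refreshes the store when that is the real system directory.
install_ca_pem() {
    dest=${CERT_DIR:-/etc/ssl/certs}
    check_ca_pem "$1" "${2:-}" || return $?
    cp "$1" "$dest/" || return 5
    chmod 644 "$dest/$(basename "$1")" || return 5
    if [ "$dest" = /etc/ssl/certs ]; then
        update-ca-certificates
    fi
}
```

Run as root, `install_ca_pem missing-ca.pem "AB:CD:..."` refuses server (leaf) certificates and anything whose fingerprint differs from the one supplied, so only the intended CA reaches the store that curl and Amanda rely on.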
Amazon EC2 Subnets
216.182.224.0/20 (216.182.224.0 - 216.182.239.255) [US]
72.44.32.0/19 (72.44.32.0 - 72.44.63.255) [US]
67.202.0.0/18 (67.202.0.0 - 67.202.63.255) [US]
75.101.128.0/17 (75.101.128.0 - 75.101.255.255) [US]
174.129.0.0/16 (174.129.0.0 - 174.129.255.255) [US]
79.125.0.0/18 (79.125.0.0 - 79.125.63.255) [EU]
References:
http://developer.amazonwebservices.com/connect/thread.jspa?messageID=51028&#51028
http://developer.amazonwebservices.com/connect/message.jspa?messageID=107770