AWS Lambda Ruby Runtime DST Root CA X3 Expired

We hit this problem using a Lambda with the Ruby 2.7 runtime. Initially we tried just disabling SSL verification, which is of course a bad idea, but we figured out you can upload a trusted cert file alongside the Lambda and pass it as a request param.

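```ruby
require 'json'
require 'open-uri'
require 'openssl' # defines OpenSSL::SSL::VERIFY_NONE used in the commented-out line

def lambda_handler(event:, context:)
  request_uri = URI.parse('https://YOURSITE')

  # First attempt: turns certificate verification off entirely (bad idea).
  # output = URI.open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
  # Fix: verify against the CA file uploaded alongside the function.
  output = URI.open(request_uri, {ssl_ca_cert: './custom_ca_cert.crt'})
  # Original call using the runtime's default trust store:
  # output = URI.open(request_uri)

  # Return the response text, not the IO object that URI.open yields.
  { statusCode: 200, body: output.read }
end
```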

This connects without error. I got the trusted certs from Firefox and deleted the DST ROOT CA X3.

3 Likes

Good fix!

3 Likes

I have since figured out a slightly better fix.

You can add the fixed certs file as a layer in the Lambda, uploaded as a zip in a custom layer. Then set an environment variable SSL_CERT_FILE = /opt/ca-bundle.crt

This at least gets around it without code changes.

2 Likes
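
As an added example (not code from any poster in this thread), this Ruby script builds the trimmed bundle the posts above rely on: it drops expired certificates and any whose subject CN is DST Root CA X3, then writes the rest as one PEM file. The function names, `BLOCKED_CNS` and the self-signed sample certificates are assumptions constructed for illustration.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
BLOCKED_CNS = ['DST Root CA X3'].freeze # the root named in this thread

# Split a PEM bundle into [kept, dropped] certificate arrays. A certificate is
# dropped if it has expired at `now` or its subject CN is in `blocked`.
def filter_bundle(pem_text, blocked: BLOCKED_CNS, now: Time.now)
  certs = pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  certs.partition do |cert|
    cn = (cert.subject.to_a.find { |field, _, _| field == 'CN' } || [])[1].to_s
    cert.not_after > now && blocked.none? { |b| b.casecmp?(cn) }
  end
end

# Write the kept certificates as one PEM file, e.g. the ca-bundle.crt for the layer.
def write_bundle(certs, path)
  File.write(path, certs.map(&:to_pem).join)
end

# Constructed sample data: a throwaway self-signed certificate, not a real CA.
def sample_cert(cn, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key
  cert.not_before = not_after - 365 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  year = 365 * 86_400
  bundle = [sample_cert('Example Live Root', Time.now + year),
            sample_cert('Example Stale Root', Time.now - 86_400),
            sample_cert('DST Root CA X3', Time.now + year)].map(&:to_pem).join
  kept, dropped = filter_bundle(bundle)
  kept.each { |c| puts "keep #{c.subject}" }
  dropped.each { |c| puts "drop #{c.subject} (notAfter #{c.not_after})" }
end
```

Review the dropped list before shipping the output file, since every certificate left in it becomes a trust anchor for the function's outbound TLS connections.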
