SSL validation failed: self-signed certificate

Core Tunnel Ask for Support
1

Hello, I use a .ssh/config file to connect to AWS EC2 instance. Our company also uses Netskope to control internet traffic, thus we have a custom pem certificate.
I cannot open tunnels anymore with the new Core Tunnel (installed from site, not app).
The SSH command use by core tunnel does work if I run it in a terminal, but fails in Core Tunnel:

Equivalent Command: ssh -N -L localhost:12432:localhost:15432 -o PubkeyAcceptedAlgorithms=+ssh-rsa -o ServerAliveCountMax=3 -o ServerAliveInterval=15 -o ExitOnForwardFailure=yes -p 22 user@ssh_profile
10:01:21 Connecting...
10:01:21 Jumping...
SSL validation failed for https://ssm.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)
10:01:23 kex_exchange_identification: Connection closed by remote host
10:01:23 Connection closed by UNKNOWN port 65535
10:01:23 Abnormal Disconnect

Thanks.
Nicolas

2

We just made a new release (3.8.8, Codinn Store version), could you please update the app and give it a try?

If it still not work, please Enable logging and send me a desensitized connection log.

Kindly Regards,

Yang

3

Thanks for the prompt reply, I already have: Version: 3.8.8 (53E56)
Here is the log in debug 3:
Thanks, nicolas

Equivalent Command: ssh -N -vvv -L localhost:10432:localhost:5432 -o SendEnv=AWS_CA_BUNDLE -o ServerAliveInterval=15 -o PubkeyAcceptedAlgorithms=+ssh-rsa -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -p 22 user@sshprofile
11:14:41 Connecting...
11:14:41 OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
11:14:41 debug1: Reading configuration data /Users/nicolas/.ssh/config
11:14:41 debug1: /Users/nicolas/.ssh/config line 1: Applying options for tpf
11:14:41 debug1: Reading configuration data /etc/ssh/ssh_config
11:14:41 debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
11:14:41 debug1: /etc/ssh/ssh_config line 54: Applying options for *
11:14:41 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/nicolas/.ssh/known_hosts'
11:14:41 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/nicolas/.ssh/known_hosts2'
11:14:41 debug1: Executing proxy command: exec sh -c "/opt/homebrew/bin/aws ssm start-session --target i-x9ff7xxxxxxxx --document-name AWS-StartSSHSession --parameters 'portNumber=22' --profile default --region eu-west-1"
11:14:41 Jumping...
11:14:41 debug1: identity file /Users/nicolas/.ssh/id_rsa type 0
11:14:41 debug1: identity file /Users/nicolas/.ssh/id_rsa-cert type -1
11:14:41 debug1: Local version string SSH-2.0-OpenSSH_8.8
SSL validation failed for https://ssm.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)
11:14:43 kex_exchange_identification: Connection closed by remote host
11:14:43 Connection closed by UNKNOWN port 65535
11:14:43 Abnormal Disconnect
11:14:43 Connection failed, retry after 3s...
11:14:47 Disconnected
4

Please try set AWS_CA_BUNDLE environment, and reconnect the tunnel:

image
image1000×706 57.7 KB

Kindly Regards,

Yang

5

Oh thanks a ton Yang: I missed the env variable tab in advanced setting :sweat_smile: .
Best regards, Nicolas

6

Great to know that :slight_smile: