ERP archive export from Virtual Server to Cloud Object Storage fails with SSL certificate error

Our monthly ERP archive export job started failing last week with an SSL certificate validation error. The job exports compressed archives from a Virtual Server running RHEL 8 to Cloud Object Storage using the AWS CLI.

Error from the export log:


SSL validation failed for https://s3.us-east.cloud-object-storage.appdomain.cloud
Certificate verification failed: unable to get local issuer certificate

This worked fine for 6 months until recently. I haven’t changed anything in the CA certificate management on the server. The Virtual Server can access other HTTPS sites without issues. It’s specifically the ERP-COS integration that’s failing.

I tried adding --no-verify-ssl to the AWS CLI command and the export works, but that’s not acceptable for production. We need proper SSL/TLS troubleshooting to fix the certificate validation. Has anyone dealt with IBM Cloud Object Storage certificate issues on RHEL systems?

I’ve seen this before with Python-based tools on RHEL 8. The issue is usually that the SSL library can’t find the CA bundle. Check the AWS CLI’s SSL configuration. You might need to explicitly set the CA_BUNDLE environment variable to point to /etc/pki/tls/certs/ca-bundle.crt. Also verify that the certifi Python package is up to date if you’re using the Python version of AWS CLI.

I can help you resolve this SSL certificate validation issue. The problem is related to CA certificate management and how RHEL 8 handles certificate trust after system updates.

First, let’s verify the actual certificate chain issue:


openssl s_client -connect s3.us-east.cloud-object-storage.appdomain.cloud:443 -showcerts

Look for “Verify return code: 0 (ok)” at the end. If you see error 20 (unable to get local issuer certificate), the system doesn’t trust the CA.

The RHEL 8.6 update you applied likely updated OpenSSL to 1.1.1k or later, which has stricter certificate validation. Here’s the complete fix for your ERP-COS integration:

  1. CA Certificate Management - Update trust store:

sudo yum update ca-certificates
sudo update-ca-trust extract

  2. Verify DigiCert root is present:

grep -r "DigiCert" /etc/pki/ca-trust/extracted/

  3. For AWS CLI specifically, the issue is often the boto3/urllib3 SSL context. Create an AWS CLI config file at ~/.aws/config:

[default]
ca_bundle = /etc/pki/tls/certs/ca-bundle.crt

Or set the environment variable in your ERP export script:


export AWS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

  4. SSL/TLS Troubleshooting - If the above doesn’t work, the issue is likely that RHEL 8’s update-crypto-policies disabled TLS 1.0/1.1. Verify COS supports TLS 1.2+:

openssl s_client -connect s3.us-east.cloud-object-storage.appdomain.cloud:443 -tls1_2

  5. For ERP-COS integration specifically, check if your archive export script is using a virtual environment with outdated SSL libraries:

python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"

If it shows OpenSSL < 1.1.1, your Python environment has outdated SSL. Fix:


sudo yum install python3-libs
pip3 install --upgrade certifi urllib3

  6. The “unable to get local issuer certificate” error specifically means the intermediate certificate is missing from your trust store. Download and install it manually:

curl -o /tmp/digicert-global-root-ca.crt https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
sudo cp /tmp/digicert-global-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

  7. Restart any long-running processes that cache SSL contexts (including your ERP application).

  8. Test the fix:


aws s3 ls s3://your-erp-archive-bucket/ --region us-east

For production ERP archive exports, I recommend:

  • Pin your OpenSSL version in your maintenance schedule to avoid surprise updates
  • Use a dedicated service account with its own AWS CLI config pointing to the system CA bundle
  • Add certificate validation checks to your pre-export health checks
  • Set up monitoring for SSL errors in your export logs

The root cause here is that RHEL 8.6 updated the CA trust store format and some intermediate certificates were reorganized. The AWS CLI’s bundled certifi package doesn’t automatically pick up system trust store changes, so you need to explicitly point it to the updated bundle.

After implementing these CA certificate management and SSL/TLS troubleshooting steps, your monthly ERP archive export should work without --no-verify-ssl. The key is ensuring the AWS CLI uses the system CA bundle that was updated by the RHEL update.
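
A pre-export health check of the kind recommended in the answer above, as an added example that is not part of the original thread: it works out which CA bundle the AWS CLI will actually use (the AWS_CA_BUNDLE environment variable overrides ca_bundle in the config file), confirms the file holds certificates, and then verifies the endpoint against that bundle. The function names and the --check invocation are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-export TLS trust check. Function names are hypothetical.

# Print the CA bundle the AWS CLI will use for a profile.
# Precedence: AWS_CA_BUNDLE env var, then ca_bundle in the config file
# (a --ca-bundle option on the command line would override both).
# Prints nothing when neither is set; the CLI then uses its built-in default.
effective_ca_bundle() {
    local config="$1" profile="${2:-default}"
    if [ -n "${AWS_CA_BUNDLE:-}" ]; then
        printf '%s\n' "$AWS_CA_BUNDLE"
        return 0
    fi
    [ -r "$config" ] || return 0
    awk -v p="$profile" '
        BEGIN { a = "[" p "]"; b = "[profile " p "]" }
        /^\[/ { insec = ($0 == a || $0 == b); next }
        insec && /^[ \t]*ca_bundle[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$config"
}

# Succeed if the bundle is a readable file with at least one PEM certificate.
bundle_is_usable() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Live check: TLS handshake with the chain verified against that bundle.
endpoint_verifies() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Runs only when invoked as: script --check HOST [CONFIG]
if [ "${1:-}" = "--check" ]; then
    host="$2"; config="${3:-$HOME/.aws/config}"
    bundle="$(effective_ca_bundle "$config" "${AWS_PROFILE:-default}")"
    [ -n "$bundle" ] || { echo "no CA bundle configured" >&2; exit 2; }
    bundle_is_usable "$bundle" || { echo "unusable bundle: $bundle" >&2; exit 3; }
    endpoint_verifies "$host" "$bundle" \
        || { echo "TLS verify failed: $host with $bundle" >&2; exit 4; }
    echo "ok: $host verifies against $bundle"
fi
```

A non-zero exit before the export starts separates "the CLI is not pointed at a bundle" (2) and "the bundle file is missing or empty" (3) from "the endpoint's chain does not verify against it" (4).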

I updated ca-certificates but still getting the same error. I checked the certificate chain using openssl s_client and it shows the full chain from DigiCert. The certificates look valid. Could this be an issue with how the AWS CLI is configured to use the system CA bundle on RHEL 8?