Starting Sunday, April 15, 2018, Amazon will begin issuing the TLS certificates for its services from a different root certificate authority, a change that could cause issues for some users of the Shotgun API. On hosted Shotgun sites, and in older or non-standard Python environments, this change could cause scripts that upload media to Shotgun or download files from Shotgun to crash. This document describes the change, the environments that are at risk from it, and how to work around the issue if you are running an environment that will break because of it.
What is changing
Between Sunday, April 15, 2018 and Monday, April 30, 2018, Amazon will be changing the root certificate authority for its TLS certificates. This update will affect the following Amazon endpoints:
These endpoints are used by Shotgun to upload media to Amazon S3.
Because this is a change to the root CA that the TLS certificate chains up to, it may be a breaking change for scripts running on older operating systems or in Python interpreters whose CA certificates are not properly set up.
More details on root certificates
A certificate authority (CA) is an entity that issues digital certificates, in this case the TLS certificates that identify a server. A client only trusts a TLS connection if the server's certificate chains up to a root CA that is present in the client's own trust store; a certificate signed by a CA the client does not know is rejected as invalid, however legitimate that CA is. The change described here therefore only breaks clients whose trust store lacks the new root.
More on the change from Amazon
The change means that the TLS certificates for Amazon services such as AWS S3 will chain up to Amazon's own root certificates (operated by Amazon Trust Services) instead of the root they chain to today.
Read Amazon's announcement here: https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
Additional Amazon resources for verifying the root CAs on a host system are available here: https://www.amazontrust.com/repository/
Why can this be a breaking change?
Older systems or Python environments whose trust store does not include the Amazon root CAs (or the Starfield Services root that Amazon acquired) will be impacted: the new TLS certificate will not validate for them when they make HTTPS calls to upload media directly to our S3 buckets. A root CA the client does not trust can break any of the components below:
- Shotgun Python API
- Shotgun integrations
How can I know if my studio will be impacted?
We are providing a small Python script that lets you test whether you will be impacted by this change. You can run it in any Python environment in your studio, including application consoles and script editors. Its output indicates whether that environment will break once the root certificate is updated.
Be sure to test every operating system and Python environment where the Python API is used (including all application versions currently in use), even those not present in the list of applications at risk.
The script can be downloaded or copy and pasted from:
Known Applications and Operating Systems at risk
We have tested the Python environments of all the applications we have official integrations for, on all our supported platforms. This testing found issues in the applications below.
My studio is impacted… now what?
Ideally, update the impacted application or operating system to its latest version; in our testing, updating the impacted tool resolves the issue.
The issues we have seen can be worked around by running some Python code that points Python's ssl module at an up-to-date list of trusted certificates. For example, Mari 4.0 on CentOS 6 has a bug where Mari does not pick up the operating system's trusted certificates; running the snippet below from a file in your Mari script path works around it. As long as you run code like the snippet below before any HTTPS connection is made (supplying an updated certificate bundle if your system does not have one), the new Amazon certificates should validate.
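The following is an added illustration of both the check described under "How can I know if my studio will be impacted?" and the workaround above. It is not the Shotgun test script or workaround snippet referenced on this page, and the S3 endpoint list from this page is not reproduced here. It inspects the CA certificates Python's ssl module has actually loaded for the Amazon Trust Services roots (Amazon Root CA 1 to 4 and the Starfield Services G2 root), and if none are present it points OpenSSL at a better bundle through the SSL_CERT_FILE variable, which Python's default context honours. The candidate bundle paths, the sample certificate dicts and the `handshake_ok` helper are assumptions made for the example.

```python
"""Check which Amazon Trust Services roots this Python trusts, and point the
ssl module at a better CA bundle if it trusts none of them.

Added example; not the Shotgun test script or workaround snippet.
"""
from __future__ import print_function
import os
import socket
import ssl

# Subject CNs of the roots Amazon Trust Services issues from. Matching on the
# subject means this part runs offline against whatever ssl has loaded.
AMAZON_ROOT_CNS = (
    "Amazon Root CA 1",
    "Amazon Root CA 2",
    "Amazon Root CA 3",
    "Amazon Root CA 4",
    "Starfield Services Root Certificate Authority - G2",
)

# Assumed bundle locations; the first existing one is used.
CANDIDATE_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / CentOS
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/ssl/cert.pem",                   # macOS and some BSDs
)

# Constructed sample in the shape SSLContext.get_ca_certs() returns:
# subject is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Amazon"),),
                 (("commonName", "Amazon Root CA 1"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
                 (("commonName", "Example Global Root"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Starfield Technologies, Inc."),),
                 (("commonName", "Starfield Services Root Certificate Authority - G2"),))},
]


def subject_cn(cert):
    """Return the commonName of a cert dict, or None if it has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def amazon_roots_in(certs):
    """Sorted list of Amazon Trust Services root CNs present in `certs`."""
    found = set(subject_cn(c) for c in certs)
    return sorted(cn for cn in AMAZON_ROOT_CNS if cn in found)


def loaded_roots(cafile=None):
    """Amazon roots trusted by a fresh default context (or by `cafile`).
    create_default_context() loads the OS/OpenSSL default store, which is
    exactly what a Shotgun upload would rely on."""
    ctx = ssl.create_default_context(cafile=cafile)
    return amazon_roots_in(ctx.get_ca_certs())


def pick_bundle(candidates=CANDIDATE_BUNDLES, use_certifi=True):
    """First usable CA bundle: certifi's if installed, else a known path."""
    if use_certifi:
        try:
            import certifi
            return certifi.where()
        except ImportError:
            pass
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def apply_workaround(bundle):
    """Make OpenSSL read `bundle` for every context created from now on.
    Must run before the first HTTPS connection; existing contexts and
    already-open connections are unaffected."""
    os.environ["SSL_CERT_FILE"] = bundle
    return os.environ["SSL_CERT_FILE"]


def handshake_ok(host, port=443, timeout=10):
    """Definitive check (needs network): does a verified TLS handshake to
    `host` succeed? Pass the S3 endpoint your site uploads to."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, socket.error):
        return False


if __name__ == "__main__":
    have = loaded_roots()
    print("Amazon roots in default trust store:", have or "none")
    if not have:
        bundle = pick_bundle()
        if bundle:
            apply_workaround(bundle)
            print("SSL_CERT_FILE=%s ->" % bundle, loaded_roots() or "still none")
        else:
            print("No CA bundle found; install certifi or set SSL_CERT_FILE")
```

Run it in each application's Python console. A non-empty list from `loaded_roots()` means the interpreter already trusts the new roots; an empty list followed by a non-empty one after `apply_workaround` means the bundle workaround will fix that environment, and the `apply_workaround` call then belongs in a startup script that runs before any upload. Because `get_ca_certs()` only reports certificates that are actually loaded, it also exposes the Mari-style failure where a system bundle exists on disk but the interpreter never reads it. Before declaring victory, confirm with `handshake_ok()` against the endpoint your uploads use.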
The snippet can be downloaded or copy and pasted from:
If you are unable to fix the issue for any reason, please reach out to Shotgun Support. We will inform you of alternative options.