Amazon Certificate Authority Change

Overview

Starting Sunday, April 15, 2018, Amazon will begin changing the way its TLS certificates are signed, which could cause issues for some users of the Shotgun API. On hosted Shotgun sites, and in older or non-standard Python environments, this change could cause scripts that upload media to Shotgun or download files from Shotgun to crash. This document describes the change that is happening, the environments that are at risk from it, and how to work around the issue if you are running an environment that will break because of it.


What is changing

Between Sunday, April 15, 2018 and Monday, April 30, 2018, Amazon will change the root certificate authority (CA) for its TLS certificates. This update will affect the following Amazon endpoints:

  • s3-accelerate.amazonaws.com
  • *.s3-accelerate.amazonaws.com

These endpoints are used by Shotgun to upload media to Amazon S3.

Because this involves a change to the TLS certificate's root CA, it may be a breaking change for scripts running on older operating systems or in Python interpreters where the SSL certificates are not properly set up.

More details on root certificates

A certificate authority or certification authority (CA) is an entity that issues digital certificates, in this case TLS certificates. A client only accepts a server's TLS certificate if it was signed by a CA (directly or through a chain of intermediates) whose root certificate is already in the client's trust store; that signature is what lets the client trust the identity of the server it is connecting to.

More on the change from Amazon

The change means that the TLS certificates for Amazon services like AWS S3 will be using the new Amazon root certificate.

Read Amazon's announcement here: https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

Additional Amazon resources for verifying the root CA on a host system are available here: https://www.amazontrust.com/repository/

Why can this be a breaking change?

Older systems or Python environments whose trust store does not include the new Amazon root CA (or the one purchased by Amazon) will be impacted: the new TLS certificate will not appear valid to them when they make HTTPS calls to upload media directly to our S3 buckets. A root CA that cannot be validated can affect any one of the components below:

  • Shotgun Python API
  • Shotgun integrations


How can I know if my studio will be impacted?

We are providing a small Python script that lets you test whether you will be impacted by this change. You can run it within any Python environment in your studio, including application consoles and script editors. Its output indicates whether that environment will break once the root certificate is updated.

Be sure to test every operating system and Python environment where the Python API is used (including all application versions currently in use), even those not listed below among the applications at risk.

The script can be downloaded or copy and pasted from:

https://gist.github.com/khosrow/74901e58c6564587eaafbe53374422dd


Known Applications and Operating Systems at risk

We have tested the Python environments within all the applications we have an official integration for, on all our supported platforms. As a result of this testing we have seen an issue only with the application listed below.

Application     Version         Operating System
Foundry Mari    4.0v1, 4.0v3    CentOS 6

My studio is impacted… now what?

Ideally you would be able to update the impacted application or operating system to the latest version. Our testing shows that updating the impacted tool will resolve the issue.

The issues we have seen can be worked around by running some Python code that points the Python SSL module to an updated list of trusted certificates. For example, in Mari 4.0 on CentOS 6 there is a bug where Mari does not pick up the operating system's known trusted certificates. If you run the snippet of code linked below from a file in your Mari script path, the issue is worked around. As long as you run code like that snippet (providing an updated certificates file if there is not one on your system), the updated Amazon certificates should validate.

The snippet can be downloaded or copy and pasted from:

https://gist.github.com/khosrow/9fe715567a8a1c585796372bcfbac09b
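The following is an added compatibility check written for this article, not the gist linked above: it covers both the impact test described earlier and the workaround of pointing Python at an updated CA bundle. It assumes Python 3.7 or later (the linked gists targeted the Python 2 interpreters of the time); the paths in CANDIDATE_BUNDLES are assumed typical trust-store locations, not values from the article.

```python
import os
import socket
import ssl

ENDPOINT = "s3-accelerate.amazonaws.com"   # endpoint named in the article

# Typical OS trust-store locations (assumed paths; adjust for your hosts).
CANDIDATE_BUNDLES = [
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL / CentOS
    "/etc/ssl/certs/ca-certificates.crt",   # Debian / Ubuntu
    "/etc/ssl/cert.pem",                    # macOS / BSD
]

def pick_ca_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first readable CA bundle from candidates, or None."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None

def classify(exc):
    """Turn a handshake exception into a short verdict string."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted"     # chain did not validate: root CA missing
    if isinstance(exc, ssl.SSLError):
        return "tls-error"     # handshake failed for another TLS reason
    if isinstance(exc, OSError):
        return "unreachable"   # DNS, firewall, proxy or no network at all
    raise exc

def check_endpoint(host=ENDPOINT, port=443, cafile=None, timeout=10):
    """Handshake with host:port; 'trusted' means the chain validated.
    cafile=None uses the default trust store, as the Shotgun API does."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except Exception as exc:
        return classify(exc)

if __name__ == "__main__":
    paths = ssl.get_default_verify_paths()
    print("Default CA file / dir:", paths.cafile, paths.capath)
    print("Default trust store:", check_endpoint())
    bundle = pick_ca_bundle()
    if bundle:
        # Workaround: OpenSSL reads SSL_CERT_FILE when loading default certs,
        # so a current bundle here also reaches code that never passes cafile.
        os.environ["SSL_CERT_FILE"] = bundle
        print("Using", bundle + ":", check_endpoint())
```

Run it inside the application's own Python console: "untrusted" against the default store means that environment will break once the root changes, while "trusted" after SSL_CERT_FILE is set confirms the workaround applies there.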


If you are unable to fix the issue for any reason, please reach out to Shotgun Support. We will inform you of alternative options.


2 Comments

  • Benoit Leveau

    Just a note: the test script works fine if the test reports a success, but if it's reporting an error it's then listing the system certificates using code that won't work on typical versions of Python used in Maya, Nuke, etc.

    ssl.SSLContext was introduced in Python 2.7.9, and typical versions of Python found in Maya/Nuke are 2.7.3, 2.7.6.

  • Khosrow Ebrahimpour

    Thank you for the feedback, Benoit. We've updated the test script to remove the dependence on ssl.SSLContext.

    Edited by Khosrow Ebrahimpour