Add --aws-bundled-cert option and a hint about SSL_CERT_FILE

lib/kontena/machine/aws.rb

@@ -1,6 +1,17 @@
 module Kontena
   module Machine
     module Aws
+      def ssl_fail_message(used_option = false)
+        if used_option
+          "SSL certificate verify failed.\n" +
+          "You may need to download cacert.pem and set environment variable\n" +
+          "SSL_CERT_FILE=/path/to/cacert.pem"
+        else
+          "SSL certificate verify failed.\n" +
+          "Try running the command again with option --aws-bundled-cert"
+        end
+      end
+      module_function :ssl_fail_message
     end
   end
 end

lib/kontena/plugin/aws/master/create_command.rb

@@ -23,9 +23,13 @@ class CreateCommand < Kontena::Command
     option "--version", "VERSION", "Define installed Kontena version", default: 'latest'
     option "--associate-public-ip-address", :flag, "Whether to associated public IP in case the VPC defaults to not doing it", default: true, attribute_name: :associate_public_ip
     option "--security-groups", "SECURITY_GROUPS", "Comma separated list of security groups (names) where the new instance will be attached (default: create 'kontena_master' group if not already existing)"
+    option "--aws-bundled-cert", :flag, "Use CA certificate bundled in AWS SDK", default: false
 
     def execute
       require_relative '../../../machine/aws'
+
+      Aws.use_bundled_cert! if aws_bundled_cert?
+
       aws_access_key = ask_aws_access_key
       aws_secret_key = ask_aws_secret_key
       aws_region = ask_aws_region(aws_access_key, aws_secret_key)
@@ -55,6 +59,9 @@ def execute
           security_groups: security_groups,
           initial_admin_code: SecureRandom.hex(16)
       )
+    rescue Seahorse::Client::NetworkingError => ex
+      raise ex unless ex.message.match(/certificate verify failed/)
+      exit_with_error Kontena::Machine::Aws.ssl_fail_message(aws_bundled_cert?)
     end
 
     def provisioner(access_key, secret_key, region)

lib/kontena/plugin/aws/nodes/create_command.rb

@@ -18,13 +18,15 @@ class CreateCommand < Kontena::Command
     option "--version", "VERSION", "Define installed Kontena version", default: 'latest'
     option "--[no-]associate-public-ip-address", :flag, "Whether to associated public IP in case the VPC defaults to not doing it", default: true, attribute_name: :associate_public_ip
     option "--security-groups", "SECURITY GROUPS", "Comma separated list of security groups (names) where the new instance will be attached (default: create grid specific group if not already existing)"
+    option "--aws-bundled-cert", :flag, "Use CA certificate bundled in AWS SDK", default: false
 
     requires_current_master
 
     def execute
       require_current_grid
-
       require_relative '../../../machine/aws'
+      Aws.use_bundled_cert! if aws_bundled_cert?
+
       grid = fetch_grid(current_grid)
       aws_access_key = ask_aws_access_key
       aws_secret_key = ask_aws_secret_key
@@ -54,6 +56,9 @@ def execute
           associate_public_ip: associate_public_ip?,
           security_groups: security_groups
       )
+    rescue Seahorse::Client::NetworkingError => ex
+      raise ex unless ex.message.match(/certificate verify failed/)
+      exit_with_error Kontena::Machine::Aws.ssl_fail_message(aws_bundled_cert?)
     end
 
     # @param [String] id

lib/kontena/plugin/aws/nodes/restart_command.rb

@@ -8,6 +8,7 @@ class RestartCommand < Kontena::Command
     option "--access-key", "ACCESS_KEY", "AWS access key ID", environment_variable: "AWS_ACCESS_KEY_ID"
     option "--secret-key", "SECRET_KEY", "AWS secret access key", environment_variable: "AWS_SECRET_ACCESS_KEY"
     option "--region", "REGION", "EC2 Region", environment_variable: "AWS_REGION"
+    option "--aws-bundled-cert", :flag, "Use CA certificate bundled in AWS SDK", default: false
 
     requires_current_master
 
@@ -20,9 +21,13 @@ def execute
       aws_secret_key = ask_aws_secret_key
       aws_region = self.region || resolve_or_ask_region(node, aws_access_key, aws_secret_key)
       require_relative '../../../machine/aws'
+      Aws.use_bundled_cert! if aws_bundled_cert?
 
       restarter = restarter(aws_access_key, aws_secret_key, aws_region)
       restarter.run!(node_name)
+    rescue Seahorse::Client::NetworkingError => ex
+      raise ex unless ex.message.match(/certificate verify failed/)
+      exit_with_error Kontena::Machine::Aws.ssl_fail_message(aws_bundled_cert?)
     end
 
     def restarter(access_key, secret_key, region)

lib/kontena/plugin/aws/nodes/terminate_command.rb

@@ -9,6 +9,7 @@ class TerminateCommand < Kontena::Command
     option "--secret-key", "SECRET_KEY", "AWS secret access key", environment_variable: "AWS_SECRET_ACCESS_KEY"
     option "--region", "REGION", "EC2 Region (default: node's region)", environment_variable: "AWS_REGION"
     option "--force", :flag, "Force remove", default: false, attribute_name: :forced
+    option "--aws-bundled-cert", :flag, "Use CA certificate bundled in AWS SDK", default: false
 
     requires_current_master
 
@@ -23,9 +24,14 @@ def execute
 
       confirm_command(node_name) unless forced?
       require_relative '../../../machine/aws'
+      Aws.use_bundled_cert! if aws_bundled_cert?
+
       grid = client.get("grids/#{current_grid}")
       destroyer = destroyer(aws_access_key, aws_secret_key, aws_region)
       destroyer.run!(grid, node_name)
+    rescue Seahorse::Client::NetworkingError => ex
+      raise ex unless ex.message.match(/certificate verify failed/)
+      exit_with_error Kontena::Machine::Aws.ssl_fail_message(aws_bundled_cert?)
     end
 
     def destroyer(access_key, secret_key, region)