boto support for Amazon Trust Services migration


tl;dr: Will old boto versions that don't include the Amazon Trust Services certs become obsolete in a few months when Amazon migrates from DigiCert to Amazon Trust Services?

Amazon's CA for S3 is changing from DigiCert to Amazon Trust Services in a few months. They say clients should trust Amazon Trust Services' root certificates (i.e. have them listed in their trust store).

curl and Chrome respond well to the AWS test endpoints that check everything is trusted properly, meaning the root certs are in the OS trust store, but I have to make sure botocore 1.8.11 and boto 2.38 trust them as well. Why would they be any different? Because of this:

The .NET, Java, PHP, Go, JavaScript, and C++ SDKs and CLIs do not bundle any certificates, so their certificates come from the underlying operating system.

More recent versions of botocore and boto3 DO have the root certs bundled with them (e.g.),

  1. Does that mean the versions I'm using, which do not have the certs bundled, will be obsolete in a few months? Or did they also use the underlying OS trust store before the certs were bundled?
  2. Does using those boto versions to fetch an object from an already migrated region such as eu-west-3 mean I'm absolutely safe?

Of course, upgrading is what one should do, but that's very hard work in my situation.

Accepted answer:
  1. The bundled boto3 and botocore root certificates are just a fallback for when the root certificates aren't present on the OS.

    # Split the OS bundle at each BEGIN line and pipe every certificate through openssl to print its subject,
    # then keep only the Amazon Trust Services and Starfield roots
    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -e "Amazon Root CA" -e "Starfield"

    Should find the root certs, meaning all's good:

    subject= /C=US/O=Amazon/CN=Amazon Root CA 1
    subject= /C=US/O=Amazon/CN=Amazon Root CA 2
    subject= /C=US/O=Amazon/CN=Amazon Root CA 3
    subject= /C=US/O=Amazon/CN=Amazon Root CA 4
    subject= /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    subject= /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
    subject= /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2

  2. Yes.
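The awk/openssl one-liner above checks the OS bundle, but the question was whether boto and botocore trust the new roots, and a library only trusts what is in the bundle it actually loads. The script below is an added example (not code from the original post, AWS, boto or botocore): it loads a PEM bundle through Python's own ssl module, which is what both libraries ultimately hand the file to, lists the CA subjects it finds, and reports which of the roots the accepted answer greps for are missing. The bundle-discovery part is a labelled assumption: it looks for any .pem/.txt bundle shipped inside the installed boto/botocore package directories, and skips a library that is not installed. Note that it matches on every attribute value in the subject, not only the CN, because the Starfield Class 2 root carries its name in the OU field rather than in a CN, so a CN-only check would wrongly report it missing.

```python
"""Report whether the CA bundle a Python AWS client uses contains the Amazon Trust Services roots."""
import glob
import os
import ssl
import sys

# The roots the accepted answer's grep expects to find (Amazon Root CA 1-4 and the Starfield roots).
REQUIRED_ROOTS = (
    "Amazon Root CA 1",
    "Amazon Root CA 2",
    "Amazon Root CA 3",
    "Amazon Root CA 4",
    "Starfield Class 2 Certification Authority",          # named in OU, not CN
    "Starfield Root Certificate Authority - G2",
    "Starfield Services Root Certificate Authority - G2",
)


def subject_values(subject):
    """Flatten an ssl-module subject (tuple of RDNs, each a tuple of (type, value) pairs)
    into the set of attribute values, so CN and OU are matched alike."""
    return {value for rdn in subject for _, value in rdn}


def load_bundle_names(bundle_path):
    """Load a PEM bundle exactly as the ssl module would and return every subject
    attribute value of the CA certificates it accepted."""
    ctx = ssl.create_default_context(cafile=bundle_path)
    names = set()
    for cert in ctx.get_ca_certs():
        names |= subject_values(cert["subject"])
    return names


def missing_roots(present_names, required=REQUIRED_ROOTS):
    """Return the required root names that are absent, in the order they were listed."""
    present = set(present_names)
    return [name for name in required if name not in present]


def library_bundle_paths():
    """ASSUMPTION (not a documented API of either library): both boto 2 and botocore ship
    their CA bundle as a .pem or .txt file somewhere under the package directory, so
    glob for those. Libraries that are not installed are skipped."""
    found = {}
    for module_name in ("botocore", "boto"):
        try:
            module = __import__(module_name)
        except ImportError:
            continue
        package_dir = os.path.dirname(module.__file__)
        patterns = ("**/*.pem", "**/cacerts.txt", "**/cacert.txt")
        hits = []
        for pattern in patterns:
            hits.extend(glob.glob(os.path.join(package_dir, pattern), recursive=True))
        found[module_name] = sorted(set(hits))
    return found


def check_bundle(bundle_path):
    """Return (present_names, missing) for one bundle file."""
    names = load_bundle_names(bundle_path)
    return names, missing_roots(names)


if __name__ == "__main__":
    # Check the OS bundle (the path the accepted answer uses) plus whatever each library bundles.
    candidates = {"os": ["/etc/ssl/certs/ca-certificates.crt"]}
    candidates.update(library_bundle_paths())
    exit_code = 0
    for owner, paths in candidates.items():
        if not paths:
            print(f"{owner}: no bundled CA file found, so it relies on the OS trust store")
            continue
        for path in paths:
            if not os.path.isfile(path):
                print(f"{owner}: {path} does not exist")
                continue
            _, missing = check_bundle(path)
            status = "OK" if not missing else "MISSING " + ", ".join(missing)
            print(f"{owner}: {path}: {status}")
            exit_code |= 1 if missing else 0
    sys.exit(exit_code)
```

Run it with the same interpreter and virtualenv the application uses; an "OK" on the OS bundle and no bundled file for a library is the situation the accepted answer describes. Keep in mind that a bundle path can also be overridden outside the package: boto 2 honours a `ca_certificates_file` setting in its config file, and newer botocore honours the `AWS_CA_BUNDLE` environment variable, so if either is set, pass that path to `check_bundle` instead.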