How do I resolve the error "PKIX path validation failed" when I try to unlock my Snowball Edge device?

Resolution

If you plan to keep your AWS Snow Family device for more than 360 days, then update the Secure Sockets Layer (SSL) certificate. If you don't update the SSL certificate within 360 days, then you can't unlock your device and you have to return the device to AWS.

To check whether the SSL certificate is expired, choose either of the following options.

Run the following describe-device-software command in the Snowball Edge client:

snowballEdge describe-device-software

Example output:

Installed version: 101  
Installing version: 102  
Install State: Downloading  
CertificateExpiry: Thur Jan 01 00:00:00 UTC 1970

Note: The CertificateExpiry parameter is the time when the certificate expires.

-or-

Run the following openssl command in the Snowball Edge client:

openssl s_client -connect Snowball_IP_ADDRESS:9091 | openssl x509 -noout -enddate

Note: Replace Snowball_IP_ADDRESS with your device's IP address.

Example output:

depth=1 CN = AWS Import/Export Root Job JID1234567890  
verify error:num=19:self signed certificate in certificate chain  
verify return:0  
notAfter=Aug 28 17:34:54 2023 GMT

Note: The notAfter parameter is the time when the certificate expires.

If the SSL certificate expired on the Snowball Edge device, then you can't update the certificate. Return the device back to AWS, and then order a replacement device.

Related information

Creating a job to order a Snowball Edge device

Configuring and using the Snowball Edge Client