SSM Patch Manager Scan Error: "InsecureRequestWarning: Unverified HTTPS request is being made"

0

Hello everyone, I'm using the SSM Patch Manager Scan task (AWS-RunPatchBaseline) once a week on some EC2 instances, some Ubuntu 20 and some AmazonLinux2.

Everything was fine since the 16th of January, as the task would complete successfully for every instance. Starting from the 23rd of January, the task fails on every Ubuntu instance with the following error in the standardError result:

"/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\nfailed to run commands: exit status 1".

Fun fact: the same identical warning is also there on the AmazonLinux instances, but the command does not fail with exit code 1.

I don't think anything changed on those Ubuntu instances in the meantime, except maybe some unattended upgrades.

I already tried the latest available SSM agent version, 3.2.532.0, and re-ran the Scan, but the outcome is the same.

What could the problem be, and how could it be solved?

I leave here the ssm-agent logs, thanks in advance.

2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Done
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [CommandProcessorWrapper] received plugin: PatchLinux result from Processor
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received reply for RunCommandResult aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d with message id 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Got reply msg Id 1219c4ea-3561-49ad-952a-5f3336a36f1e for RunCommandResult aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d, starting reply thread
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] started reply processing - 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Sending reply {
  "additionalInfo": {
    "agent": {
      "lang": "en-US",
      "name": "amazon-ssm-agent",
      "os": "",
      "osver": "1",
      "ver": ""
    },
    "dateTime": "2023-02-01T13:52:42.872Z",
    "runId": "",
    "runtimeStatusCounts": {
      "Failed": 1,
      "Skipped": 1
    }
  },
  "documentStatus": "InProgress",
  "documentTraceOutput": "",
  "runtimeStatus": {
    "PatchLinux": {
      "status": "Failed",
      "code": 1,
      "name": "aws:runShellScript",
      "output": "/usr/bin/python3\n/usr/bin/python2.7\n/usr/bin/python2\n/usr/bin/python\n/usr/bin/apt-get\nReading package lists...\nBuilding dependency tree...\nReadingstate information...\npython3-apt is already the newest version (1.6.6).\nThe following packages were automatically installed and are no longer required:\n  linux-aws-5.4-headers-5.4.0-1085 linux-headers-4.15.0-197\n  linux-headers-4.15.0-197-generic linux-headers-5.4.0-1085-aws\n  linux-image-4.15.0-197-generic linux-image-5.4.0-1085-aws\n  linux-modules-4.15.0-197-generic linux-modules-5.4.0-1085-aws\n  linux-modules-extra-4.15.0-197-generic\nUse 'apt autoremove' to remove them.\n0 upgraded, 0 newly installed, 0 to remove and 55 not upgraded.\nUsing python binary: 'python3'\nUsing Python Version: Python 3.6.9\n02/01/2023 14:52:35 root [INFO]: Downloading payload from https://s3.dualstack.eu-south-1.amazonaws.com/aws-patch-manager-eu-south-1-c52f3f594/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.100.tar.gz\n02/01/2023 14:52:35 root [INFO]: Attempting to import entrance file os_selector\n02/01/2023 14:52:36 root [INFO]: Running with snapshot id = 2b11b799-73e8-4567-9dc6-9e8c40101338 and operation = Scan\n02/01/2023 14:52:36 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials\n02/01/2023 14:52:36 root [INFO]: Instance Id: i-0b1836a486824d20d\n02/01/2023 14:52:36 root [INFO]: Region: eu-south-1\n02/01/2023 14:52:36 root [INFO]: Product: Ubuntu18.04\n02/01/2023 14:52:36 root [INFO]: Patch Group: \n02/01/2023 14:52:36 root [INFO]: Operation type: Scan\n02/01/2023 14:52:36 root [INFO]: Snapshot Id: 2b11b799-73e8-4567-9dc6-9e8c40101338\n02/01/2023 14:52:36 root [INFO]: Patch Baseline: {'accountId': '237742590236', 'baselineId': 'pb-04615267655bfc0f4', 'name': 'InxUbuntu', 'globalFilters': {'filters': []}, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['*']}, {'key': 'SECTION', 'values': 
['*']}, {'key': 'PRIORITY', 'values': ['Required', 'Important']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 0, 'approveUnti\n---Output truncated---\n----------ERROR-------\n/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nfailed to run commands: exit status 1",
      "startDateTime": "2023-02-01T13:52:34.232Z",
      "endDateTime": "2023-02-01T13:52:42.870Z",
      "outputS3BucketName": "",
      "outputS3KeyPrefix": "",
      "stepName": "",
      "standardOutput": "/usr/bin/python3\n/usr/bin/python2.7\n/usr/bin/python2\n/usr/bin/python\n/usr/bin/apt-get\nReading package lists...\nBuilding dependency tree...\n
-------------------------------------
---- LIST OF LOTS OF APT PACKAGES
-------------------------------------
-dev.amd64', 'installedTime': 1654041792.6328669, 'state': 'InstalledOther'}, 'dsniff.amd64:2.4b1+debian-28.1~build1': {'id': 'dsniff.amd64', 'installedTime': 1616790243.0
63162, 'state': 'InstalledOther'}, 'eatmydata.amd64:105-6': {'id': 'eatmydata.amd64', 'installedTime': --output truncated--",
      "standardError": "/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nfailed to run commands: exit status 1"
    }
  }
}
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] successfully sent reply message id: 30104615-d7cc-4428-a4ca-ffb807869dac
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [aeb48a17-5e94-4c8a-be85-ef64685132dc] Executer closed
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] execution of aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d is over. Removing interimState from current folder
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [aeb48a17-5e94-4c8a-be85-ef64685132dc] mast** listener stopped on path: /var/lib/amazon/ssm/i-0b1836a486824d20d/channels/aeb48a17-5e94-4c8a-be85-ef64685132dc
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 1219c4ea-3561-49ad-952a-5f3336a36f1e for message id 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 2687a09b-afb7-46cc-bb13-8e85d4aa1d61 for message id 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 2687a09b-afb7-46cc-bb13-8e85d4aa1d61
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 30104615-d7cc-4428-a4ca-ffb807869dac for message id c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 30104615-d7cc-4428-a4ca-ffb807869dac
asked a year ago, 743 views
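The standardError value quoted in the question, run through a small triage as an added example (not code from any poster, the SSM agent or the patch baseline payload): it separates Python warning records from everything else, so you can see whether stderr holds anything beyond the warning and the exit status. The function names are hypothetical and the sample string is constructed from the text quoted above.

```python
import re

# Constructed sample: the standardError value quoted in the question.
SAMPLE_STDERR = (
    "/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: "
    "InsecureRequestWarning: Unverified HTTPS request is being made. "
    "Adding certificate verification is strongly advised. See: "
    "https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n"
    "  InsecureRequestWarning)\n"
    "failed to run commands: exit status 1"
)

# Python's default warning format is "<file>:<lineno>: <Category>: <message>",
# followed by one indented line echoing the source statement that raised it.
WARNING_HEAD = re.compile(
    r"^(?P<file>\S+):(?P<line>\d+): (?P<category>\w+Warning): (?P<msg>.*)$"
)
EXIT_STATUS = re.compile(r"exit status (\d+)")


def triage_stderr(stderr: str) -> dict:
    """Split stderr into Python warnings, the exit status, and other lines."""
    warnings, other, exit_status = [], [], None
    after_head = False
    for line in stderr.splitlines():
        head = WARNING_HEAD.match(line)
        if head:
            warnings.append(head.groupdict())
            after_head = True
            continue
        if after_head and line.startswith((" ", "\t")):
            after_head = False  # indented source echo belongs to the warning
            continue
        after_head = False
        status = EXIT_STATUS.search(line)
        if status:
            exit_status = int(status.group(1))
        elif line.strip():
            other.append(line)  # tracebacks or real error text would land here
    return {"warnings": warnings, "exit_status": exit_status, "other": other}


def needs_stdout_review(result: dict) -> bool:
    """True when the command failed but stderr carries only warnings."""
    return bool(result["exit_status"]) and not result["other"]


if __name__ == "__main__":
    print(triage_stderr(SAMPLE_STDERR))
```

When `needs_stdout_review` returns True, the cause of the non-zero exit is not in stderr, and the untruncated command output (for example via the S3 output options of Run Command) is the place to look.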
4 Answers
0
Accepted Answer

By the way, just to let you know, this issue has gone from the scans starting from today, or, at least, I only realised it today.

answered a year ago
0

The error message is related to a warning from the Python library "urllib3" regarding unverified HTTPS requests. This is likely because the Python installation on the Ubuntu instances is missing the required certificates to verify the HTTPS connection. The error only occurs on the Ubuntu instances because the AmazonLinux instances likely have the necessary certificates installed.

To resolve this issue, you could try updating the CA certificates on the affected Ubuntu instances, which would allow them to verify the HTTPS connections. You can do this by running the following command:

sudo apt-get install ca-certificates

After the installation, restart the ssm-agent and run the Scan task again to verify if the error still occurs.

answered a year ago
0

Thanks for the answer, Divyam. I tried to install ca-certificates on one of the instances, but it was already installed and at the latest version.

I also tried to restart the SSM agent and redo the scan, but the result was the same.

answered a year ago
0

Hello, any other ideas? Is there any way to open an issue on the SSM agent project, or is there a project dedicated to the AWS-RunPatchBaseline document?

answered a year ago
