Good solutions for amazon certificates? (computers have no internet access)

Question,

We have a company-wide firewall that blocks all except certain IPs. Is there a list for the Amazon IPs for sg.upload now that Shotgun uses Amazon cloud for the data? Our IT tried, but the IPs keep changing. I’m not entirely sure, but they said it was difficult to get a list that was consistent. Is there a better way to whitelist the Amazon IPs so that it can get the new SSL certificates?

We also hit this problem occasionally. This page contains a list of IPs: Shotgun ecosystem – Shotgun Support
At the bottom is also a JSON file with the CDN IPs, which are dynamic.

I guess a good option is simply to automate the list import into the firewall. The IPs will change, but you will be able to react quickly. We still haven’t done this, but should.
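One way to automate the import suggested in the reply above, as an added example that is not part of the original thread or any Shotgun tooling: it turns a downloaded IP-range feed into the add/remove changes for a firewall allowlist. It assumes the feed uses the layout of AWS's published `ip-ranges.json` (`prefixes` entries with `ip_prefix`, `region`, `service`); the JSON file on the Shotgun support page may be laid out differently, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json
# (documentation-range addresses, not real AWS prefixes).
SAMPLE_FEED = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})


def wanted_networks(feed_text, services, regions=None):
    """Return the collapsed IPv4 networks for the chosen services/regions."""
    feed = json.loads(feed_text)
    nets = []
    for entry in feed.get("prefixes", []):
        if entry.get("service") not in services:
            continue
        if regions is not None and entry.get("region") not in regions:
            continue
        # strict=True rejects entries with host bits set (malformed feed).
        nets.append(ipaddress.ip_network(entry["ip_prefix"], strict=True))
    # Merge adjacent/overlapping ranges so the rule set stays small.
    return list(ipaddress.collapse_addresses(nets))


def allowlist_diff(current_rules, feed_text, services, regions=None):
    """Compare the firewall's current CIDRs with the feed; return (add, remove)."""
    new = {str(n) for n in wanted_networks(feed_text, services, regions)}
    old = {str(ipaddress.ip_network(c)) for c in current_rules}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    # Constructed "currently allowed" list: one range still valid, one stale.
    current = ["203.0.113.0/24", "198.18.0.0/24"]
    add, remove = allowlist_diff(current, SAMPLE_FEED, {"S3", "CLOUDFRONT"})
    for cidr in add:
        print("ADD   ", cidr)
    for cidr in remove:
        print("REMOVE", cidr)
```

Restricting `services` and `regions` to what the site actually uses keeps the allowlist narrower than the full feed, and reviewing the `remove` list before applying it avoids dropping a range that is still in use.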

gotcha…

Do you know of a way to figure out which certificate is out of date? We have a number of computers that don’t connect to the internet, and it would seem IT doesn’t want to whitelist IPs currently… Is there a way to figure out which certificate needs updating? I’ve tried manually adding literally every cert on the amazontrusted repository, and it still gives me SSL verification errors… specifically
[image]
This only started happening a couple of days ago… I’ve had it happen before and I just had to add SFSRootCAG2.cer and everything was fine… but it would seem it’s a different certificate that is now out of date…

I don’t know, really. Shotgun has a tool for checking connections to the Shotgun network which might give you some insight.

This page might be useful too: Diagnosing performance issues with hosted Shotgun sites – Shotgun Support

Hi @Ross_Macaluso, I don’t know if this is 100% related to this problem, but I think this can help you: CERTIFICATE_VERIFY_FAILED error on Windows

Same error, but I’ve already added all the certs (Amazon Trust Services Repository); must be missing one… This is a non-issue on the couple of computers that do have full access to the internet, they correctly get the missing cert, so it’s not quite the same issue… It’s a self-created problem because most of our computers have 0 outside internet access :(

@mmoshev this looks promising, hopefully the s3 test .py they have in that repo is exactly what I need to trace the missing cert… Thanks man! Going to try it later today.