Symptoms

The deploy script is unable to build trust and fails with the error:

Failed to authenticate with PrivX: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)

Circumstances

The PrivX instance is running in Amazon and the TLS certificate is provided by an AWS CA (e.g. using AWS ALB).

Solution

  1. Prepend the Amazon Root CA certificate to the trust anchor certificate chain
  2. Run /opt/privx/scripts/init_nginx.sh update-trust /path/to/ca_chain.crt
  3. Restart the PrivX service
  4. Redownload the deploy script
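
One way to do step 1 so that it can be re-run without duplicating the root certificate. This is an added example, not part of the PrivX scripts. The function names and the file name amazon_root_ca.pem are assumptions, and the root CA file is expected to be one you have already downloaded in PEM format.

```shell
#!/bin/sh
# Added example for step 1. File names are assumptions, not PrivX defaults.

# True if the file holds at least one PEM certificate and every BEGIN has an END.
is_pem_bundle() {
    [ -r "$1" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Number of certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print only the first PEM block of a file (drops any text before or after it).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# prepend_root_ca ROOT_PEM CHAIN OUT
# Writes OUT with the root CA first, followed by the existing chain.
# Safe to re-run: if CHAIN already starts with the root, it is copied unchanged.
prepend_root_ca() {
    root=$1 chain=$2 out=$3
    for f in "$root" "$chain"; do
        is_pem_bundle "$f" || { echo "not a PEM bundle: $f" >&2; return 1; }
    done
    [ "$(count_certs "$root")" -eq 1 ] ||
        { echo "expected exactly one certificate in $root" >&2; return 1; }
    tmp="$out.tmp.$$"
    if [ "$(first_cert "$chain")" = "$(first_cert "$root")" ]; then
        cat "$chain" > "$tmp"
    else
        { first_cert "$root"; cat "$chain"; } > "$tmp"
    fi
    mv "$tmp" "$out"
}

# Usage (then continue with step 2 on the resulting file):
#   prepend_root_ca amazon_root_ca.pem ca_chain.crt ca_chain.crt
```

The function only checks PEM framing and ordering. It does not validate the certificates themselves, so confirm the root CA file's fingerprint against the issuer's published value before trusting it.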