Bug: sam local invoke throws exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: about aws-sam-cli HOT 10 OPEN

➜ test-project sam --info
{
"version": "1.109.0",
"system": {
"python": "3.12.2",
"os": "macOS-14.3-arm64-arm-64bit"
},
"additional_dependencies": {
"docker_engine": "20.10.21",
"aws_cdk": "Not available",
"terraform": "Not available"
},
"available_beta_feature_env_vars": [
"SAM_CLI_BETA_FEATURES",
"SAM_CLI_BETA_BUILD_PERFORMANCE",
"SAM_CLI_BETA_TERRAFORM_SUPPORT",
"SAM_CLI_BETA_RUST_CARGO_LAMBDA"
]
}

from aws-sam-cli.

Template.yaml:

AppFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: java17
Handler: uk.gov.dwp.coldweatherpay.weatherdatacapture.lambda.DailyLambdaHandler::handleRequest
Timeout: 60
MemorySize: 512
CodeUri: ./target/weather-data-capture-1.0.0.jar

from aws-sam-cli.

Hey @vamsikrishna507, does this network call succeed if you run your code outside of SAM CLI (and outside of a container)?

from aws-sam-cli.

Hello mildaniel,

Yes, It works outside of the container and even it works when i deploy the code in to aws environment and testing there

from aws-sam-cli.

This is blocking testing of lambda locally and please prioritise with workaround to continue

from aws-sam-cli.

Hi, is there a custom certificate that is suppose to be used to complete the API calls? If there is a custom certificate that is being used to call the API, then those aren't passed into the invoke container on it's own, and you may need to create a custom invoke image to use locally.

A workaround for this is to test on the cloud, using sam sync, you can synchronize any code changes to the cloud, and use sam remote invoke to invoke that function.

from aws-sam-cli.

Hello,

can you share a snippet of docker file to generate image locally using docker file and run it locally which can copy the certificate?

from aws-sam-cli.

If you have a certificate, you can create a Dockerfile based off the the existing Java 17 Lambda runtime image (public.ecr.aws/lambda/java:17) to copy the certificate into the image's key store so that it can be used. Depending on what certificate you have, you can use keytool to import the certificate. The Dockerfile would look something like this:

FROM public.ecr.aws/lambda/java:17

ADD your_certificate.crt /some/path/in/image
RUN keytool -importcert -file <the added cert> -storepass <password> -keystore <keystore name>

You'll have to upload the build Docker image somewhere (I used AWS ECR), and then use it with sam local invoke --invoke-image <url to uploaded image>.

Something worth noting is that you mentioned the network call works when it was deployed to AWS. Did you end up using or uploading your certificate somewhere in AWS?

from aws-sam-cli.

Hello,

Thanks for the details.
I didn't upload any certificate in AWS for running the lambda function but it worked

from aws-sam-cli.

Thanks for the response. Do other projects work when invoking in a container? You can use sam init to create a Java based hello world project that will perform a network call to get the machine's public facing IP address. When you have the hello world project, you can sam build and sam local invoke to see if the network call works.

from aws-sam-cli.