This one was fun.
Issue
The error presented when attempting to label S3 buckets for use by Amanda in a virtual tape changer configuration. The OS is Linux and the distribution, Gentoo.
The exact error encountered was
labeling tape in slot 1 (s3:myBucket/backupSet/0001/):
Reading label...
While trying to read tapestart header: CURL error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (CURLcode 60)
Reading the tape label failed:
Error was Device error.
Cause
The error is related to curl’s desire to perform peer SSL certificate verification as a default. This is a “good thing” and requires minimal intervention to work around once an admin is aware of the issue.
Reference: http://curl.haxx.se/docs/sslcerts.html
Resolution
Gentoo centralizes a collection of CA certificate PEM files with the app-misc/ca-certificates package in portage. This should be installed as part of a normal Gentoo system, however, it is possible that a particular CA PEM may be absent. In this case, download the missing PEM file and place it in /etc/ssl/certs. Once this is done be sure to run the following command to update the local system certificate store:
update-ca-certificates
Tools for extracting Common CA PEM files from Mozilla projects and a standard PEM bundle can be found at: http://curl.haxx.se/docs/caextract.html