Amanda amlabel CURL error: SSL certificate problem when using S3 buckets

This one was fun.

Issue

The error appeared when attempting to label S3 buckets for use by Amanda in a virtual tape changer configuration. The OS is Linux and the distribution is Gentoo.

The exact error encountered was:

labeling tape in slot 1 (s3:myBucket/backupSet/0001/):
Reading label...
While trying to read tapestart header: CURL error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (CURLcode 60)
Reading the tape label failed:
    Error was Device error.

Cause

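The error stems from curl performing peer SSL certificate verification by default: verification fails when the CA that issued the server's certificate is missing from the local certificate store. This is a “good thing”, and resolving the error requires minimal intervention once an admin is aware of the issue.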

Reference: http://curl.haxx.se/docs/sslcerts.html

Resolution

Gentoo centralizes a collection of CA certificate PEM files in the app-misc/ca-certificates package in portage. This package should be installed as part of a normal Gentoo system; however, it is possible that a particular CA PEM is absent. In that case, download the missing PEM file and place it in /etc/ssl/certs. Once this is done, be sure to run the following command to update the local system certificate store:

update-ca-certificates

Tools for extracting common CA PEM files from Mozilla projects, as well as a standard PEM bundle, can be found at: http://curl.haxx.se/docs/caextract.html
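
Before a downloaded PEM goes into /etc/ssl/certs, it can be inspected and dry-run in a scratch directory. The script below is an added example, not part of the original post; the function names and the throwaway "Constructed Example CA" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: vet a CA PEM and dry-run it in a
# scratch directory before it goes into /etc/ssl/certs.

# ca_summary PEM: print subject, issuer, expiry and SHA-256 fingerprint.
# Compare the fingerprint with the value the CA publishes before trusting it.
ca_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# chain_ok CERT CAPATH: succeed only if CERT verifies against CAPATH.
chain_ok() {
    openssl verify -no-CAfile -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# stage_ca PEM DIR: copy PEM into DIR and add the <subject-hash>.0 symlink
# that OpenSSL uses to look certificates up in a CA directory.
stage_ca() {
    name=$(basename "$1")
    hash=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    cp "$1" "$2/$name" && ln -sf "$name" "$2/$hash.0"
}

# demo: constructed throwaway CA; verification fails, then passes once staged.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null || return 1
    ca_summary "$work/ca.pem"
    if chain_ok "$work/ca.pem" "$work/certs"; then before=trusted; else before=untrusted; fi
    stage_ca "$work/ca.pem" "$work/certs"
    if chain_ok "$work/ca.pem" "$work/certs"; then after=trusted; else after=untrusted; fi
    rm -rf "$work"
    echo "before=$before after=$after"
}

demo
```

On the real system, run ca_summary on the downloaded PEM and compare the fingerprint first, then copy the file to /etc/ssl/certs and run update-ca-certificates as described above.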