This one was fun.
The error presented when attempting to label S3 buckets for use by Amanda in a virtual tape changer configuration. The OS is Linux and the distribution, Gentoo.
The exact error encountered was
labeling tape in slot 1 (s3:myBucket/backupSet/0001/): Reading label... While trying to read tapestart header: CURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (CURLcode 60) Reading the tape label failed: Error was Device error.
The error is related to curl’s desire to perform peer SSL certificate verification as a default. This is a “good thing” and requires minimal intervention to work around once an admin is aware of the issue.
Gentoo centralizes a collection of CA certificate PEM files with the app-misc/ca-certificates package in portage. This should be installed as part of a normal Gentoo system, however, it is possible that a particular CA PEM may be absent. In this case, download the missing PEM file and place it in /etc/ssl/certs. Once this is done be sure to run the following command to update the local system certificate store:
Tools for extracting Common CA PEM files from Mozilla projects and a standard PEM bundle can be found at: http://curl.haxx.se/docs/caextract.html