Hi Tim,
Thanks for continuing to look into this.
If it’s missing in current and recently replaced AMIs, it most definitely is a Wowza issue: the AMIs as packaged are broken, because SSL client connections cannot validate against the installed CA certificates. That’s been my point all along.
rpm -V reports that it was removed from the RPM as distributed by Amazon:
[ec2-user@ip-10-x-y-z tls]$ rpm -V ca-certificates-2010.63-3.7.amzn1.noarch
missing /etc/pki/tls/cert.pem
It’s also present in the (presumably) upstream Amazon Linux 2013.09 AMI. You can test the difference by doing the following on a Wowza AMI and an Amazon Linux AMI:
Wowza, before /etc/pki/tls/cert.pem is fixed:
$ wget https://www.google.com/
--2013-10-17 18:55:23-- https://www.google.com/
Resolving www.google.com (www.google.com)... 74.125.20.103, 74.125.20.104, 74.125.20.105, ...
Connecting to www.google.com (www.google.com)|74.125.20.103|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘/C=US/O=Google Inc/CN=Google Internet Authority G2’:
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Amazon Linux, or Wowza with proper /etc/pki/tls/cert.pem:
$ wget https://www.google.com/
--2013-10-17 18:57:31-- https://www.google.com/
Resolving www.google.com (www.google.com)... 173.194.33.179, 173.194.33.180, 173.194.33.176, ...
Connecting to www.google.com (www.google.com)|173.194.33.179|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
[ <=> ] 18,626 --.-K/s in 0.006s
2013-10-17 18:57:31 (2.86 MB/s) - ‘index.html’ saved [18626]
Thanks,
Andy
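
Added example, not part of the original post: a shell check that classifies the state of the CA bundle path named above, so a broken image can be caught before TLS clients fail. It goes beyond the single missing-file case in the post; the function name and the state strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Classify the CA bundle that TLS clients such as wget rely on.
# Default path is the one from the post; pass another path to check it.
# Function name and state strings are hypothetical, chosen for this example.

ca_bundle_state() {
    bundle="${1:-/etc/pki/tls/cert.pem}"

    # A symlink whose target is gone fails the same way as a missing file.
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "dangling-symlink"
        return 0
    fi
    if [ ! -e "$bundle" ]; then
        echo "missing"
        return 0
    fi
    if [ ! -r "$bundle" ]; then
        echo "unreadable"
        return 0
    fi

    # Count PEM certificate blocks; a file with none cannot anchor any chain.
    # grep -c exits non-zero on zero matches, hence the "|| true".
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "no-certificates"
        return 0
    fi

    echo "ok:$count"
}

# Stand-alone use: print the state of the given (or default) path.
ca_bundle_state "$@"
```

Any state other than `ok:N` means certificate verification against that path will fail, as in the first wget run above.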