71

I installed the AWS CLI on Windows Server 2007 32-bit.

aws --version
aws-cli/1.8.8 Python/2.7.9 Windows/2008Server 

I configured the AWS CLI using keys.

Once I run the command below to test AWS S3, I get this SSL error:

aws s3 ls
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Please help to get rid of this basic error.

petezurich
DD Dev

24 Answers

59

If you want to use SSL and not have to specify the --no-verify-ssl option, then you need to set the AWS_CA_BUNDLE environment variable, e.g. from PowerShell:

setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

The PEM file is a saved copy of the root certificate for the AWS endpoint you are trying to connect to. To generate it, first export the certificate in DER format (for details on how to do this, see here). Then run the following command to convert it to PEM format:

openssl x509 -inform der -in "C:\Users\UserX\Documents\RootCert.der" -out RootCert.pem

If you are using PowerShell and not bash, then you will need to install openssl first.

For a full list of environment variables supported by the AWS CLI, see here.

Xcalibur
  • 7
    This is it: don't use --no-verify-ssl as it's unsafe, better trust your local network root certificate. – birdypme Aug 01 '19 at 09:47
  • It worked with --no-verify-ssl for me, but not with --ca-bundle. The GUI for my s3 repository is https:///_/s3brower, so I tried to export the certificate with: `openssl s_client -showcerts -connect :443 /dev/null|openssl x509 -outform PEM > MyRootCertificate.pem` Did I do something wrong? – Manur Aug 24 '20 at 15:33
  • 2
    Replying to my own comment: Warning: I got a list of certificates. **This command only exports the first certificate of the list** to .pem format. In my case, it was the last certificate of the list that worked. I had to extract it manually and put it alone in a file before converting it to PEM. – Manur Aug 24 '20 at 15:47
  • 1
    This *is* the solution. I was getting a similar error when connecting from my corporate network and accessing AWS services and getting Python to update the Certifi package. Add these environment variables: AWS_CA_BUNDLE and REQUESTS_CA_BUNDLE – c121hains Apr 27 '21 at 00:00
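An added example, not part of the answer or comments above: the DER-to-PEM conversion and the whole-chain caveat from the comments, done with Python's standard ssl module so that every certificate in an s_client-style dump is kept (not just the first one that `openssl x509` emits), duplicates are dropped, and the result can be written to the file AWS_CA_BUNDLE points at. The certificate bytes are constructed placeholders rather than real certificates, and the function names are assumptions of this example.

```python
import re
import ssl

# Matches every PEM certificate block in a text dump, e.g. the output of
# "openssl s_client -showcerts", which prints the whole chain. Piping that
# straight into "openssl x509" keeps only the first block (see the comments
# above); this keeps all of them.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

def der_to_pem(der_bytes: bytes) -> str:
    """Same conversion as 'openssl x509 -inform der' for one certificate."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)

def pem_to_der(pem_block: str) -> bytes:
    """Inverse of der_to_pem; raises ValueError if the PEM armour is missing."""
    return ssl.PEM_cert_to_DER_cert(pem_block)

def split_pem_bundle(text: str) -> list[str]:
    """Return every certificate block found in text, in order."""
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(text)]

def build_ca_bundle(*sources: str) -> str:
    """Merge PEM sources into one bundle to point AWS_CA_BUNDLE at.

    Certificates are deduplicated by DER bytes, so appending the corporate
    root to a copy of the default bundle (e.g. certifi's cacert.pem) twice
    does not double it up, and each block is re-emitted with clean wrapping.
    """
    seen: set[bytes] = set()
    out: list[str] = []
    for src in sources:
        for block in split_pem_bundle(src):
            der = pem_to_der(block)
            if der not in seen:
                seen.add(der)
                out.append(der_to_pem(der))
    return "".join(out)

# Constructed sample data: arbitrary bytes standing in for DER certificates.
# They are NOT real certificates and would not load into an SSL context.
SAMPLE_ROOT_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_INTERMEDIATE_DER = b"\x30\x03\x02\x01\x02"
# Mimics an s_client dump: the intermediate first, the root last.
SAMPLE_CHAIN_DUMP = (
    "Certificate chain\n 0 s:CN=example\n" + der_to_pem(SAMPLE_INTERMEDIATE_DER)
    + " 1 s:CN=root\n" + der_to_pem(SAMPLE_ROOT_DER)
)
```

Write the string returned by build_ca_bundle to a file and point AWS_CA_BUNDLE (or --ca-bundle) at it; with real certificates the whole chain, including the corporate root, then ends up in the bundle.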
35

Use this option with your command:

--no-verify-ssl
desertnaut
dipt
    Using --no-verify-ssl is unsafe. This usually comes from security considerations by the network team in a corporate environment, in which case trusting the root certificate is much better. See @Xcalibur's answer. – birdypme Aug 01 '19 at 09:48
  • 1
    This suggestion totally undermines the security provided by SSL... don't use this. – Miroslav Karpíšek Sep 23 '22 at 09:27
  • 1
    Disabling ssl is never a good idea. Should be used only under extreme necessity. – HFSDev Sep 23 '22 at 13:38
23

Not sure if it's related to the OP's issue; however, one of our devs had this issue this morning, and it turned out he was using Fiddler (on Windows) to debug other issues. After stopping Fiddler (which was intercepting HTTPS traffic), the issue was resolved.

mlo55
6

I had the same issue on Windows 10. It happens to be due to the AWS CLI not reading the internet proxy setting from the Windows registry. I fixed the same error by setting the environment variables HTTP_PROXY and HTTPS_PROXY to the corporate internet proxy. Hope it helps somebody!

Eugene Komisarenko
6

I added the certificate to C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem and it resolved the problem.

shashi
  • 2
    which certificate? – Ankit Jain Sep 20 '21 at 08:30
  • 1
    If you're in a corporate environment it will be the cert provided by your IT team to add your proxy (that inspects your traffic). SSL connections will complain that your proxy is acting as a MITM unless you add its cert to the chain. – jpmorris Dec 01 '21 at 18:43
5

Mine was resolved with:

pip install awscli --force-reinstall --upgrade
Zaur
  • 2
    I cannot do this, because the pip SSL has the same problem :( – MikeF Jul 20 '21 at 15:28
  • 2
    @MikeF either your local certificates are old (e.g. Ubuntu updates them with update-ca-certificates) OR your company is using tools like Netscope to track your activity. Such tools use custom certificates and traffic goes via the local proxy. You need to create a ticket with the Security team to update their local certificates. – Zaur Jul 21 '21 at 16:06
3

I ran into a similar issue on Mac OSX in the company/corporate network. If you don't know the proxy URL, get it from your company's network administrator and configure it with the following commands.

Linux, macOS, or Unix

$ export HTTP_PROXY=http://proxy.example.com:1234
$ export HTTPS_PROXY=https://proxy.example.com:1234

Windows

$ set HTTP_PROXY=http://proxy.example.com:1234
$ set HTTPS_PROXY=https://proxy.example.com:1234

More information

Lahar Shah
2

My issue was our company's VPN. It worked after I disconnected from the VPN.

2

Linux:
$ export AWS_CA_BUNDLE="/data/ca-certs/ca-bundle.pem"

Windows:
PS C:\> setx AWS_CA_BUNDLE C:\data\ca-certs\ca-bundle.pem

$ aws s3 ls --ca-bundle "/data/ca-certs/ca-bundle.pem"
  • 4
    Your answer can be improved by explaining (1) what the commands do, (2) referencing to documentation that supports your answer, (3) properly formatting code snippets – st.huber Jan 24 '22 at 14:10
2

AWS has already posted a clean solution for this; here it is. Instead of hacking your system, the CLI now supports passing it a .pem file with the CA chain it should use to communicate with your proxy:

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed

To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, the --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable.

eco
1

I believe this option will have been tried already, but I'm putting it here for everyone's reference:

When you have a proxy added to your EC2 machines and they are in a private subnet with an S3 VPC endpoint attached, I was getting the same error.

Bypassing the proxy using no_proxy for the bucket as per https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/

didn't help me and it was still failing with the same error.

The only catch here was that we needed to add the endpoint URL, which is s3.ap-southeast-2.amazonaws.com, as below, and it worked for me:

export NO_PROXY=169.254.169.254,s3.ap-southeast-2.amazonaws.com

169.254.169.254 is used to access instance role credentials in my case.

Satya
0

I had a similar issue and solved it by setting the proxy as follows:

$ set HTTP_PROXY=http://proxy.example.com:1234

$ set HTTPS_PROXY=https://proxy.example.com:1234
Kate Orlova
0

When you use an AWS CLI command, you receive a "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed" error message. This is caused by the AWS CLI not trusting your proxy's certificate due to factors such as your proxy's certificate being self-signed, with your company set as the Certification Authority (CA). This prevents the AWS CLI from finding your company's CA root certificate in the local CA registry.

To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, the --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable.

Please refer to https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed

Ankit
0

For me, the EC2 instance date was incorrect; changing the date and time fixed the problem. I simply rebooted the EC2 instance.

rubal islam
0

I'm on a corporate computer. What worked for me in VS Code is to set the proxy support from "override" to "off".

Maxime
0

Fixed the ssl error for s3.

I recommend reinstalling the AWS CLI per the recommended steps and confirming that a proxy isn't the issue. Then locate your certificate (for example python -m certifi) and set the path using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable. For example: export AWS_CA_BUNDLE="path to cacert.pem"

source - https://github.com/aws/aws-cli/issues/7552#issuecomment-1368027096

I ran "python3 -m certifi" and it gave the path as "/usr/local/lib/python3.9/site-packages/certifi/cacert.pem"

Then I did export AWS_CA_BUNDLE=/usr/local/lib/python3.9/site-packages/certifi/cacert.pem

this solved the issue.

tshrinivasan
0

I was getting the issue below on Windows when running this command in the console: "aws s3 ls --profile profile1". SSL validation failed for https://s3.ap-south-1.amazonaws.com/ [Errno 2] No such file or directory.

I followed the steps below and my issue got resolved.
Step 1. Open the command prompt.
Step 2. set AWS_CA_BUNDLE=C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem

Hooray! Done :)

-1

The problem is most likely caused by a corporate proxy. In my case I was running the commands on the AWS CLI behind a proxy server and was getting a certificate error. So to get around this I added the --no-verify-ssl flag. Though this is a bad idea, I used this as a temporary solution to get the job done until it is resolved by the network team.

Vishwa
-1

aws configure set default.ca_bundle <your CA file>

Guillain
-1

Install the Linux Subsystem and try... It solved it for me.

-1

This command works without any issues. I was getting the same issue with https://iam.amazonaws.com/

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)

I'm able to proceed with this command eg:

aws iam list-users "--no-verify-ssl"
Aziza Kasenova
Arvind K
-2

Potentially this could be because AWS private keys were exposed.

Update to the latest version of the AWS CLI from here to resolve this issue. https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Lovelin B
-4

I agree with the above answers; do the following:

1- Remove your CLI and install the latest CLI

2- Check that the certificate exists: C:\Program Files\Amazon\AWSCLIV2\botocore\cacert.pem

3- If it doesn't exist, remove the CLI, go to C:\Program Files\ and remove Amazon

4- Install the latest CLI version; it should work.

5- Try testing with your VPN connected

MJ X
-6

Use the following option to overcome the SSL certificate issue.

aws s3 ls --no-verify-ssl

Gowthaman
  • I used `aws s3 ls help` to see the format, and there is no option that you mentioned, but somehow it works to bypass SSL certificate verification. – Alexander Ryzhov Feb 13 '19 at 02:08
  • 2
    Although this might make the error go away, disabling ssl verification is almost always a *very* bad thing to do. Instead, try to find and fix the reason that it failed (such as missing certificate files). – Travis Britz Feb 13 '19 at 02:36