When I use python boto connect to aws ec2 , it show SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Question

I'm using Windows 10 OS.

I want to count the number of IP Address of AWS.

I use python 2.7.14 and boto 2.6.0

I add a file which name is boto.config locate C:\Users\Administrator folder

The content of the boto.config is:

[Credentials]

aws_access_key_id=******

aws_secret_access_key=*****

The script is :

#!/usr/bin/env python

# -*- encoding: utf8 -*-

import boto.ec2

from pprint import pprint

import ssh

import requests

import urllib3

import certifi

import ssl

conn = boto.ec2.connect_to_region('cn-north-1')

reservations = conn.get_all_instances()

InstanceMap=[]

for reservation in reservations:

    for instance in reservation.instances:

        if 'env' in instance.tags and instance.tags['env'] == 'test':

            InstanceMap.append(instance.ip_address)

f = open('F:\ip.txt','w')

pprint(InstanceMap, f)

When I run this script, it show the error formation:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

What's the method can I solve this problem ?

Answer 1

I was having same issue with boto3 and Python 3.7 on Windows 10 machine. As it turned out, since I was using corporate device with Proxy installed, *.amazonaws.com certificate was getting replaced by the Proxy certificate. This Proxy certificate chain needed to be trusted by Python certifi module. Whether or not, you have a proxy, below method should resolve SSL: CERTIFICATE_VERIFY_FAILED error.

Here is what I did, to resolve the issue -

1. Find the path where cacert.pem is located -

Install certifi, if you don't have. Command: pip install certifi

import certifi
certifi.where()
C:\\Users\\[UserID]\\AppData\\Local\\Programs\\Python\\Python37-32\\lib\\site-packages\\certifi\\cacert.pem

2. Set AWS_CA_BUNDLE environment variable to the cacert.pem path -

   AWS_CA_BUNDLE=C:\Users\[UserID]\AppData\Local\Programs\Python\Python37-32\Lib\site-packages\certifi\cacert.pem

3. Download the chain of certificates from amazonaws.com URL. For example: Go to https://sts.amazonaws.com/xyz on a browser and export Root, all the intermediate certificates, domain cert and save as base64 encoded .cer file. Open the certificates in notepad, copy all the contents.

4. Now open the cacert.pem in a notepad and just add every downloaded certificate contents (---Begin Certificate--- *** ---End Certificate---) at the end.

Restart the command line prompt or PowerShell, SSL verification error should be resolved.

Do not use is_secure = False in your organization's envrionments. This is essentially disabling SSL verification.

Answer 2

Try adding is_secure = False like below, in order to skip ssl verification,

conn = boto.ec2.connect_to_region('cn-north-1',is_secure=False)

Try providing the credentials as so, that way you would know if the keys in boto config are old if this works, and if this returns the same issue then you need to check your api-key and secret on aws.

API_KEY = 'Actual API_KEY'
API_SECRET = 'Actual Secret'
conn = boto.ec2.connect_to_region('us-east-2',aws_access_key_id=API_KEY,aws_secret_access_key=API_SECRET,is_secure=False)