11

The below code is for getting the regions.

import boto3
ec2 = boto3.client('ec2', 'region-name')
print(ec2.describe_regions())

On executing this code on my machine, I'm getting this error.

botocore.exceptions.SSLError: SSL validation failed for https://ec2.region-name.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

I am running this code on a Windows 10 machine with VS Code as my editor. I looked at other answers, which required running the Install Certificates.command file. However, it looks like that file is found on macOS only.

Can someone tell me the reason for this issue as well?

Also, last week I got a notification from AWS that they are updating all their AWS FIPS endpoints to TLS 1.2 and hence I need to connect to TLS version 1.2 FIPS endpoints. I checked my TLS version here. It says I have TLS version 1.2. Is there anything related to this? Because prior to this notification, my script was running perfectly.

Could someone please tell me the reason for this error and a possible correction? Also, correct me if I mentioned something wrong in my understanding.

shreyaskar

3 Answers

15

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate occurs because the Python ssl library can't find certificates on your local machine to verify against.

One way to debug is to see if you have your ca_bundle set to something else:

python -c "from botocore.session import Session; print(Session().get_config_variable('ca_bundle'))"

If it doesn't print anything, then it uses the default path. You can check the default path with:

python -c "import ssl; print(ssl.get_default_verify_paths())"

If ca_bundle prints something, then it was set by the AWS_CA_BUNDLE environment variable or by running aws configure set default.ca_bundle <some path> in the past. Also check ~/.aws/config in case you accidentally set it there (config file location for Windows: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

Install Certificates.command is basically a Python script that you can run yourself: https://gist.github.com/marschhuynh/31c9375fc34a3e20c2d3b9eb8131d8f3 . Save it as install-cert.py and run it with python install-cert.py

cakraww
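Added example, not part of the answer above and not boto3/botocore code: a standard-library check that lists every ca_bundle override the answer mentions (the AWS_CA_BUNDLE environment variable and ca_bundle keys in the AWS config file) and tests whether each path actually loads as a PEM CA bundle. The function names are hypothetical, and the sketch assumes the config file can be read as plain INI text.

```python
import configparser
import os
import ssl

def check_bundle(path):
    """Classify a CA bundle path: 'missing', 'invalid' (no usable PEM certs) or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return "invalid"
    return "ok" if ctx.cert_store_stats()["x509"] > 0 else "invalid"

def ca_bundle_overrides(env, config_text):
    """Return (source, path) for every setting that replaces the default CA bundle."""
    found = []
    if env.get("AWS_CA_BUNDLE"):
        found.append(("env AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]))
    parser = configparser.RawConfigParser()  # no interpolation of path values
    parser.read_string(config_text)
    for section in parser.sections():
        if parser.has_option(section, "ca_bundle"):
            found.append((f"config [{section}]", parser.get(section, "ca_bundle")))
    return found

def diagnose(env, config_text):
    """Return (source, path, status) for each override found."""
    return [(src, path, check_bundle(path))
            for src, path in ca_bundle_overrides(env, config_text)]

if __name__ == "__main__":
    # Inspect the real environment and the shared config file
    # (AWS_CONFIG_FILE overrides the default location).
    cfg_path = os.environ.get("AWS_CONFIG_FILE", os.path.expanduser("~/.aws/config"))
    text = ""
    if os.path.isfile(cfg_path):
        with open(cfg_path, encoding="utf-8") as fh:
            text = fh.read()
    results = diagnose(os.environ, text)
    for src, path, status in results:
        print(f"{src}: {path} -> {status}")
    if not results:
        print("no ca_bundle override; default paths:", ssl.get_default_verify_paths())
```

A status of missing or invalid points at a stale override: remove the setting or point it at a bundle that contains the issuing CA, rather than turning verification off.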
1

Maybe an edge case, but I was having this issue sending requests to a docker container, and the fix for me was hitting the docker container at http://localhost:8000 instead of https://localhost:8000 since the container couldn't receive SSL requests. Hopefully that helps anyone in this particular situation!

Allen N
0
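import boto3

from urllib3.exceptions import InsecureRequestWarning
from urllib3 import disable_warnings

# Silence the warning urllib3 emits for each unverified HTTPS request
disable_warnings(InsecureRequestWarning)

session = boto3.Session(profile_name='dev')
# verify=False turns off TLS certificate verification for this client
client = session.client('ec2', verify=False)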
  • 3
    Remember that Stack Overflow isn't just intended to solve the immediate problem, but also to help future readers find solutions to similar problems, which requires understanding the underlying code. This is especially important for members of our community who are beginners, and not familiar with the syntax. Given that, **can you [edit] your answer to include an explanation of what you're doing** and why you believe it is the best approach? – Jeremy Caney Apr 05 '23 at 00:42