SSL CERTIFICATE_VERIFY_FAILED in aws cli

I installed the AWS CLI on Windows Server 2007 32-bit.

aws --version
aws-cli/1.8.8 Python/2.7.9 Windows/2008Server 

I configured the AWS CLI using keys.

When I run the command below to test AWS S3, I get this SSL error:

aws s3 ls
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Please help to get rid of this basic error.



Solution 1:[1]

If you want to use SSL and not have to specify the --no-verify-ssl option, then you need to set the AWS_CA_BUNDLE environment variable, e.g. from PowerShell:

setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

The PEM file is a saved copy of the root certificate for the AWS endpoint you are trying to connect to. To generate it, first export the certificate in DER format (for details on how to do this, see here). Then run the following command to convert it to PEM format:

openssl x509 -inform der -in "C:\Users\UserX\Documents\RootCert.der" -out RootCert.pem

If you are using PowerShell and not bash, then you will need to first install openssl.

For a full list of environment variables supported by the AWS CLI, see here

Solution 2:[2]

Use this option with your cmd: "--no-verify-ssl"

Solution 3:[3]

Not sure if it's related to the OP's issue; however, one of our devs had this issue this morning. It turned out he was using Fiddler (on Windows) to debug other issues. After stopping Fiddler (which was intercepting https traffic), the issue was resolved.

Solution 4:[4]

I had the same issue on Windows 10. It happens to be due to the aws cli not reading the internet proxy setting from the Windows registry. Fixed same error by setting the environment variables HTTP_PROXY and HTTPS_PROXY to the corporate internet proxy. Hope it helps somebody!

Solution 5:[5]

Mine was resolved with:

pip install awscli --force-reinstall --upgrade

Solution 6:[6]

I ran into a similar issue on Mac OSX in the company/corporate network. If you don't know the proxy URL, get it from your company's network administrator and configure it with the following commands.

Linux, macOS, or Unix

$ export HTTP_PROXY=http://proxy.example.com:1234
$ export HTTPS_PROXY=https://proxy.example.com:1234

Windows

C:\> set HTTP_PROXY=http://proxy.example.com:1234
C:\> set HTTPS_PROXY=https://proxy.example.com:1234

More information

Solution 7:[7]

Problem most likely caused by corporate proxy. In my case I was running the commands on AWS CLI behind proxy server and was getting certificate error. So to get around this I added --no-verify-ssl flag. Though this is a bad idea, I used this as a temporary solution to get the job done until it is resolved by the network team.

Solution 8:[8]

I added the certificate to C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem and it resolved the problem.

Solution 9:[9]

My issue was our company's VPN. It worked after I disconnected from the VPN.

Solution 10:[10]

Linux:
$ export AWS_CA_BUNDLE="/data/ca-certs/ca-bundle.pem"

Windows:
PS C:\> setx AWS_CA_BUNDLE C:\data\ca-certs\ca-bundle.pem

$ aws s3 ls --ca-bundle "/data/ca-certs/ca-bundle.pem"

Solution 11:[11]

I believe this option would have been tried already, but I'm just putting it here for everyone's reference:

This applies when you have a proxy added to your EC2 machines and the machine is in a private subnet with an S3 VPC endpoint attached. I was getting the same error.

Bypassing the proxy using no_proxy for the bucket, as per https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/, didn't help me and was still failing with the same error.

The only catch here was that we need to add the endpoint URL, which is s3.ap-southeast-2.amazonaws.com, as below, and it worked for me:

export NO_PROXY=169.254.169.254,s3.ap-southeast-2.amazonaws.com

169.254.169.254 is used to access instance role credentials in my case.

Solution 12:[12]

I had a similar issue and solved it by setting the proxy as follows:

$ set HTTP_PROXY=http://proxy.example.com:1234

$ set HTTPS_PROXY=https://proxy.example.com:1234

Solution 13:[13]

AWS already posted a clean solution for this; here it is. Instead of hacking your system, the CLI now supports passing it a .pem file with the CA chain for it to communicate with your proxy:

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed

To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable.

Solution 14:[14]

When you use an AWS CLI command, you receive a "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed" error message. This is caused by the AWS CLI not trusting your proxy's certificate due to factors such as your proxy's certificate being self-signed, with your company set as the Certification Authority (CA). This prevents the AWS CLI from finding your company's CA root certificate in the local CA registry.

To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable.

Please refer to https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed
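
Added example, not part of any answer above: the certificate handling that Solutions 1 and 14 describe, run offline with OpenSSL against throwaway certificates. The CA names, the leaf name and the helper functions `new_root`, `der_to_bundle` and `trusts` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: every certificate is a throwaway generated below (constructed
# names), so the script runs offline and touches no real trust store.
set -eu
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_root NAME CN: self-signed root CA, also exported as DER like a browser export.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
  openssl x509 -in "$work/$1.pem" -outform der -out "$work/$1.der"
}

# der_to_bundle DER_IN PEM_OUT: the conversion from Solution 1, refusing anything
# that is not an unexpired CA certificate (e.g. the proxy's leaf exported by mistake).
der_to_bundle() {
  openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null || return 1
  if ! openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
     ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
    echo "rejected (not a valid CA certificate): $1" >&2; rm -f "$2"; return 1
  fi
}

# trusts BUNDLE CERT: true when CERT chains to a root in BUNDLE (chain check
# only; hostname matching is not covered here).
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

new_root corp  "Example Corp Root CA"     # stands in for the company CA
new_root other "Unrelated Public Root"    # stands in for the default CA store
# Leaf certificate as an intercepting proxy would present it, signed by corp.
openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
  -subj "/CN=proxy-leaf.example.test" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/corp.pem" -CAkey "$work/corp.key" \
  -CAcreateserial -days 1 -out "$work/leaf.pem" 2>/dev/null
openssl x509 -in "$work/leaf.pem" -outform der -out "$work/leaf.der"

der_to_bundle "$work/corp.der" "$work/bundle.pem"
trusts "$work/other.pem"  "$work/leaf.pem" || echo "default store: verify failed"
trusts "$work/bundle.pem" "$work/leaf.pem" && echo "corporate bundle: verify OK"
```

With a real exported root, only the `der_to_bundle` step applies; its output is the file to reference from `AWS_CA_BUNDLE`.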

Solution 15:[15]

I agree with the above answers. Do the following:

1- Remove your CLI and install the latest CLI

2- Check that the certificate exists: C:\Program Files\Amazon\AWSCLIV2\botocore\cacert.pem

3- If it doesn't exist, remove the CLI, go to C:\Program Files\ and remove Amazon

4- Install the latest CLI version; it should work.

5- Try testing with your VPN connected

Solution 16:[16]

Use the following option to overcome the SSL certification issue.

aws s3 ls --no-verify-ssl