How to resolve [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate with Polly endpoint

0

Hello,

I am trying to resolve the dreaded SSL Certificate error:

....[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

when trying to validate a Polly endpoint, such as: https://polly.us-east-1.amazonaws.com/v1/speech

I am doing this in the CLI

The errors are: -- https://polly.us-east-1.amazonaws.com/v1/lexicons/awsLexicon [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

--https://polly.us-east-1.amazonaws.com/v1/lexicons/awsLexicon [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)

Among the steps I have tried so far was to update the certificate: @ CLI -> pip install certifi. I verified in site-packages/certifi that 'cacert' is present.

I'm sure I am missing some step(s). Can anyone see what I should do next?

5 Answers
3

If you are connecting through a corporate proxy, you may need to specify a CA certificate bundle.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

AWS_CA_BUNDLE
Specifies the path to a certificate bundle to use for HTTPS certificate validation.
If defined, this environment variable overrides the value for the profile setting ca_bundle. You can override this environment variable by using the --ca-bundle command line parameter.

hayao-k
answered 2 years ago
AWS EXPERT
reviewed 10 months ago
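An added example, not part of any answer on this page and not AWS's own code: a Python sketch of the override order quoted in the answer above (`--ca-bundle` over `AWS_CA_BUNDLE` over the profile's `ca_bundle`), plus a basic sanity check of the file that wins. The function names, the `work` profile and its path are assumptions for illustration; `[profile name]` is the section form `~/.aws/config` uses for non-default profiles.

```python
import configparser
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def resolve_ca_bundle(cli_arg=None, env=None, config_text="", profile="default"):
    """Return (source, path): --ca-bundle beats AWS_CA_BUNDLE beats profile ca_bundle."""
    env = os.environ if env is None else env
    if cli_arg:
        return ("--ca-bundle", cli_arg)
    if env.get("AWS_CA_BUNDLE"):
        return ("AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"])
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    # In ~/.aws/config, non-default profiles use a "profile " section prefix.
    section = "default" if profile == "default" else f"profile {profile}"
    if cfg.has_option(section, "ca_bundle"):
        return (f"config [{section}]", cfg.get(section, "ca_bundle"))
    return ("none", None)

def check_bundle(path):
    """Return a list of problems with the bundle file; an empty list means it looks usable."""
    if path is None:
        return ["no ca_bundle configured anywhere"]
    if not os.path.isfile(path):
        return [f"{path}: file does not exist"]
    with open(path, encoding="utf-8", errors="replace") as fh:
        if not PEM_BLOCK.search(fh.read()):
            return [f"{path}: no PEM certificate block found"]
    return []

if __name__ == "__main__":
    # Constructed sample config; the "work" profile and its path are hypothetical.
    sample = ("[default]\nregion = us-east-1\n"
              "ca_bundle = /etc/ssl/certs/download_ca_aws.crt\n"
              "[profile work]\nca_bundle = /opt/ca/work.pem\n")
    for kwargs in ({}, {"profile": "work"}, {"cli_arg": "/tmp/override.pem"}):
        source, path = resolve_ca_bundle(env={"AWS_CA_BUNDLE": ""}, config_text=sample, **kwargs)
        print(source, path, check_bundle(path))
```

A stale `AWS_CA_BUNDLE` left in the shell silently overrides a corrected `ca_bundle` in the profile, so checking which source wins is worth doing before editing the config file again.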
1

It is not good practice to use --no-verify-ssl. This worked for me!

1 - In the browser, click on the certificate and export it to a local directory with a name such as "download_ca_aws.crt": /etc/ssl/certs/download_ca_aws.crt

2 - In the .aws directory you have 2 files, config and credentials (if you don't have them, create them), with a default profile. Add the following:

config file:

[default]

region = us-east-1

ca_bundle = /etc/ssl/certs/download_ca_aws.crt

credentials file:

[default]

aws_access_key_id = MY_ACCESS_KEY

aws_secret_access_key = MY_SECRET_KEY

3 - Check if it works with the following command from the AWS CLI:

aws sts get-caller-identity --profile default 

Note: --profile is optional for the default profile.

If you want to use a non-default profile, then create it:

In the config file add:

[new_profile_name]

region = us-east-1

ca_bundle = /etc/ssl/certs/download_ca_aws.crt

In the credentials file add:

[new_profile_name]

aws_access_key_id = MY_ACCESS_KEY

aws_secret_access_key = MY_SECRET_KEY

Check if it works with the following command from the AWS CLI:

aws sts get-caller-identity --profile new_profile_name

Now your connection is more secure!!

Ivan-D
answered a year ago
0

You could try by adding --no-verify-ssl to the end of CLI

answered 2 years ago
  • You could, and it may work. But do not, as it will bypass an essential mechanism to secure your connection: that the certificate is a valid one. See the most voted answer on importing a CA certificate bundle, in case you use a corporate proxy.

0

I was getting the below issue on Windows OS when running this command in the console: "aws s3 ls --profile profile1".

ssl validation failed for https://s3.ap-south-1.amazonaws.com/ [errno 2] no such file or directory.

I followed the steps below and my issue got resolved.

Step 1. Open the command prompt.

Step 2. set AWS_CA_BUNDLE=C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem

Hooray! Done :)

answered 10 months ago
0

This workaround fixed the AWS CLI SSL issue I had on my work laptop (MacOS).

  1. Run -> curl https://ec2.${EC2_REGION}.amazonaws.com/ --verbose

  2. Copy the existing cert path from the curl output.

    • successfully set certificate verify locations:
    • CAfile: /etc/ssl/cert.pem
  3. Set the env variable -> export AWS_CA_BUNDLE=/etc/ssl/cert.pem

  4. Update the config file in ~/.aws/:

    [default]
    region = us-east-1
    output = json
    ca_bundle = /etc/ssl/cert.pem

Original Post: https://github.com/aws/aws-cli/issues/2690#issuecomment-497856869

answered 2 months ago