If you are connecting through a corporate proxy, you may need to specify a CA certificate bundle.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
AWS_CA_BUNDLE
Specifies the path to a certificate bundle to use for HTTPS certificate validation.
If defined, this environment variable overrides the value for the profile setting ca_bundle. You can override this environment variable by using the --ca-bundle command line parameter.
It is not good practice to use --no-verify-ssl; this worked for me!!
1 - In the browser, click on the certificate and export it to a local directory with a name such as "download_ca_aws.crt": /etc/ssl/certs/download_ca_aws.crt
2 - In the .aws directory you have 2 files, config and credentials (if you don't have them, create them). With the default profile, add the following:
config file:
[default]
region = us-east-1
ca_bundle = /etc/ssl/certs/download_ca_aws.crt
credentials file :
[default]
aws_access_key_id = MY_ACCESS_KEY
aws_secret_access_key = MY_SECRET_KEY
3 - Check if it works with the following command from the AWS CLI:
aws sts get-caller-identity --profile default
Note: --profile is optional for the default profile.
If you want to use a non-default profile, then create it:
In the config file add:
[new_profile_name]
region = us-east-1
ca_bundle = /etc/ssl/certs/download_ca_aws.crt
In the credentials file add:
[new_profile_name]
aws_access_key_id = MY_ACCESS_KEY
aws_secret_access_key = MY_SECRET_KEY
Check if it works with the following command from the AWS CLI:
aws sts get-caller-identity --profile new_profile_name
Now your connection is more secure!!
I was getting the below issue on Windows when running this command in the console: "aws s3 ls --profile profile1".
ssl validation failed for https://s3.ap-south-1.amazonaws.com/ [errno 2] no such file or directory.
I followed the below steps and my issue got resolved.
Step 1. Open the command prompt.
Step 2. set AWS_CA_BUNDLE=C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem
Hooray! Done :)
This workaround fixed the AWS CLI SSL issue I had on my work laptop (macOS).
- Run -> curl https://ec2.${EC2_REGION}.amazonaws.com/ --verbose
- Copy the existing cert path from the curl output.
  - successfully set certificate verify locations:
  - CAfile: /etc/ssl/cert.pem
- Set the env variable -> export AWS_CA_BUNDLE=/etc/ssl/cert.pem
- Update the config file in ~/.aws/
  [default]
  region = us-east-1
  output = json
  ca_bundle = /etc/ssl/cert.pem
Original Post: https://github.com/aws/aws-cli/issues/2690#issuecomment-497856869
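An added example, not part of any answer above and not AWS code: a small Python check that resolves which CA bundle applies using the precedence quoted from the AWS docs (--ca-bundle, then AWS_CA_BUNDLE, then the profile's ca_bundle) and verifies the file exists and contains a PEM certificate, which catches the "[errno 2] no such file or directory" case before the CLI does. The function names and the fixed ~/.aws/config location are assumptions made for this example.

```python
import configparser
import os
import re
from pathlib import Path

# One PEM-encoded certificate block.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(config_path, profile="default", env=None, cli_value=None):
    """Return (source, path) for the bundle in effect, or (None, None).

    Precedence as quoted from the AWS docs above:
    --ca-bundle, then AWS_CA_BUNDLE, then the profile's ca_bundle setting.
    """
    env = os.environ if env is None else env
    if cli_value:
        return "--ca-bundle", cli_value
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    # interpolation=None keeps '%' in paths literal; a missing file reads as empty.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(config_path)
    # Named profiles are documented as [profile NAME] in the config file;
    # the bare [NAME] form is looked up as well.
    for section in (profile, f"profile {profile}"):
        if parser.has_option(section, "ca_bundle"):
            return f"config [{section}]", parser.get(section, "ca_bundle")
    return None, None


def check_ca_bundle(path):
    """Return a list of problems with the bundle file; empty means usable."""
    p = Path(path).expanduser()
    if not p.is_file():
        return [f"{p}: no such file"]
    text = p.read_bytes().decode("ascii", errors="replace")
    if not PEM_CERT.search(text):
        return [f"{p}: no PEM certificate found"]
    return []


if __name__ == "__main__":
    # Assumption: the config file is at its default location.
    source, path = resolve_ca_bundle(Path.home() / ".aws" / "config")
    if path is None:
        print("no custom CA bundle configured")
    else:
        print(f"{source} -> {path}:", check_ca_bundle(path) or "OK")
```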
You could, and it may work. But do not, as it will bypass an essential mechanism to secure your connection: that the certificate is a valid one. See the most voted answer on importing a CA certificate bundle, in case you use a corporate proxy.