SSL validation failed on AWS CLI

0

I'm new to AWS and started learning recently. I installed AWS CLI and ran the first command:

    aws --version

to which I get a reasonable response:

    aws-cli/2.13.13 Python/3.11.4 Windows/10 exe/AMD64 prompt/off

Now when I run the command:

    aws s3 ls

I get this error:

    SSL validation failed for https://s3.us-east-1.amazonaws.com/ [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4149)

I have understood that this is a certificate error. However, if I copy-paste the certificate from https://www.amazontrust.com/repository/AmazonRootCA1.pem, save it on my local machine as AmazonRootCA1.pem, and run the command:

    aws configure set ca_bundle C:\certificates\AmazonRootCA1.pem

I get the error:

    SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1002)

Has anyone come across such an issue and resolved it? Kindly help.

  • How did you install the AWS CLI? Can you also invoke the CLI in debug mode (aws s3 ls --debug)? This will output a verbose flow - but should yield information about where the CLI is looking for the CA Bundle.

2 Answers
2

Are you using CLI on company VPN? Or do you have any proxies enabled?

There are a couple of things you can try:

  • Force upgrade:

        pip install awscli --force-reinstall --upgrade

  • Set up the proxy: if there are any proxies that you/your org has, then set them in the environment or set a bogus proxy:

        export HTTP_PROXY=http://proxy.foobar.com:1234
        export HTTPS_PROXY=https://proxy.foobar.com:1234

  • Try adding the CA bundle cert in your environment variable (it may be available at /data/ca-certs/ca-bundle.pem):

        export AWS_CA_BUNDLE="<ca bundle cert location>"

Please refer to Troubleshoot AWS CLI errors: SSL certificate errors.


Hope this helps.

Comment here if you have additional questions, happy to help further.

Abhishek

AWS EXPERT
answered 8 months ago
  • Do you have any additional questions? Happy to help.

0

The above steps did not resolve the issue. Here is the debug log:

    2023-12-07 21:12:40,541 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (3): s3.us-east-1.amazonaws.com:443
    2023-12-07 21:12:40,627 - MainThread - botocore.endpoint - DEBUG - Exception received when sending HTTP request.
    Traceback (most recent call last):
      File "urllib3\connectionpool.py", line 703, in urlopen
      File "urllib3\connectionpool.py", line 386, in make_request
      File "urllib3\connectionpool.py", line 1040, in validate_conn
      File "urllib3\connection.py", line 414, in connect
      File "urllib3\util\ssl.py", line 449, in ssl_wrap_socket
      File "urllib3\util\ssl.py", line 493, in _ssl_wrap_socket_impl
      File "ssl.py", line 500, in wrap_socket
      File "ssl.py", line 1040, in _create
      File "ssl.py", line 1309, in do_handshake
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "awscli\botocore\httpsession.py", line 346, in send
      File "urllib3\connectionpool.py", line 785, in urlopen
      File "urllib3\util\retry.py", line 525, in increment
      File "urllib3\packages\six.py", line 769, in reraise
      File "urllib3\connectionpool.py", line 703, in urlopen
      File "urllib3\connectionpool.py", line 386, in make_request
      File "urllib3\connectionpool.py", line 1040, in validate_conn
      File "urllib3\connection.py", line 414, in connect
      File "urllib3\util\ssl.py", line 449, in ssl_wrap_socket
      File "urllib3\util\ssl.py", line 493, in _ssl_wrap_socket_impl
      File "ssl.py", line 500, in wrap_socket
      File "ssl.py", line 1040, in _create
      File "ssl.py", line 1309, in do_handshake
    urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "awscli\clidriver.py", line 459, in main
      File "awscli\customizations\commands.py", line 197, in call
      File "awscli\customizations\commands.py", line 191, in call
      File "awscli\customizations\s3\subcommands.py", line 505, in _run_main
      File "awscli\customizations\s3\subcommands.py", line 570, in _list_all_buckets
      File "awscli\botocore\client.py", line 285, in _api_call
      File "awscli\botocore\client.py", line 601, in _make_api_call
      File "awscli\botocore\client.py", line 621, in _make_request
      File "awscli\botocore\endpoint.py", line 103, in make_request
      File "awscli\botocore\endpoint.py", line 157, in _send_request
      File "awscli\botocore\endpoint.py", line 201, in _do_get_response
      File "awscli\botocore\endpoint.py", line 273, in _send
      File "awscli\botocore\httpsession.py", line 373, in send
    botocore.exceptions.SSLError: SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)

    SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)

answered 5 months ago
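The two errors in this thread point at different things to fix, and the following added example (not part of either answer, and not AWS CLI code) separates them: it parses the CLI's error line and loads a candidate CA bundle through Python's `ssl` module, the same module that appears in the traceback above. The function names and the HTML sample file are constructed for illustration.

```python
import re
import ssl
import tempfile
from pathlib import Path

# The two error lines quoted in the question on this page.
ERR_NO_CERT = ("SSL validation failed for https://s3.us-east-1.amazonaws.com/ "
               "[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4149)")
ERR_SELF_SIGNED = ("SSL validation failed for https://s3.us-east-1.amazonaws.com/ "
                   "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
                   "self signed certificate in certificate chain (_ssl.c:1002)")
ERR_RE = re.compile(r"SSL validation failed for (\S+) \[(\w+): (\w+)\] (.+) \(_ssl\.c:\d+\)")

def parse_cli_error(line):
    """Split the CLI error into (endpoint, library, reason, detail), or None."""
    m = ERR_RE.search(line)
    return m.groups() if m else None

def check_bundle(path):
    """Load a CA bundle through Python's ssl module; return (status, ca_count)."""
    if not Path(path).is_file():
        return ("missing", 0)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    try:
        ctx.load_verify_locations(cafile=str(path))
    except ssl.SSLError as exc:
        return (exc.reason or "SSL_ERROR", 0)  # e.g. NO_CERTIFICATE_OR_CRL_FOUND
    return ("ok", len(ctx.get_ca_certs()))

def diagnose(line, bundle_status):
    """Map an error line plus the bundle's load status to the thing to fix."""
    parsed = parse_cli_error(line)
    if parsed is None:
        return "not-a-tls-validation-error"
    reason, detail = parsed[2], parsed[3]
    if reason == "NO_CERTIFICATE_OR_CRL_FOUND" or bundle_status != "ok":
        return "bundle-file-unusable"          # wrong path, or no PEM certificate in file
    if re.search(r"self[- ]signed certificate in certificate chain", detail):
        return "presented-root-not-in-bundle"  # chain ends in a root the bundle lacks
    return "other-verification-failure"

def make_non_pem_file():
    """Constructed sample: an HTML page saved under a .pem name."""
    path = Path(tempfile.mkdtemp()) / "AmazonRootCA1.pem"
    path.write_text("<html><body>not a certificate</body></html>\n")
    return str(path)

if __name__ == "__main__":
    print(check_bundle(make_non_pem_file()), diagnose(ERR_SELF_SIGNED, "ok"))
```

A result of `presented-root-not-in-bundle` means the chain the endpoint sent ends in a self-signed root that is absent from the loaded bundle, so the file given to `ca_bundle` or `AWS_CA_BUNDLE` has to contain that root for verification to succeed.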
