python module certifi==2015.9.6.2 is breaking the AWS CLI - SSL3_GET_SERVER_CERTIFICATE:certificate verify failed #1499
Comments
On the one hand, I quickly tested this one. I cannot reproduce the error.
I dug deeper. AWS CLI does not directly use certifi, but one of the underlying 3rd party modules, named requests, is aware of certifi. I wrote the following test script and ran it against all known S3 endpoints, after installing certifi. Again, they ran well (you will see a 404 error because the bucket does not exist, but it also means the SSL connection does work). Would you mind running it on your box and seeing what happens?
On the other hand, the root cause seems to be this relevant issue in certifi. There is not much we can do here from the AWS CLI side. I'll leave this issue open for a while, so that other people who encounter the same problem can refer to it.
@rayluo check the version of OpenSSL you have installed and the version of Python. If they're new enough that issue probably doesn't affect you which is why you can't reproduce the issue.
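The version check suggested in the comment above, as an added example that is not part of the thread and not AWS CLI code: it reports the Python, OpenSSL and certifi versions in use, then tries a certificate-verified handshake against the system trust store and against the certifi bundle. The function names and the default host s3.amazonaws.com are assumptions made for this example.

```python
import socket
import ssl
import sys


def tls_environment():
    """Report the Python, OpenSSL and certifi details discussed in this thread."""
    info = {
        "python": ".".join(str(part) for part in sys.version_info[:3]),
        "openssl": ssl.OPENSSL_VERSION,
        "certifi_version": None,
        "certifi_bundle": None,
    }
    try:
        import certifi  # optional: only present if something installed it
    except ImportError:
        return info
    info["certifi_version"] = getattr(certifi, "__version__", "unknown")
    info["certifi_bundle"] = certifi.where()
    return info


def verified_handshake(host, cafile=None, port=443, timeout=5.0):
    """Attempt a certificate-verified TLS handshake; return (ok, detail)."""
    # cafile=None trusts the platform default store; a path trusts only that file.
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def compare_trust_stores(host):
    env = tls_environment()
    results = {"system": verified_handshake(host)}
    if env["certifi_bundle"]:
        results["certifi"] = verified_handshake(host, cafile=env["certifi_bundle"])
    return env, results


if __name__ == "__main__":
    # Assumption: s3.amazonaws.com stands in for the S3 endpoints in the thread.
    env, results = compare_trust_stores(sys.argv[1] if len(sys.argv) > 1 else "s3.amazonaws.com")
    print(env)
    for store, (ok, detail) in results.items():
        print(store, "OK" if ok else "FAILED", detail)
```

A failure for `certifi` alongside success for `system` on the same host points at the bundle rather than at the network or the endpoint.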
@rayluo I encountered the same issue, and the solution provided by @schhibber-bcs worked for me.
@brianwebb01 Yes, downgrading certifi is a feasible workaround at this moment. By the way, as suggested by @sigmavirus24 2 posts above, I am sharing my version of OpenSSL and Python, for what it's worth. This combination seemingly works fine for me.
@rayluo For reference, here are the versions where I experienced the issue and
I ran into the same issue and the workaround provided by @schhibber-bcs works for me as well.
I'm just catching up on this issue here. From reading the linked certifi issue, am I correct in saying that there's no actionable thing we can do on the AWS CLI side? If so, I'm inclined to close this issue.
Summary for future reference:
There is not much aws-cli can do here. Agree to close this issue.
I would say the best option that all of you have is to document a user's options. One option is to pin certifi, another is for them to create a wheel of cryptography that statically links to a recent enough version of OpenSSL and use
Certifi downgrade fixed it for me. Close this issue.
Ran into this same problem and spent a while debugging it. The certifi issue is over here: certifi/python-certifi#26. Is there anything that can be done on the awscli side to mitigate this?
@ajmath Per @sigmavirus24's comment above, the best option we have is to document the options a user has. I think we can make sure that a plain install of AWS CLI works without user action, but if a user has also installed certifi in their python environment, I would be hesitant to override that behavior because they've presumably installed certifi because they want to use that cert bundle.
@jamesls Thanks for the response. I was under the assumption that certifi was getting installed by awscli. After looking into it, I realized this is coming from salt-master. Unfortunately I need both tools. I'll continue conversation with the certifi and salt teams.
We had a number of boxes boot up in the last couple of days and upgrade the python module certifi to 2015.9.6.2.
After the upgrade we started getting the following error when trying to run any commands against an SSL-based endpoint: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
e.g.: aws s3 ls
[Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The following was our fix:
sudo pip uninstall certifi
sudo pip install certifi==2015.04.28