SSL Validation Failed on Fresh Install (SSL: CERTIFICATE_VERIFY_FAILED) #7552

Closed
TheNathanBlake opened this issue Dec 27, 2022 · 6 comments
@TheNathanBlake

Describe the bug

After running aws configure on a fresh install, attempting a basic command such as aws s3 ls returns the following error:

SSL validation failed for https://s3.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

Expected Behavior

The s3 ls command should execute

Current Behavior

SSL validation failed for https://s3.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

Reproduction Steps

Install aws cli using the macOS steps in this guide: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Run aws configure using AWS access key, access key secret, and entering us-west-2 as domain

Run aws s3 ls

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.9.10 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off

Environment details (OS name and version, etc.)

OS: macOS Monterey 12.6 (21G115)

@tim-finnigan
Contributor

Hi @TheNathanBlake thanks for reaching out. There is a section on the SSL: CERTIFICATE_VERIFY_FAILED error in the AWS CLI troubleshooting guide. The possible causes it mentions there are either that the AWS CLI doesn't trust your proxy's certificate or your configuration isn't pointing to the correct CA root certificate location. Please refer to the troubleshooting steps to resolve this issue and let us know if you have any follow up questions.

@TheNathanBlake
Author

@tim-finnigan We're not using a proxy, and we have no certificate authority we're using in AWS. For all intents, this should be a fairly basic, non-certificate setup. Why would I need to go through setting up a certificate locally if there's not one already configured?

@Solodye

Solodye commented Dec 30, 2022

> To fix this, instruct the AWS CLI where to find your company's .pem file using the [ca_bundle](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-config-ca_bundle) configuration file setting, [--ca-bundle](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-options.html#cli-configure-options-ca-bundle) command line option, or the [AWS_CA_BUNDLE](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list-AWS_CA_BUNDLE) environment variable.

to find your company's .pem file?
@tim-finnigan Why do you think every company should have this .pem file?

@Solodye

Solodye commented Dec 30, 2022

I have a similar issue; here is what I have tried.
AS***61 is my laptop name
a***g is my user name

Environment details:

ProductName:	macOS
ProductVersion:	12.5
BuildVersion:	21G72

Version:

aws-cli/2.9.11 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off
  1. Using the .pem from Python3 lib - failed
AS***61:~ a***g$ python3 --version
Python 3.9.6
AS***61:~ a***g$ python3 -m certifi
/Users/a***g/Library/Python/3.9/lib/python/site-packages/certifi/cacert.pem
AS***61:~ a***g$ aws --ca-bundle /Users/a***g/Library/Python/3.9/lib/python/site-packages/certifi/cacert.pem  s3 ls

SSL validation failed for https://s3.ap-northeast-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)
  2. Using the .pem that is installed within the AWS command line package - failed
AS***61:~ a***g$ aws --ca-bundle /usr/local/aws-cli/awscli/botocore/cacert.pem  s3 ls

SSL validation failed for https://s3.ap-northeast-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)
  3. Using the .pem that was generated from the AWS console - failed
AS***61:~ a***g$ aws --ca-bundle ~/aws_certificate/cert-VEO5FU2SUDBERYKUFSPFX3JE7AZRUHJU.pem s3 ls

SSL validation failed for https://s3.ap-northeast-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

  4. Using the previous developer advice from PR - failed
    SSL CERTIFICATE_VERIFY_FAILED #1545 (comment)
    https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file#comment1118260_641396
AS***61:~ a***g$ openssl s_client -connect s3.ap-northeast-1.amazonaws.com:443 -showcerts </dev/null 2>/dev/null |  sed -n '/^-----BEGIN CERT/,/^-----END CERT/p' > mycert.pem
AS***61:~ a***g$ aws configure
AWS Access Key ID [****************6E3C]:
AWS Secret Access Key [****************2MGR]:
Default region name [ap-northeast-1]:
Default output format [json]:
AS***61:~ a***g$ aws --ca-bundle=/Users/a***g/mycert.pem  s3 ls

SSL validation failed for https://s3.ap-northeast-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)
AS***61:~ a***g$

Hi @tim-finnigan
Could you please review and provide some advice about:

  1. Is there any input needed, or other work that needs to be done, from my side to improve this situation?
  2. If using the AWS CLI requires me to have more SSL and security knowledge, where can I study it?

@tim-finnigan
Contributor

Hello and thanks for following up here. I recommend reinstalling the AWS CLI per the recommended steps and confirming that a proxy isn't the issue. Then locate your certificate (for example python -m certifi) and set the path using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable. For example: export AWS_CA_BUNDLE="path to cacert.pem"

The SSL: CERTIFICATE_VERIFY_FAILED error has been reported several times in previous issues, and in addition to #1545 referenced above I recommend looking through those issues for guidance if you're still having trouble. There are also several posts in Stack Overflow on this topic that might help.

@github-actions github-actions bot closed this as completed Jan 1, 2023
@pschmeichel2

In my case, ZScaler caused this error; I had to switch it off.
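
Added example (not part of the thread and not AWS CLI code): a small parser for the "Certificate chain" section that the `openssl s_client -showcerts` command used above prints, reporting any self-signed certificate the peer sends and whether the leaf's issuer looks unexpected. Both sample outputs are constructed, the "Example Corp" CA names are made up, and the "Amazon" issuer check is an assumed heuristic, not a security control.

```python
import re
import sys

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

# Constructed sample (not captured output): chain section of `openssl s_client
# -showcerts` behind a TLS-inspecting proxy. "Example Corp" names are made up.
INSPECTED = """\
Certificate chain
 0 s:CN = s3.ap-northeast-1.amazonaws.com
   i:CN = Example Corp Inspection Intermediate CA
 1 s:CN = Example Corp Inspection Intermediate CA
   i:CN = Example Corp Inspection Root CA
 2 s:CN = Example Corp Inspection Root CA
   i:CN = Example Corp Inspection Root CA
"""
# Constructed sample of a direct connection: no self-signed root is sent.
DIRECT = """\
Certificate chain
 0 s:CN = s3.ap-northeast-1.amazonaws.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, pending = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            pending = (int(m.group(1)), m.group(2).strip())
        elif (m := ISSUER.match(line)) and pending:
            chain.append((*pending, m.group(1).strip()))
            pending = None
    return chain

def diagnose(text, expected_issuer="Amazon"):
    """Report self-signed certs sent by the peer and an unexpected leaf issuer."""
    chain = parse_chain(text)
    return {
        "self_signed": [s for _, s, i in chain if s == i],
        "leaf_issuer": chain[0][2] if chain else None,
        # Assumption: a genuine AWS endpoint's leaf is issued by an Amazon-named CA.
        "unexpected_issuer": bool(chain) and expected_issuer not in chain[0][2],
    }

if __name__ == "__main__":
    print(diagnose(sys.stdin.read()))
```

Pipe the output of `openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null` into the script. A name under `self_signed` identifies the root that the file passed to `--ca-bundle` or `AWS_CA_BUNDLE` must contain; obtain that certificate from whoever operates the inspecting proxy rather than from the connection itself.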
