Last active November 15, 2023 20:28
AWS SSL Certificate issue --ca-bundle AWS_CA_BUNDLE
This gets around the error shown below when running AWS CLI commands. Some network devices that intercept traffic act as a man in the middle and present their own certificate chain, which is what triggers this error.
$ aws s3 ls
SSL validation failed for [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
There are a few ways to fix this. The AWS docs say you can add a ca_bundle line to the ~/.aws/config file, but this didn't work for me because it was being overridden by a global environment variable.
region = eu-west-1
output = json
ca_bundle = path/to/ca-cert/cacert.pem
From a bash shell, run the command below to see whether an existing environment variable is set:
env | grep AWS_CA_BUNDLE
If nothing comes back, try the config file fix above. If something is set, you may need to override it by setting the variable to point to the correct path.
I did this with the following line in my .bash_profile file.
export AWS_CA_BUNDLE=/path/to/ca-cert/cacert.pem
Restart your shell and run the env command again; it should now show the updated value.
Then try the AWS commands again and they should work.
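The steps above amount to "find which of the three settings is actually in effect, then make sure it points at a usable bundle". As an added example that is not part of the gist, the POSIX shell script below reproduces the precedence the AWS CLI documents for the CA bundle (the --ca-bundle option, then the AWS_CA_BUNDLE environment variable, then the ca_bundle key in the config file) and checks that the winning path is readable and actually contains a PEM certificate. The function names, the temporary config file and the placeholder certificate are my own constructions; the placeholder is not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the gist. Mirrors the precedence the AWS CLI
# documents for the CA bundle: --ca-bundle option > AWS_CA_BUNDLE env var >
# ca_bundle key in the config file. Function names are my own.

# resolve_ca_bundle [cli_option_path] [config_file]
# Prints the bundle path that wins, or nothing when none is configured.
# Simplification: the first ca_bundle line in the file is used, whatever
# profile section it sits in.
resolve_ca_bundle() {
    cli_opt="$1"
    cfg="${2:-$HOME/.aws/config}"
    if [ -n "$cli_opt" ]; then
        printf '%s\n' "$cli_opt"
    elif [ -n "${AWS_CA_BUNDLE:-}" ]; then
        printf '%s\n' "$AWS_CA_BUNDLE"
    elif [ -f "$cfg" ]; then
        sed -n 's/^[[:space:]]*ca_bundle[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1
    fi
}

# check_ca_bundle path
# Succeeds only if the file is readable and holds at least one PEM
# certificate; an empty or stale path is a common reason the error persists
# after the variable has been set.
check_ca_bundle() {
    [ -n "$1" ] && [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# report_ca_bundle [cli_option_path] [config_file]
# Prints which path is in effect and whether it looks usable.
report_ca_bundle() {
    path=$(resolve_ca_bundle "$1" "$2")
    if [ -z "$path" ]; then
        echo "no CA bundle configured (CLI option, AWS_CA_BUNDLE or ca_bundle)"
        return 1
    fi
    if check_ca_bundle "$path"; then
        echo "CA bundle in use: $path (readable, contains PEM certificates)"
    else
        echo "CA bundle in use: $path (missing, unreadable or not PEM)"
        return 1
    fi
}

# --- self-contained demo with constructed files (placeholder, not a real cert) ---
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-constructed-for-demo' \
    '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"
printf '%s\n' '[default]' 'region = eu-west-1' 'output = json' \
    "ca_bundle = $demo_dir/cacert.pem" > "$demo_dir/config"

# 1. only the config file sets the bundle: the config path is used
(unset AWS_CA_BUNDLE; report_ca_bundle '' "$demo_dir/config") || true
# 2. the environment variable wins over the config file, even when it points
#    at a path that does not exist, which is exactly the situation in the gist
(AWS_CA_BUNDLE=/nonexistent/cacert.pem; export AWS_CA_BUNDLE
 report_ca_bundle '' "$demo_dir/config") || true
rm -rf "$demo_dir"
```

Run it as-is to see the two cases printed, or source it and call report_ca_bundle with your own config path; a bundle that the script reports as "not PEM" is typically a certificate exported in DER form, which the AWS CLI will not accept here.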
References =

Fixed the SSL error for S3.

I recommend reinstalling the AWS CLI per the recommended steps and confirming that a proxy isn't the issue. Then locate your certificate (for example python -m certifi) and set the path using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable. For example: export AWS_CA_BUNDLE="path to cacert.pem"

source - aws/aws-cli#7552 (comment)

I ran "python3 -m certi" it gave the path as "/usr/local/lib/python3.9/site-packages/certifi/cacert.pem"

Then I did
export AWS_CA_BUNDLE=/usr/local/lib/python3.9/site-packages/certifi/cacert.pem

This solved the issue.


In case anyone stumbles on this gist through a Google search like I did, it appears there's currently a bug in the awscli where it's ignoring both the ca_bundle config file setting as well as the --ca-bundle command line parameter. The only way this appears to be working is by setting via environment variable. See the GitHub issue below for more information on the bug.



denzhel commented Sep 21, 2023

Thanks @jboeshart! Your tip helped us a lot!


jboeshart commented Nov 13, 2023

I just updated to 2.13.34 and it looks to be following the ca_bundle config file setting now. I don't see anything in the release notes though for any fix, so (shrug).

Strike that, looks like the certs must have been cached or something, as it's no longer honoring the config file and I've had to manually add the cert of our forward proxy to "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem" in order for it to work. Underlying issue still looks to be there.
