This works around the error shown below when running AWS CLI commands. It appears when a network device on the path (typically a TLS-inspecting proxy) intercepts the HTTPS connection and presents a certificate chain rooted in its own self-signed CA, acting as a man in the middle; the CLI does not trust that CA, so certificate verification fails.
$ aws s3 ls
SSL validation failed for https://s3.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
There are a few ways to fix this. The AWS docs say you can add a ca_bundle line to ~/.aws/config pointing at a PEM bundle that contains the intercepting device's CA, but this didn't work for me because the AWS_CA_BUNDLE environment variable takes precedence over the config file setting and one was already set globally.
[default]
region = eu-west-1
output = json
ca_bundle = path/to/ca-cert/cacert.pem
From a bash shell, run the command below to see whether the environment variable is already set:
env | grep AWS_CA_BUNDLE
If nothing comes back, try the config file fix above. If something is set, you need to override it by pointing the variable at the correct bundle (the --ca-bundle command line option overrides both the variable and the config file, per the docs).
I did this with the following line in my .bash_profile file.
export AWS_CA_BUNDLE=/path/to/ca-cert/cacert.pem
Restart your shell (or source the file) and run the env command again; it should now show the new path.
Then try the AWS commands again and they should work.
References: https://docs.amazonaws.cn/en_us/cli/latest/userguide/cli-configure-files.html#cli-configure-files-global
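Added example (not code from the gist, from AWS, or from any commenter): a few bash helpers that make the procedure above checkable. They report which bundle setting the CLI will actually use (following the documented precedence --ca-bundle, then AWS_CA_BUNDLE, then ca_bundle in the config file), build a bundle that contains the intercepting device's root CA on top of the public roots, and write the export line to a shell profile without duplicating it. The function names and the paths in the comments are my own assumptions; the only tools used are bash, awk, grep, tr, tail and cat, and nothing touches the network.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist. Assumes bash plus awk/grep/tr/tail/cat.
# Helpers for diagnosing and fixing CERTIFICATE_VERIFY_FAILED behind a TLS-intercepting proxy.

# Print which CA bundle setting the AWS CLI will use, following its precedence:
#   --ca-bundle flag  >  AWS_CA_BUNDLE env var  >  ca_bundle in ~/.aws/config
# Output is "env:<path>", "config:<path>" or "default" (the CLI's built-in bundle).
# Usage: effective_ca_bundle [config_file] [profile]
effective_ca_bundle() {
    local config="${1:-$HOME/.aws/config}"
    local profile="${2:-default}"
    if [ -n "${AWS_CA_BUNDLE:-}" ]; then
        printf 'env:%s\n' "$AWS_CA_BUNDLE"
        return 0
    fi
    # In ~/.aws/config the default profile is "[default]"; others are "[profile NAME]".
    local section="[$profile]"
    if [ "$profile" != "default" ]; then
        section="[profile $profile]"
    fi
    local value=""
    if [ -r "$config" ]; then
        value=$(awk -v sec="$section" '
            $0 == sec { in_sec = 1; next }
            /^\[/     { in_sec = 0 }
            in_sec && /^[ \t]*ca_bundle[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
            }' "$config")
    fi
    if [ -n "$value" ]; then
        printf 'config:%s\n' "$value"
    else
        printf 'default\n'
    fi
}

# Count the PEM certificates in a bundle; handy for confirming the proxy CA went in.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the PEM block in $2 appears verbatim inside bundle $1.
# Line breaks are stripped so differently wrapped copies of the same cert still match.
bundle_contains() {
    local needle
    needle=$(tr -d '\r\n' < "$2")
    tr -d '\r\n' < "$1" | grep -qF -e "$needle"
}

# Build a bundle the CLI can trust behind the proxy: the public roots from a base
# bundle (for example the file printed by `python -m certifi`) plus the intercepting
# device's root CA appended. Always write a new file: editing the base bundle in place
# is undone by the next package or CLI reinstall, and the error comes back.
# Usage: build_ca_bundle BASE_PEM PROXY_CA_PEM OUT_PEM
build_ca_bundle() {
    local base="$1" proxy="$2" out="$3"
    [ -r "$base" ] || { echo "base bundle not readable: $base" >&2; return 1; }
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$proxy" 2>/dev/null; then
        echo "not a PEM certificate: $proxy" >&2
        return 1
    fi
    if bundle_contains "$base" "$proxy"; then
        cp "$base" "$out"   # already trusted: the bundle is not what is failing
        return 0
    fi
    # Make sure the base ends with a newline so the two PEM blocks do not run together.
    { cat "$base"; [ -z "$(tail -c1 "$base")" ] || echo; cat "$proxy"; } > "$out"
}

# Persist the setting the way the gist does (an export line in a shell profile),
# idempotently: skip if the same line is already there, refuse if another path is exported.
# Usage: persist_ca_bundle BUNDLE_PEM [rc_file]
persist_ca_bundle() {
    local bundle="$1" rcfile="${2:-$HOME/.bash_profile}"
    local line="export AWS_CA_BUNDLE=\"$bundle\""
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 1; }
    if [ -f "$rcfile" ]; then
        if grep -qxF -e "$line" "$rcfile"; then
            return 0
        fi
        if grep -q '^export AWS_CA_BUNDLE=' "$rcfile"; then
            echo "$rcfile already exports AWS_CA_BUNDLE to another path; fix it by hand" >&2
            return 1
        fi
    fi
    printf '%s\n' "$line" >> "$rcfile"
}
```

Point AWS_CA_BUNDLE at the combined file, not at the proxy CA alone (that breaks every connection that is not intercepted) and not at the bare certifi bundle (which does not contain the proxy CA, so the error stays). Leave the CLI's --no-verify-ssl option out of it: that silences the error by trusting whoever is in the middle, which is exactly the condition the check exists to catch.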
In case anyone stumbles on this gist through a Google search like I did, it appears there's currently a bug in the awscli where it's ignoring both the ca_bundle config file setting as well as the --ca-bundle command line parameter. The only way this appears to be working is by setting via environment variable. See the GitHub issue below for more information on the bug.
Thanks @jboeshart! Your tip helped us a lot!
I just updated to 2.13.34 and it looks to be following the ca_bundle config file setting now. I don't see anything in the release notes though for any fix, so (shrug).
Strike that, looks like the certs must have been cached or something, as it's no longer honoring the config file and I've had to manually add the cert of our forward proxy to "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem" in order for it to work. Underlying issue still looks to be there.
Fixed the SSL error for S3.
I recommend reinstalling the AWS CLI per the recommended steps and confirming that a proxy isn't the issue. Then locate your certificate (for example python -m certifi) and set the path using the ca_bundle configuration file setting, --ca-bundle command line option, or the AWS_CA_BUNDLE environment variable. For example: export AWS_CA_BUNDLE="path to cacert.pem" (source: aws/aws-cli#7552 (comment))
I ran "python3 -m certifi" and it gave the path as "/usr/local/lib/python3.9/site-packages/certifi/cacert.pem". Then I did
export AWS_CA_BUNDLE=/usr/local/lib/python3.9/site-packages/certifi/cacert.pem
and this solved the issue.