
@nmarchini
Last active November 15, 2023 20:28
AWS SSL Certificate issue --ca-bundle AWS_CA_BUNDLE
This works around the error shown below when running AWS CLI commands. Some networking devices that intercept traffic act like a man in the middle, which causes this error.
$ aws s3 ls
SSL validation failed for https://s3.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
There are a few ways to fix this. The AWS docs say you can add a ca_bundle line to the ~/.aws/config file, but this didn't work for me because it was being overridden by a global environment variable.
[default]
region = eu-west-1
output = json
ca_bundle = path/to/ca-cert/cacert.pem
From a bash shell, run the command below to see whether you already have the environment variable set:
env | grep AWS_CA_BUNDLE
If nothing comes back, try the config file fix above. If something is set, you may need to override it by setting the variable to point to the correct path.
I did this with the following line in my .bash_profile file:
export AWS_CA_BUNDLE=/path/to/ca-cert/cacert.pem
Restart your shell and run the env command again; it should now show the updated value.
Then try the AWS commands again and they should work.
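As an added diagnostic (not part of the gist), the functions below report which CA bundle the AWS CLI will end up using and whether that file actually holds PEM certificates, which is the usual reason an override appears to do nothing. It assumes the precedence the gist describes: the AWS_CA_BUNDLE environment variable wins over the ca_bundle key in the config file's [default] section.

```shell
#!/usr/bin/env sh
# Added example, not the gist author's code. Assumes AWS_CA_BUNDLE (env) takes
# precedence over ca_bundle in the [default] section of the AWS config file.

# Print the ca_bundle value from the [default] profile of a config file, if any.
config_ca_bundle() {
  cfg="$1"
  [ -r "$cfg" ] || return 0
  awk '
    /^\[/ { in_default = ($0 == "[default]"); next }
    in_default && /^[ \t]*ca_bundle[ \t]*=/ {
      sub(/^[ \t]*ca_bundle[ \t]*=[ \t]*/, ""); print; exit
    }' "$cfg"
}

# Resolve the effective bundle: environment variable first, then config file.
# Prints "env <path>", "config <path>" or "none".
effective_ca_bundle() {
  cfg="${1:-$HOME/.aws/config}"
  if [ -n "${AWS_CA_BUNDLE:-}" ]; then
    echo "env $AWS_CA_BUNDLE"
  else
    from_cfg=$(config_ca_bundle "$cfg")
    if [ -n "$from_cfg" ]; then echo "config $from_cfg"; else echo "none"; fi
  fi
}

# Check that a bundle path is readable and contains at least one PEM certificate.
# Returns 1 if unreadable, 2 if the file holds no certificate, 0 otherwise.
check_bundle_file() {
  f="$1"
  [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no PEM certificate in: $f"; return 2; }
  echo "ok: $f holds $(grep -c 'BEGIN CERTIFICATE' "$f") certificate(s)"
}

# Example use: report the winning source and validate the file it points to.
src=$(effective_ca_bundle)
echo "effective CA bundle: $src"
[ "$src" = "none" ] || check_bundle_file "${src#* }"
```

Whichever bundle wins is the full trust store for every AWS CLI TLS connection, so it should contain only the intercepting proxy's CA that your organisation actually operates, not an arbitrary certificate copied from a failed connection.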
Reference: https://docs.amazonaws.cn/en_us/cli/latest/userguide/cli-configure-files.html#cli-configure-files-global
@jboeshart

jboeshart commented Nov 13, 2023

I just updated to 2.13.34 and it looks to be following the ca_bundle config file setting now. I don't see anything in the release notes though for any fix, so (shrug).

Strike that, looks like the certs must have been cached or something, as it's no longer honoring the config file and I've had to manually add the cert of our forward proxy to "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem" in order for it to work. Underlying issue still looks to be there.
