SSL validation failed for https://s3.zoneame.amazonaws.com/ [SSL: CERTIFICATE_ VERIFY_FAILED] certificate verify failed (_ssl.c:749)
Solution 1
The issue here is not using proxy per se (AWS CLI allows this by setting e.g. HTTPS_PROXY environment variable) but the AWS CLI client not trusting proxy's certificate. Proxy's certificate might be self-signed, with your company set as CA (Certification Authority). AWS CLI client cannot find your company's CA root certificate in the local system's CA registry so it can't verify proxy's certificate and issues the CERTIFICATE_VERIFY_FAILED
error.
To fix this we can pass company's root certificate (e.g. company-root-ca.pem
) to AWS CLI client via --ca-bundle command parameter (or via AWS_CA_BUNDLE
environment variable or config file):
$ export HTTPS_PROXY=<host>:<port>
$ aws s3 ls --ca-bundle /path/to/company-root-ca.pem
Solution 2
$ export AWS_CA_BUNDLE="C:\Program Files\Amazon\AWSCLIV2\botocore/cacert.pem"
This will work !! Enjoy
Solution 3
Update proxy settings solve my problem in windows system.
Steps for window 10:
-
In the search bar located on the left-hand side of your taskbar, next to the Windows
-
From the search results listed, click on the one that matches what you're looking for like in our case "Proxy settings".
-
Click on Proxy (left side bottom)
Now run AWS cli command in CMD
crapsoul
Updated on January 18, 2022Comments
-
crapsoul over 2 years
When I run the command
aws s3 ls
I'm getting this error:SSL validation failed for https://s3.zonename.amazonaws.com/ [SSL: CERTIFICATE_ VERIFY_FAILED] certificate verify failed (_ssl.c:749)
It work's fine with
--no-verify-ssl
How can I make it work with ssl verficication?
aws s3 ls --debug
log below:
Traceback (most recent call last): File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\urllib3\connect ionpool.py", line 594, in urlopen self._prepare_proxy(conn) File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\urllib3\connect ionpool.py", line 805, in _prepare_proxy conn.connect() File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\urllib3\connect ion.py", line 344, in connect ssl_context=context) File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\urllib3\util\ss l_.py", line 344, in ssl_wrap_socket return context.wrap_socket(sock, server_hostname=server_hostname) File "ssl.py", line 401, in wrap_socket File "ssl.py", line 808, in __init__ File "ssl.py", line 1061, in do_handshake File "ssl.py", line 683, in do_handshake ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c :749)
-
Jordan M over 2 yearsThis solved the problem for me. We use netskope which has its own certificates. I found a generic internal article with their paths, so maybe other corporate users have similar? I was trying to push a Docker container to AWS ECR but first needed to login in powershell: aws ecr get-login-password --region my-region --ca-bundle 'C:/somepath/somecert.pem' | docker login --username AWS --password-stdin some-repo.dkr.ecr.my-region.amazonaws.com
-
Jordan M over 2 yearsDidn't work for me
-
CodyF over 2 yearsThis worked for me. My necessary server exemption was: *.amazonaws.com;
-
Vadim over 2 yearsThanks. It works on Windows from Git Bush terminal (MINGW64) to connect with aws-saml (behind corporate firewall)