SSL CERTIFICATE_VERIFY_FAILED in aws cli - amazon-web-services

I installed the AWS CLI on Windows Server 2007 32-bit.
aws --version
aws-cli/1.8.8 Python/2.7.9 Windows/2008Server
I configured the AWS CLI using keys.
Once I run the command below to test AWS S3, I get this SSL error:
aws s3 ls
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
Please help to get rid of this basic error.

If you want to use SSL and not have to specify the --no-verify-ssl option, then you need to set the AWS_CA_BUNDLE environment variable, e.g. from PowerShell:
setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"
The PEM file is a saved copy of the root certificate for the AWS endpoint you are trying to connect to. To generate it, first export the certificate in DER format (for details on how to do this, see here). Then run the following command to convert it to the PEM format:
openssl x509 -inform der -in "C:\Users\UserX\Documents\RootCert.der" -out RootCert.pem
If you are using PowerShell and not bash, then you will need to install openssl first.
For a full list of environment variables supported by the AWS CLI, see here.

Use this option with your command:
"--no-verify-ssl"

Not sure if it's related to the OP's issue; however, one of our devs had this issue this morning, and it turned out he was using Fiddler (on Windows) to debug other issues. After stopping Fiddler (which was intercepting HTTPS traffic), the issue was resolved.

I had the same issue on Windows 10. It happens to be due to the AWS CLI not reading the internet proxy setting from the Windows registry. I fixed the same error by setting the environment variables HTTP_PROXY and HTTPS_PROXY to the corporate internet proxy. Hope it helps somebody!

Mine was resolved with:
pip install awscli --force-reinstall --upgrade

I ran into a similar issue on Mac OS X in the company/corporate network.
If you don't know the proxy URL, get it from your company's network administrator and configure it with the following commands.
Linux, macOS, or Unix
$ export HTTP_PROXY=http://proxy.example.com:1234
$ export HTTPS_PROXY=https://proxy.example.com:1234
Windows
$ set HTTP_PROXY=http://proxy.example.com:1234
$ set HTTPS_PROXY=https://proxy.example.com:1234
More information

I added the certificate to C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem and it resolved the problem.

My issue was our company's VPN. It worked after I disconnected from the VPN.

AWS already posted a clean solution for this; here it is:
Instead of hacking your system, the CLI now supports passing it a .pem file with the CA chain it needs to communicate with your proxy:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed
To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, the --ca-bundle command line option, or the AWS_CA_Bundle environment variable.

The problem is most likely caused by a corporate proxy. In my case I was running AWS CLI commands behind a proxy server and was getting the certificate error.
So to get around this I added the --no-verify-ssl flag. Though this is a bad idea, I used it as a temporary solution to get the job done until it is resolved by the network team.

I believe this option will have been tried already, but I'm putting it here for everyone's reference:
When you have a proxy added to your EC2 machines and they are in a private subnet with an S3 VPC endpoint attached, I was getting the same error.
Bypassing the proxy using no_proxy for the bucket as per https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
didn't help me; it was still failing with the same error.
The only catch here was that we needed to add the endpoint URL, which is s3.ap-southeast-2.amazonaws.com, as below, and it worked for me:
export NO_PROXY=169.254.169.254,s3.ap-southeast-2.amazonaws.com
169.254.169.254 is used to access instance role credentials in my case.

I had a similar issue and solved it by setting the proxy as follows:
$ set HTTP_PROXY=http://proxy.example.com:1234
$ set HTTPS_PROXY=https://proxy.example.com:1234
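The proxy answers above all come down to the same two environment variables: HTTPS_PROXY decides which proxy an https:// endpoint goes through, and NO_PROXY lists hosts that bypass it. The script below is an added example, not code from this thread or from the AWS CLI; it resolves the proxy that would be used for a given endpoint URL under a constructed environment and flags the trust consequence (traffic routed through an intercepting proxy needs that proxy's CA in AWS_CA_BUNDLE, otherwise CERTIFICATE_VERIFY_FAILED is the expected outcome). The NO_PROXY matching rule is a close approximation of what common HTTP libraries do, not botocore's exact code; the proxy URL, bucket and host names are sample values.

```python
"""Resolve the proxy the AWS CLI environment would select for an endpoint.

Added example, not from the thread or the AWS CLI. Host names, bucket
names and the proxy URL are constructed sample values.
"""
from urllib.parse import urlsplit


def parse_no_proxy(value):
    """Split a NO_PROXY string into normalised, lower-cased entries."""
    entries = []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        # "*.example.com" and ".example.com" both mean "any sub-domain"
        if item.startswith("*."):
            item = item[1:]
        entries.append(item)
    return entries


def bypasses_proxy(host, no_proxy):
    """True when `host` matches a NO_PROXY entry.

    An entry matches if it equals the host or is a suffix of the host on a
    label boundary, so "s3.ap-southeast-2.amazonaws.com" also covers
    "bucket.s3.ap-southeast-2.amazonaws.com". A lone "*" bypasses everything.
    (Approximation of common HTTP-library behaviour; not botocore's code.)
    """
    host = host.lower().rstrip(".")
    for entry in parse_no_proxy(no_proxy):
        if entry == "*":
            return True
        name = entry.split(":")[0].lstrip(".")  # drop optional port and leading dot
        if host == name or host.endswith("." + name):
            return True
    return False


def proxy_for(url, env):
    """Return the proxy URL used for `url`, or None for a direct connection."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    no_proxy = env.get("NO_PROXY") or env.get("no_proxy") or ""
    if bypasses_proxy(host, no_proxy):
        return None
    key = "HTTPS_PROXY" if parts.scheme == "https" else "HTTP_PROXY"
    return env.get(key) or env.get(key.lower())


def diagnose(url, env):
    """Summarise the path `url` takes and what that means for TLS trust."""
    proxy = proxy_for(url, env)
    result = {"url": url, "proxy": proxy}
    if proxy is None:
        result["note"] = "direct: the endpoint's own certificate chain is verified"
    elif not env.get("AWS_CA_BUNDLE"):
        result["note"] = ("via proxy without AWS_CA_BUNDLE: if the proxy re-signs TLS, "
                          "expect CERTIFICATE_VERIFY_FAILED until its CA is configured")
    else:
        result["note"] = "via proxy with a custom CA bundle configured"
    return result


# Constructed sample environment mirroring the values quoted in the thread.
SAMPLE_ENV = {
    "HTTP_PROXY": "http://proxy.example.com:1234",
    "HTTPS_PROXY": "http://proxy.example.com:1234",
    "NO_PROXY": "169.254.169.254,s3.ap-southeast-2.amazonaws.com",
}

if __name__ == "__main__":
    for sample_url in ("https://s3.ap-southeast-2.amazonaws.com/my-bucket",
                       "https://s3.us-east-1.amazonaws.com/my-bucket",
                       "http://169.254.169.254/latest/meta-data/"):
        print(diagnose(sample_url, SAMPLE_ENV))
```

Run it with a real environment by passing `dict(os.environ)` instead of SAMPLE_ENV; the instance-metadata address shows why the NO_PROXY answer above lists 169.254.169.254 alongside the S3 endpoint.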

Linux:
$ export AWS_CA_BUNDLE="/data/ca-certs/ca-bundle.pem"
Windows:
PS C:\> setx AWS_CA_BUNDLE C:\data\ca-certs\ca-bundle.pem
$ aws s3 ls --ca-bundle "/data/ca-certs/ca-bundle.pem"

For me the EC2 instance date was incorrect; after changing the date and time, the problem was fixed.
I simply rebooted the EC2 instance.

When you use an AWS CLI command, you receive a "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed" error message. This is caused by the AWS CLI not trusting your proxy's certificate due to factors such as your proxy's certificate being self-signed, with your company set as the Certification Authority (CA). This prevents the AWS CLI from finding your company's CA root certificate in the local CA registry.
To fix this, instruct the AWS CLI where to find your company's .pem file using the ca_bundle configuration file setting, the --ca-bundle command line option, or the AWS_CA_Bundle environment variable.
Please refer to https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-certificate-verify-failed

aws configure set default.ca_bundle <your CA file>
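The CA-bundle answers above (the setx/openssl answer near the top, the AWS_CA_BUNDLE and --ca-bundle snippets, and the `aws configure set default.ca_bundle` one-liner) describe three ways of pointing the CLI at the same file. The script below is an added example, not code from this thread or from the AWS CLI; it applies the precedence the AWS docs give (command line option over environment variable over config file), then inspects the file for the two mistakes that keep the error alive after the bundle is configured: a DER certificate that was never run through the openssl conversion step, and a bundle with no usable PEM blocks. The PEM content it writes is a constructed placeholder with valid PEM framing, not a real certificate; the paths are sample values.

```python
"""Resolve the AWS CLI CA bundle and sanity-check the file it points at.

Added example, not from the thread or the AWS CLI. File contents and paths
are constructed samples.
"""
import base64
import configparser
import os
import re
import tempfile

PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(cli_flag=None, env=None, config_text="", profile="default"):
    """Return (source, path) using --ca-bundle > AWS_CA_BUNDLE > ca_bundle config."""
    env = env or {}
    if cli_flag:
        return "--ca-bundle", cli_flag
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    # The CLI config file names non-default profiles "[profile name]".
    section = profile if profile == "default" else "profile " + profile
    if cfg.has_option(section, "ca_bundle"):
        return "ca_bundle", cfg.get(section, "ca_bundle")
    return "builtin", None  # botocore's bundled cacert.pem would be used


def inspect_bundle(path):
    """Classify a bundle file: pem (with cert count), der, corrupt, empty or missing."""
    if not os.path.isfile(path):
        return {"status": "missing", "certs": 0}
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.strip():
        return {"status": "empty", "certs": 0}
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30; the
    # CLI expects PEM, so this is the "exported but never converted" case.
    if data[0] == 0x30:
        return {"status": "der", "certs": 0}
    blocks = PEM_BLOCK_RE.findall(data)
    if not blocks:
        return {"status": "no-pem-blocks", "certs": 0}
    for body in blocks:
        try:
            base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except (ValueError, base64.binascii.Error):
            return {"status": "corrupt", "certs": 0}
    return {"status": "pem", "certs": len(blocks)}


# Constructed placeholder: PEM framing around base64 of arbitrary bytes.
# NOT a real certificate; a real bundle has one block per CA certificate.
FAKE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(b"\x30\x82" + b"A" * 40)
                 + b"-----END CERTIFICATE-----\n")


def demo():
    """Write sample files to a temp dir, run the checks and return the results."""
    results = {}
    cfg = "[default]\nca_bundle = /other.pem\n"
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "ca-bundle.pem")
        der = os.path.join(tmp, "RootCert.der")
        with open(pem, "wb") as fh:
            fh.write(FAKE_PEM_CERT * 2)  # a two-certificate chain
        with open(der, "wb") as fh:
            fh.write(b"\x30\x82\x01\x0a" + b"\x00" * 20)  # DER-looking bytes
        results["pem"] = inspect_bundle(pem)
        results["der"] = inspect_bundle(der)
        results["missing"] = inspect_bundle(os.path.join(tmp, "nope.pem"))
        results["source_env"] = resolve_ca_bundle(env={"AWS_CA_BUNDLE": pem}, config_text=cfg)
        results["source_cfg"] = resolve_ca_bundle(config_text=cfg)
        results["source_flag"] = resolve_ca_bundle(cli_flag=der, env={"AWS_CA_BUNDLE": pem})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For a real check, call `resolve_ca_bundle(env=dict(os.environ), config_text=open(os.path.expanduser("~/.aws/config")).read())` and pass the returned path to `inspect_bundle`; a "der" result means the `openssl x509 -inform der` conversion from the first answer is still needed.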

I agree with the above answers; do the following:
1- Remove your CLI and install the latest CLI.
2- Check that the certificate exists: C:\Program Files\Amazon\AWSCLIV2\botocore\cacert.pem
3- If it doesn't exist, remove the CLI, go to C:\Program Files\ and remove Amazon.
4- Install the latest CLI version; it should work.
5- Try testing with your VPN connected.

Use the following option to overcome the SSL certificate issue:
aws s3 ls --no-verify-ssl

Related

After upgrading AWSCLIV2, aws-cli broke [duplicate]

AWS lightsail CLI command put-instance-public-ports doesn't work

So I'm trying to update firewall rules for my Lightsail instance. However, running the command
aws lightsail put-instance-public-ports --port-infos fromPort=22,protocol=TCP,toPort=22,cidrs=1.1.1.1 --instance-name Ubuntu-1
returns
Parameter validation failed:
Unknown parameter in portInfos[0]: "cidrs", must be one of: fromPort, toPort, protocol
In the description it seems that this functionality should be there? https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lightsail/put-instance-public-ports.html
Any idea where I mess up the command? Thanks!
Edit:
Updating aws cli version fixed the issue
Based on the comments, the issue was not the command used. The command was correct. The problem was with the outdated AWS CLI being used.
The solution was to update the AWS CLI.

AWS CLI: Could not connect to the endpoint URL

I was able to set up a pull from an S3 bucket on a Mac seamlessly, but have been struggling with an identical process on a PC (Windows). Here is what I have done; any help along the way would be much appreciated.
Installed awscli using pip.
Ran aws configure in the command prompt and input the proper access key ID and secret access key.
Ran the S3 command: G:\>aws s3 cp --recursive s3://url-index-given/ . (where the URL was replaced with url-index-given for example purposes).
And got this error:
fatal error: Could not connect to the endpoint URL: "https://url-index-given.s3.None.amazonaws.com/?list-type=2&prefix=&encoding-type=url"
I have tried uninstalling the awscli package and followed this process recommended by Amazon without any errors.
The error indicates you have given an invalid value for Region when using aws configure. (See the None in the URL? That is where the Region normally goes.)
You should run aws configure again and give it a valid region (e.g. us-west-2).

Invalid IPv6 URL while running commands using AWS CLI

I configured the AWS CLI on a Linux system.
While running any command like "aws ec2 describe-instances" it shows the error "Invalid IPv6 URL".
Ran into the same error.
Running this command fixed the error for me:
export AWS_DEFAULT_REGION=us-east-1
You might also try specifying the region when running any command:
aws s3 ls --region us-east-1
Hope this helps!
Or run aws configure and enter a valid region for the default region name.
I ran into this issue due to the region being wrongly typed. When you run aws configure during initial setup, if you try to delete a mistaken entry, it will end up having invalid characters in the region name.
Hopefully, running aws configure again will resolve your issue.
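Both region answers (the "s3.None.amazonaws.com" endpoint in the previous question and the invalid characters left behind by editing the `aws configure` prompt here) are symptoms of a bad `region` value in the CLI config. The script below is an added example, not code from these threads or from the AWS CLI; it reads a config file in the CLI's INI format, checks the region for the two failure modes the answers describe (absent, or containing non-printable characters), and shows the endpoint host that a missing region produces. The region name pattern is an assumption covering the conventional `<area>-<direction>-<n>` form (us-east-1, ap-southeast-2); the config texts are constructed samples.

```python
"""Check the region in an AWS CLI config file for the failure modes above.

Added example, not from the threads or the AWS CLI. Config texts are
constructed samples; REGION_RE is an assumed pattern for region names.
"""
import configparser
import re

# Assumed shape of a region name: two-letter area, one or more words, a number.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def region_from_config(config_text, profile="default"):
    """Return the region string for `profile`, or None when it is not set."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = profile if profile == "default" else "profile " + profile
    if cfg.has_option(section, "region"):
        return cfg.get(section, "region")
    return None


def check_region(region):
    """Return (ok, message) for a region value; None means unset."""
    if region is None:
        return False, "no region configured: endpoints are built as <service>.None.amazonaws.com"
    hidden = [c for c in region if not (c.isascii() and c.isprintable())]
    if hidden:
        # The 'Invalid IPv6 URL' case: control characters left by editing the prompt.
        return False, "region contains non-printable characters %r; re-run aws configure" % hidden
    if region != region.strip():
        return False, "region has leading or trailing whitespace"
    if not REGION_RE.match(region):
        return False, "region %r does not look like a region name" % region
    return True, "ok"


def s3_endpoint(bucket, region):
    """Build the S3 host in the shape the error message in the question shows."""
    return "https://%s.s3.%s.amazonaws.com/" % (bucket, region)


# Constructed sample configs.
SAMPLE_CONFIG_OK = "[default]\nregion = us-west-2\noutput = json\n"
SAMPLE_CONFIG_MISSING = "[default]\noutput = json\n"
# A backspace character left behind while correcting a typo at the prompt.
SAMPLE_CONFIG_GARBLED = "[default]\nregion = us-east-1\x08\n"

if __name__ == "__main__":
    for text in (SAMPLE_CONFIG_OK, SAMPLE_CONFIG_MISSING, SAMPLE_CONFIG_GARBLED):
        region = region_from_config(text)
        print(repr(region), check_region(region), s3_endpoint("url-index-given", region))
```

To run it against a real setup, read `~/.aws/config` (or `%UserProfile%\.aws\config` on Windows) into `region_from_config`; a non-printable character in the result is the case the answer above describes, and re-running `aws configure` overwrites it.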

aws cli: invalid security token

I'm trying to create a reusable delegation set to use as whitelisted nameservers for my domains, using the AWS CLI on Mac OS X. My AWS credentials (those of an IAM profile I created for that purpose with full administrator privileges, and location set to us-east-1) were correctly entered during setup and accepted by the system.
When entering the command
$ aws route53 create-reusable-delegation-set --caller-reference [CALLER-REFERENCE] --hosted-zone-id [HOSTED_ZONE] --generate-cli-skeleton
the request is successful and I get the response:
{
"CallerReference": "",
"HostedZoneId": ""
}
But when I remove --generate-cli-skeleton and enter
aws route53 create-reusable-delegation-set --caller-reference [CALLER-REFERENCE] --hosted-zone-id [HOSTED_ZONE]
I get this:
An error occurred (InvalidClientTokenId) when calling the CreateReusableDelegationSet operation: The security token included in the request is invalid.
In reality, my IAM credentials, despite being valid, and despite the profile I am using (donaldjenkins) having full administrator privileges, are refused systematically in all AWS services and for all commands, not just Route53.
I've been unable to pinpoint the cause of this despite extensive research. Any suggestions gratefully received.
Deleting my credentials file (Linux, macOS, or Unix: ~/.aws; Windows: %UserProfile%\.aws) and then running aws configure again worked for me.
The solution is to delete existing credentials for the IAM user and issue new ones. For some reason the credentials recorded during the initial setup of aws cli never worked properly, but overwriting them with new ones removed the issue instantly.
I had the exact same issue.
I'm running NodeJS on my local environment, and trying to deploy to Amazon using CodeDeploy and some other AWS tools.
What worked for me was to delete the current config and credentials files, regenerate a new key and use it. This was after I originally installed the AWS CLI and added the keys; I had to add the keys again.
Depending on your folder structure, navigate to your home directory.
On mac if you open a new terminal, it should show your current home directory: "/Users/YOURNAME"
cd .aws
rm -rf config
rm -rf credentials
After you do this, go back to your home directory, then run:
aws configure
Enter your Key and secret key.
You can find more details here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration under Quickly Configuring the AWS CLI