8

The below code is for getting the regions.

```python
import boto3
ec2 = boto3.client('ec2', 'region-name')
print(ec2.describe_regions())
```

On executing this code on my machine, I'm getting this error.

```
botocore.exceptions.SSLError: SSL validation failed for https://ec2.region-name.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)
```

I am running this code on a Windows 10 machine with VS Code as my editor. I looked at other answers, which required installing the Install Certificates.command file. However, it looks like that file is found on macOS only.

Can someone tell me the reason for this issue as well?

Also, last week I got a notification from AWS that they are updating all their AWS FIPS endpoints to TLS 1.2 and hence need to connect to TLS version 1.2 FIPS endpoints. I checked my TLS version here. It says I have TLS version 1.2. Is there anything related to this? Because prior to this notification, my script was running perfectly.

Could someone please tell me the reason for this error and a possible correction? Also, correct me if I mentioned something wrong in my understanding.

shreyaskar

2 Answers

6

`[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate` happens because the Python ssl library can't find certificates on your local machine to verify against.

One way to debug is to see if you have your ca_bundle set to something else:

```
python -c "from botocore.session import Session; print(Session().get_config_variable('ca_bundle'))"
```

If it doesn't print anything, then it uses the default path. You can check the default path with:

```
python -c "import ssl; print(ssl.get_default_verify_paths())"
```

If ca_bundle prints something, then it was set by the `AWS_CA_BUNDLE` environment variable or by `aws configure set default.ca_bundle <some path>` in the past. Also check `~/.aws/config` in case you accidentally set it there (config file location for Windows: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

Install Certificates.command is basically a Python script that you can run yourself: https://gist.github.com/marschhuynh/31c9375fc34a3e20c2d3b9eb8131d8f3 . Save it as install-cert.py and run it with `python install-cert.py`.

cakraww
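The checks from the answer above, combined into one standard-library script so they can be run without boto3 installed. This is an added example, not part of the original answer; the function names are hypothetical, the order in which `AWS_CA_BUNDLE` is consulted before the config file's `ca_bundle` key is an assumption, and the PEM marker test only tells a usable-looking bundle from a missing or empty one.

```python
import configparser
import os
import ssl

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def configured_ca_bundle(env, config_text, profile="default"):
    """Return (source, path) of an explicit CA bundle override, else (None, None).

    Assumption: AWS_CA_BUNDLE is consulted before ca_bundle in the config file.
    """
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_option(section, "ca_bundle"):
        return f"config file [{section}]", parser.get(section, "ca_bundle")
    return None, None

def check_bundle(path):
    """Return 'missing', 'empty' (no PEM certificate block) or 'ok'."""
    if not path or not os.path.isfile(path):
        return "missing"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "ok" if PEM_MARKER in fh.read() else "empty"

def diagnose():
    """Report which trust material this machine's Python is pointed at."""
    cfg = os.path.expanduser(os.environ.get("AWS_CONFIG_FILE", "~/.aws/config"))
    text = ""
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as fh:
            text = fh.read()
    profile = os.environ.get("AWS_PROFILE", "default")
    source, path = configured_ca_bundle(os.environ, text, profile)
    if source:
        lines = [f"override from {source}: {path} -> {check_bundle(path)}"]
    else:
        lines = ["no ca_bundle override configured"]
    paths = ssl.get_default_verify_paths()
    lines.append(f"OpenSSL cafile: {paths.cafile} -> {check_bundle(paths.cafile)}")
    lines.append(f"OpenSSL capath: {paths.capath}")
    stats = ssl.create_default_context().cert_store_stats()
    lines.append(f"CA certs in default context: {stats['x509_ca']}")
    return lines

if __name__ == "__main__":
    print("\n".join(diagnose()))
```

An override that reports `missing` or `empty` points at a stale `ca_bundle` setting left in the environment or config file.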
4

This question has already been answered on Stack Overflow before.

Try out the following solutions:

Note: There is another solution related to disabling the SSL verification but that is not recommended.

Abdullah Khawer
  • @shreyaskar, the links I have shared with you have the reasons as well. It could be due to missing AWS credentials not configured using the AWS CLI configure command, outdated Python modules like certifi, requests, urllib3 or pyopenssl, an outdated version of the AWS CLI, missing environment variables in Windows related to HTTP/HTTPS proxy, CA certificate issues related to content or location, or Fiddler running. – Abdullah Khawer Aug 25 '20 at 15:29
  • I checked all the links. Still no resolution. I don't have any Fiddler running & no certificates were installed earlier when my script was working. So this error must be from something else. Also, please have a look at the error code: **_ssl.c:1108**. The links you mentioned were I guess for some other error. – shreyaskar Sep 04 '20 at 05:37
  • @shreyaskar, Try out this answer: https://stackoverflow.com/a/61221942/11758843 – Abdullah Khawer Sep 04 '20 at 06:10
  • Suggesting the question is already solved elsewhere should really be a comment, not an answer... – Zach Rieck May 25 '22 at 16:26