Summary:
This kind of error occurs when your Python environment or the AWS CLI cannot validate a server's SSL certificate against its local trust store. It is commonly seen in corporate networks with SSL inspection or with outdated certificate bundles.
What This Error Means
When our Python code or the AWS CLI makes a secure HTTPS request, the underlying library (urllib3 or botocore) attempts to verify that the server’s certificate is signed by a trusted certificate authority. If Python cannot find the Root Certificate of that authority in its local files, it aborts the connection to protect you from a potential man-in-the-middle attack.
Where the error usually appears:
- While we run aws s3 ls or other AWS commands.
- While running scripts that use boto3 or requests.
- If we are behind proxies like Zscaler that intercept SSL traffic.
- After a fresh Python installation.
What Causes This Python Error?
1. Enterprise SSL Inspection
Many companies use proxies that decrypt and re-encrypt your traffic. These proxies use a “Self-Signed” Root CA that your Python environment does not trust.
2. Missing macOS Certificates
A Python installation on macOS comes with no certificates by default. Until you run the “Install Certificates” command, every HTTPS request will fail.
3. Obsolete Certifi Package
urllib3 and requests depend on a separate package named certifi for their list of trusted roots. If this package is outdated, it will not know about recent certificate authorities, such as Let’s Encrypt.
How I Fixed This Error (Step-by-Step)
I just went through this process when implementing an AWS Lambda deployment from a new laptop. This is what I did to troubleshoot and repair the issue.
✅ Step 1: Identify the Root Cause
Execute the AWS CLI with the “--debug” flag to identify at what point during the handshake it fails:
aws s3 ls --debug
If you encounter urllib3.exceptions.SSLError: unable to get local issuer certificate, it means that you are missing the Root CA in your Python SSL store.
✅ Step 2: Apply the Fix
General Python/urllib3: The best solution here would be to use pip-system-certs, so you’re able to use the system certificates provided by your OS.
pip install pip-system-certs
When working specifically with the AWS CLI: If you’re using an office proxy connection, you have to point the AWS CLI at your office’s .pem certificate bundle.
# Incorrect (Bypassing security - NOT RECOMMENDED)
# aws s3 ls --no-verify-ssl

# Correct Fix: Point to your cert bundle
export AWS_CA_BUNDLE=/path/to/your/company-root-ca.pem
aws s3 ls
✅ Step 3: Verify the Fix
Rerun your command. If it comes through without the traceback, then your certificate chain is properly trusted.
Common Mistakes That Trigger This Error
- Using --no-verify-ssl: Although this “resolves” the issue, it means you transmit AWS credentials over a connection that may not be verified.
- Upgrading global Python but skipping venv: Keep in mind that every virtual environment has its own certifi bundle.
- System Clock desync: If your computer's system clock is incorrect, SSL certificates can appear expired, which causes an error during verification.
How to Prevent This Error in Production
Docker Containers:
Always update the CA store in your Dockerfile:
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates
Environment Variables:
To ensure consistency, you can set the environment variables REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE when running your CI/CD pipelines.
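A preflight check for the environment-variable approach above, as an added example that is not part of the original post: it confirms that AWS_CA_BUNDLE and REQUESTS_CA_BUNDLE point to files Python's ssl module can actually load as PEM CA bundles, so a pipeline fails early instead of at the first HTTPS call. The function names and status strings are this example's own, and treating any expired CA in the bundle as a failure is an assumption.

```python
import os
import ssl
import sys
import time

# Variables named on this page; the status strings below are this example's own.
BUNDLE_VARS = ("AWS_CA_BUNDLE", "REQUESTS_CA_BUNDLE")


def check_bundle(path, now=None):
    """Return (status, detail) for one CA bundle path."""
    if not path:
        return ("unset", "variable is not set; the client falls back to its default bundle")
    if not os.path.isfile(path):
        return ("missing", f"{path} does not exist or is not a file")
    # A bare client context starts with an empty trust store, so everything
    # reported afterwards comes from this file alone.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        return ("invalid", f"{path} is not a readable PEM bundle: {exc}")
    now = time.time() if now is None else now
    cas = ctx.get_ca_certs()
    if not cas:
        return ("invalid", f"{path} contains no CA certificates")
    # Assumption: any expired CA is reported as a failure (strict policy).
    expired = [c for c in cas if ssl.cert_time_to_seconds(c["notAfter"]) < now]
    if expired:
        return ("expired", f"{len(expired)} of {len(cas)} CA certificates are past notAfter")
    return ("ok", f"{len(cas)} CA certificates loaded")


def preflight(env):
    """Check every variable in BUNDLE_VARS; return {name: (status, detail)}."""
    return {name: check_bundle(env.get(name)) for name in BUNDLE_VARS}


def main():
    results = preflight(os.environ)
    for name, (status, detail) in results.items():
        print(f"{name}: {status} - {detail}")
    # Fail the pipeline step unless every bundle is usable.
    return 0 if all(s == "ok" for s, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the first step of a pipeline job; a non-zero exit code means at least one variable is unset or points to an unusable bundle.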
Regular Updates:
Use tools such as Dependabot to keep certifi and urllib3 up to date.
Related Python Errors You May Face Next
- botocore.exceptions.EndpointConnectionError: Usually caused if the proxy is blocking the endpoint completely.
- urllib3.exceptions.MaxRetryError: Triggered when the SSL handshake fails repeatedly.
- ProxyError: Specific to misconfigured HTTP_PROXY or HTTPS_PROXY variables.
Frequently Asked Questions (FAQ)
❓ Is this a Python bug?
No, it’s rather a safety feature to protect you from connecting to the wrong server.
❓ Why does it only happen in the terminal and not my browser?
Browsers like Chrome rely on the System Keychain, whereas Python relies on its own file, which is provided by the certifi library.
❓ Can I just disable SSL check?
Yes, using verify=False or --no-verify-ssl, but this is strongly discouraged in any production environment.
Author’s Note
I spent three hours debugging this problem on Windows, only to realize that my company VPN had silently installed my company certificates in the Windows Store, and Python was ignoring them. Installing “pip system certificates,” however, solved my problem in an instant by requiring Python to install them. On your company laptop, this is called a “silver bullet.”
You can read our other blog on ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed and pip install ssl certificate_verify_failed

