AWS CLI: SSL Validation Failed – [SOLVED]

When you run a command in the AWS CLI, for example aws s3 ls, you may get the following error:

SSL validation failed for <endpoint_url> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

To work around the issue, you can add the --no-verify-ssl option to the AWS CLI command:

$ aws s3 ls --no-verify-ssl

But this is not secure, because the endpoint's certificate is no longer verified, and it will cause the following warning:

InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings


AWS CLI: SSL Validation Failed

To use the AWS CLI with HTTPS certificate verification, specify the path to a custom certificate bundle.

This can be done by setting the AWS_CA_BUNDLE environment variable.

Linux:
$ export AWS_CA_BUNDLE="/data/ca-certs/ca-bundle.pem"

Windows (setx applies to new sessions only, so open a new PowerShell window afterwards):
PS C:\> setx AWS_CA_BUNDLE C:\data\ca-certs\ca-bundle.pem

Or by using the --ca-bundle command-line parameter:

$ aws s3 ls --ca-bundle "/data/ca-certs/ca-bundle.pem"

Or by setting ca_bundle in the AWS CLI configuration file:

$ nano ~/.aws/config
$ cat ~/.aws/config
[default]
ca_bundle = /data/ca-certs/ca-bundle.pem
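
When the three settings above disagree, the AWS CLI gives the command-line option precedence over the environment variable, and the environment variable precedence over the config file. The script below is an added example, not part of the original article or of the AWS CLI: its function names are hypothetical helpers, and it assumes the profile is selected through AWS_PROFILE. It reports which setting wins and checks that the file it points to is readable and holds complete PEM blocks.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not AWS CLI commands.

# Print the ca_bundle value set for a profile in the config file (empty if unset).
config_ca_bundle() (
    profile=${1:-default}
    file=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    [ -r "$file" ] || exit 0
    # The default profile is "[default]"; named ones are "[profile NAME]".
    if [ "$profile" = default ]; then section="[default]"
    else section="[profile $profile]"; fi
    awk -v want="$section" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*ca_bundle[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
)

# Print "SOURCE:PATH" following AWS CLI precedence: --ca-bundle option first,
# then AWS_CA_BUNDLE, then ca_bundle in the config file; "none:" if unset.
effective_ca_bundle() (
    cli_value=${1:-}
    cfg=$(config_ca_bundle "${AWS_PROFILE:-default}")
    if [ -n "$cli_value" ]; then printf 'cli:%s\n' "$cli_value"
    elif [ -n "${AWS_CA_BUNDLE:-}" ]; then printf 'env:%s\n' "$AWS_CA_BUNDLE"
    elif [ -n "$cfg" ]; then printf 'config:%s\n' "$cfg"
    else printf 'none:\n'
    fi
)

# Structural check only: the file is readable and holds complete PEM blocks.
# It does not verify signatures, trust chains or expiry dates.
check_bundle() (
    path=$1
    [ -r "$path" ] || { echo "unreadable: $path"; exit 1; }
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$path" || true)
    if [ "$begins" -eq 0 ]; then echo "no PEM certificates: $path"; exit 1; fi
    if [ "$begins" -ne "$ends" ]; then echo "truncated PEM block: $path"; exit 1; fi
    echo "ok: $begins certificate block(s)"
)

# Report the winning setting; pass the value given to --ca-bundle, if any.
report() {
    found=$(effective_ca_bundle "${1:-}")
    echo "source: ${found%%:*}  path: ${found#*:}"
    [ "${found%%:*}" = none ] || check_bundle "${found#*:}"
}
```

Source the file and call `report`, or `report /data/ca-certs/ca-bundle.pem` to model a `--ca-bundle` argument. A path that fails `check_bundle` is a common reason the error persists after the variable has been set.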