AWS CLI: SSL Validation Failed – [SOLVED]

When you run a command in the AWS CLI, for example aws s3 ls, you may get the following error:

SSL validation failed for <endpoint_url> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

To work around the issue you can add the --no-verify-ssl option to the AWS CLI:

$ aws s3 ls --no-verify-ssl

But this is not secure, because it turns off certificate verification for the request, and it causes the following warning:

InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings


AWS CLI: SSL Validation Failed

To use the AWS CLI with HTTPS certificate verification, you need to specify the path to a custom certificate bundle.

This can be done by setting the AWS_CA_BUNDLE environment variable.

Linux:
$ export AWS_CA_BUNDLE="/data/ca-certs/ca-bundle.pem"

Windows:
PS C:\> setx AWS_CA_BUNDLE C:\data\ca-certs\ca-bundle.pem

Or by using the --ca-bundle command-line parameter:

$ aws s3 ls --ca-bundle "/data/ca-certs/ca-bundle.pem"

Or by setting ca_bundle in the AWS CLI configuration file:

$ nano ~/.aws/config
$ cat ~/.aws/config
[default]
ca_bundle = /data/ca-certs/ca-bundle.pem
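
Before pointing any of these settings at a file, it helps to confirm that the file is readable and actually parses as PEM certificates. The script below is an added example, not part of the original post or of the AWS CLI; check_ca_bundle is a hypothetical helper, and it assumes that Python's standard ssl module accepts the same bundles the CLI's HTTPS stack does.

```python
import os
import ssl
import sys
import time


def check_ca_bundle(path, now=None):
    """Pre-flight check for a PEM file intended for AWS_CA_BUNDLE / --ca-bundle.

    Hypothetical helper: returns a dict with ok, certs, expired and error.
    """
    result = {"ok": False, "certs": 0, "expired": [], "error": None}
    now = time.time() if now is None else now
    if not os.path.isfile(path):
        result["error"] = "not a regular file"
        return result
    if not os.access(path, os.R_OK):
        result["error"] = "not readable by the current user (check owner and mode)"
        return result
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Parses the certificates in the file, as a TLS client would.
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"no usable PEM certificates: {exc}"
        return result
    result["certs"] = ctx.cert_store_stats()["x509"]
    for cert in ctx.get_ca_certs():
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            # subject is a tuple of RDNs; flatten it to "key=value" pairs
            subject = ", ".join(f"{k}={v}" for rdn in cert["subject"] for k, v in rdn)
            result["expired"].append(subject)
    result["ok"] = result["certs"] > 0
    if not result["ok"]:
        result["error"] = "file parsed but contains no certificates"
    return result


if __name__ == "__main__":
    # Usage: python check_ca_bundle.py /data/ca-certs/ca-bundle.pem
    bundle = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("AWS_CA_BUNDLE", "")
    report = check_ca_bundle(bundle)
    print(bundle, report)
    sys.exit(0 if report["ok"] else 1)
```

A non-empty expired list does not fail the check, but an expired private root or proxy CA in the bundle is a common reason the same error comes back after the bundle is configured.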

7 Replies to “AWS CLI: SSL Validation Failed – [SOLVED]”

  1. Art Bergquist says:

    The following text:
    “To workaround the issue you can add the --no-verify-ssl option to the AWS CLI:”
    needs to be replaced with the following text:
    “To work around the issue, you can add the --no-verify-ssl option to the AWS CLI:”

    1. Done. Thanks.

  2. What is this .pem file? Is it something I can generate? My Ubuntu has no /data/ directory. Do I need to configure SSL on my desktop?

  3. Where can I get this? “/data/ca-certs/ca-bundle.pem”

  4. The AWS ca_bundle.pem is included in the AWS CLI. Do you have that installed? If not, you can install it or upgrade it if it is old. See this thread: https://stackoverflow.com/questions/32946050/ssl-certificate-verify-failed-in-aws-cli

  5. My case dealt with a 640 permission setting on the pem file.
