botocore.exceptions.SSLError: SSL validation failed on Windows
S

4

14

The below code is for getting the regions.

import boto3
ec2 = boto3.client('ec2', 'region-name')
print(ec2.describe_regions())

On executing this code on my machine, I'm getting this error.

botocore.exceptions.SSLError: SSL validation failed for https://ec2.region-name.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

I am running this code on a Windows 10 machine with VS Code as my editor. I looked at other answers, which required running the Install Certificates.command file. However, it looks like that is found on macOS only.

Can someone tell me the reason for this issue as well?

Also, last week I got a notification from AWS that they are updating all their AWS FIPS endpoints to TLS 1.2 and hence I need to connect to TLS version 1.2 FIPS endpoints. I checked my TLS version here. It says I have TLS version 1.2. Is there anything related to this? Because prior to this notification, my script was running perfectly.

Could someone please tell me the reason for this error and a possible correction? Also, correct me if I mentioned something wrong in my understanding.

Sowens answered 24/8, 2020 at 8:40 Comment(0)
V
17

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate occurs because the Python ssl library can't find certificates on your local machine to verify against.

One way to debug is to see if you have your ca_bundle set to something else:

python -c "from botocore.session import Session; print(Session().get_config_variable('ca_bundle'))"

If it doesn't print anything, then it uses the default path. You can check the default path with:

python -c "import ssl; print(ssl.get_default_verify_paths())"

If ca_bundle prints something, then it was set by the AWS_CA_BUNDLE environment variable or by aws configure set default.ca_bundle <some path> in the past. Also check ~/.aws/config in case you accidentally set it there (config file location for Windows: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

Install Certificates.command is basically a Python script that you can run yourself: https://gist.github.com/marschhuynh/31c9375fc34a3e20c2d3b9eb8131d8f3 . Save it as install-cert.py and run it with python install-cert.py

Vendible answered 22/5, 2021 at 0:30 Comment(0)
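
The checks from the answer above combined into one script, as an added example that is not part of the original answer and is not botocore's own code. It resolves the override in the order the answer names (AWS_CA_BUNDLE, then ca_bundle in the AWS config file) and tries to load that file with the standard ssl module; the function names are made up for this example, and it reads the config file directly instead of calling botocore.

```python
import configparser
import os
import ssl


def resolve_ca_bundle(env=None, config_path=None, profile="default"):
    """Return (path, source) of a CA bundle override, or (None, "default")."""
    env = os.environ if env is None else env
    if env.get("AWS_CA_BUNDLE"):
        return env["AWS_CA_BUNDLE"], "AWS_CA_BUNDLE environment variable"
    config_path = (config_path or env.get("AWS_CONFIG_FILE")
                   or os.path.expanduser("~/.aws/config"))
    parser = configparser.RawConfigParser()
    parser.read(config_path)  # a missing file is skipped without error
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_option(section, "ca_bundle"):
        return parser.get(section, "ca_bundle"), f"ca_bundle in {config_path}"
    return None, "default"


def check_bundle(path):
    """Try to load path as a PEM CA file; return (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # FileNotFoundError and ssl.SSLError are OSErrors
        return False, f"{type(exc).__name__}: {exc}"
    return True, f"{ctx.cert_store_stats()['x509_ca']} CA certificates loaded"


def diagnose(env=None, config_path=None, profile="default"):
    """Report which CA bundle setting applies and whether it is usable."""
    path, source = resolve_ca_bundle(env, config_path, profile)
    if path is None:
        # No override: report the interpreter defaults without judging them.
        defaults = ssl.get_default_verify_paths()
        return {"source": source, "path": defaults.cafile or defaults.capath,
                "ok": None, "detail": "no ca_bundle override is set"}
    ok, detail = check_bundle(path)
    return {"source": source, "path": path, "ok": ok, "detail": detail}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

If `ok` is False, the override points at a missing or unreadable bundle and should be corrected or removed. Once a valid bundle is known, boto3's `verify` parameter also accepts its path, which keeps certificate verification on.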
A
2
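import boto3

from urllib3.exceptions import InsecureRequestWarning
from urllib3 import disable_warnings

# Silence the warning urllib3 emits for unverified HTTPS requests
disable_warnings(InsecureRequestWarning)

session = boto3.Session(profile_name='dev')
# verify=False turns off TLS certificate verification for this client
client = session.client('ec2', verify=False)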
Amaranthaceous answered 4/4, 2023 at 9:45 Comment(2)
Remember that Stack Overflow isn't just intended to solve the immediate problem, but also to help future readers find solutions to similar problems, which requires understanding the underlying code. This is especially important for members of our community who are beginners, and not familiar with the syntax. Given that, can you edit your answer to include an explanation of what you're doing and why you believe it is the best approach? – Ringhals
As much as I don't endorse code-only answers, this is a valid WORKAROUND and should be used only as a very last resort. As much as possible, do verify your TLS connections people! This snippet disables all the safeties of TLS and host verifications, so you could leave yourself open to MITM attacks. Do not use in production. – Nonrecognition
H
1

Maybe an edge case, but I was having this issue sending requests to a docker container, and the fix for me was hitting the docker container at http://localhost:8000 instead of https://localhost:8000 since the container couldn't receive SSL requests. Hopefully that helps anyone in this particular situation!

Hay answered 3/8, 2022 at 5:18 Comment(0)
H
0

You can try disabling SSL verification:

import boto3
aws_client = boto3.client(service_name="bedrock", region_name="us-west-2", verify=False)

If you're in a development environment and it's safe to do so, you can disable SSL verification. However, this is not recommended for production environments due to security risks.

Hangdog answered 1/8, 2024 at 9:57 Comment(0)
