AWS CLI - [SSL : CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)

Asked 27/3, 2020 at 6:22 Answered 9/7 at 17:56

Solved amazon-web-services ssl-certificate amazon-elastic-beanstalk aws-cli

Am trying to use AWS-CLI to retrieve aws elasticbeanstalk details, but am getting the following error.

Error message:

C:\abdul>aws elasticbeanstalk describe-environments --environment-name myenvname

SSL validation failed for https://elasticbeanstalk.us-east-1.amazonaws.com/ [SSL
: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate
in certificate chain (_ssl.c:1056)

Note:

I can work without any issues when I try to retrieve my EC2 details,

C:\abdul>aws ec2 describe-instances --instance-ids 'i-xxxxxxxxxxxxxx'

Above command works without any issues, I get the above error only when I try "elasticbeanstalk" commands.

Note: I have all the necessary certificates required in place.

Thanks in advance.

Regality answered 27/3, 2020 at 6:22 Comment(0)

I found my way to this post while Googling. In my case, the error message I received was: SSL validation failed for https://ec2.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)

I found this blog which told me to add an Environment Variable called AWS_CA_BUNDLE whose value was a path pointing to the CA Cert file (which I had saved on my local machine after requesting it from our corporate network team). Once I added that environment variable, I was able to run my AWS CLI commands successfully!

Tew answered 22/1, 2021 at 23:24 Comment(0)

Steps to get this working in macOS/Linux

Download the Corporate Self-Signed Certificates using OpenSSL

   openssl s_client -showcerts -verify 5 -servername ec2.us-west-2.amazonaws.com -connect ec2.us-west-2.amazonaws.com:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done

Create a bundle.pem by concatenating all the files fetched from the first command.

cat ec2_us-west-2_amazonaws_com.pem company_intermediate.pem company_root.pem >bundle.pem

Make it available in AWS_CA_BUNDLE environment variable.

export AWS_CA_BUNDLE=/Users/velayutham/work/corp-cert/bundle.pem

aws ec2 describe-instances --region us-west-2 ==> This should work fine now.

Tarmac answered 10/12, 2022 at 5:17 Comment(0)

I had the same issue. This is how I resolved it.
Run below command first

$export REQUESTS_CA_BUNDLE=/path/to/company/certificate.crt

And then run AWS cli command

aws elasticbeanstalk describe-environments --environment-name myenvname

Ailing answered 18/1, 2021 at 16:0 Comment(0)

Check the permissons on the /usr/local/aws-cli/v2/current/dist/awscli/botocore/cacert.pem file. Mine was 640. In fact, I had to adjust the permission on the whole install.

Digiacomo answered 4/4, 2023 at 19:56 Comment(0)

Solution:

export AWS_CA_BUNDLE=/usr/local/etc/ca-certificates/cert.pem

export REQUESTS_CA_BUNDLE=/usr/local/etc/ca-certificates/cert.pem

Siegbahn answered 9/7 at 17:56 Comment(0)

Recommended topics

Hot tags