
SSL CERTIFICATE_VERIFY_FAILED in AWS CLI

When working with the AWS Command Line Interface (CLI), users might encounter an error: SSL: CERTIFICATE_VERIFY_FAILED. This can be bewildering, especially when trying to execute simple commands like listing available S3 buckets or retrieving instances from EC2. Understanding this error, its causes, and solutions is crucial for effective operations with AWS CLI.

Understanding the SSL: CERTIFICATE_VERIFY_FAILED Error

The error SSL: CERTIFICATE_VERIFY_FAILED suggests a problem during the SSL/TLS handshake. This is a crucial stage where the client (AWS CLI) verifies the server's certificate against its trusted Certificate Authorities (CAs). If this verification fails, the CLI refuses to establish a secure connection, resulting in this error.

Possible Causes:

  1. Outdated CA Certificates: The CA bundle used by the AWS CLI might be outdated or missing. Root and intermediate CA certificates expire and are replaced over time, so the local CA bundle must be kept current.
  2. Network Interception: Sometimes, network firewalls or proxies intercept SSL traffic to inspect it, replacing the remote server's certificate with one of their own. If the intermediary's CA certificate isn't part of your local CA store, verification fails.
  3. Incorrect System Time: Certificate validation checks the certificate's validity period against the system clock. If the system time is wrong, an otherwise valid certificate can appear expired or not yet valid, leading to the error.
  4. Misconfigured Environment: The AWS CLI might be referencing an incorrect or invalid path for the CA bundle due to configuration errors or environment variable settings.

Solutions and Workarounds

Updating CA Certificates

For most systems, updating the trusted CA certificate bundle can be done through package managers.

On Linux (Debian/Ubuntu and derivatives, which provide update-ca-certificates):

```bash
sudo update-ca-certificates
```

On macOS:

```bash
brew install ca-certificates
```

Ensure your system's package repository is updated to fetch the latest certificates.

Adjusting AWS CLI Configuration

You might need to explicitly define the path to the CA bundle if it's not detected automatically:

  1. Configuring via CLI Options:

```bash
aws configure set ca_bundle /path/to/ca-certificate.crt
```

  2. Environment Variable:

```bash
export AWS_CA_BUNDLE=/path/to/ca-certificate.crt
```

This approach is particularly useful if you are using custom or internal CA certificates.
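To see which of these settings the CLI will actually honour, and whether the file it points at is a usable PEM bundle, the following added diagnostic (not part of the article or the AWS CLI) resolves the bundle the way botocore is assumed to: AWS_CA_BUNDLE first, then `ca_bundle` in the active profile of the config file, else the built-in bundle. The config file and PEM text in SAMPLE_CONFIG and SAMPLE_PEM are constructed inputs, not real certificates.

```python
"""Resolve the CA bundle the AWS CLI will use and sanity-check its PEM content."""
import base64
import configparser
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed samples (not real data): a config selecting a corporate bundle for the
# "corp" profile, and a PEM block whose DER payload is just a minimal SEQUENCE.
SAMPLE_CONFIG = "[default]\nregion = us-east-1\n\n[profile corp]\nca_bundle = /etc/pki/corp-ca.pem\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def resolve_ca_bundle(env, config_text):
    """Return (path, source) for the bundle the CLI would pick; path is None for the built-in one."""
    if env.get("AWS_CA_BUNDLE"):                       # env var beats the config file
        return env["AWS_CA_BUNDLE"], "AWS_CA_BUNDLE env var"
    profile = env.get("AWS_PROFILE", "default")
    section = "default" if profile == "default" else f"profile {profile}"  # ~/.aws/config naming
    cfg = configparser.RawConfigParser()
    cfg.read_string(config_text)
    if cfg.has_option(section, "ca_bundle"):
        return cfg.get(section, "ca_bundle"), f"config file [{section}]"
    return None, "CLI built-in bundle"


def check_bundle_text(data):
    """Return a list of problems found in a PEM bundle's text; empty means it looks sane."""
    problems = []
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        problems.append("no PEM certificate blocks found")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            problems.append(f"certificate #{i}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:                  # every X.509 cert starts with a DER SEQUENCE
            problems.append(f"certificate #{i}: decoded bytes are not a DER SEQUENCE")
    return problems


if __name__ == "__main__":                             # run against the real environment
    cfg_path = os.environ.get("AWS_CONFIG_FILE") or os.path.expanduser("~/.aws/config")
    text = open(cfg_path).read() if os.path.isfile(cfg_path) else ""
    path, source = resolve_ca_bundle(os.environ, text)
    print(f"CA bundle: {path or '(built-in)'}  (from {source})")
    if path and not os.path.isfile(path):
        print(f"problem: {path} does not exist")
    elif path:
        print("\n".join(check_bundle_text(open(path).read())) or "bundle looks sane")
```

A bundle that resolves to a missing or malformed file is the "Misconfigured Environment" case from the list above; a sane bundle that still fails points at interception, expiry or clock problems instead.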

Handling Network Interception

Verify with your network administrator if any SSL interception is occurring. If so, request the internal CA certificate used for interception and add it to your local trust store.

Correcting System Time

On Linux or Unix-based systems, a one-off synchronization against an NTP server can be done with ntpdate (a running ntp or chrony service keeps the clock correct afterwards):

```bash
sudo ntpdate -u pool.ntp.org
```

Verify Firewall and Proxy Settings

Ensure that your network's firewall or proxy settings allow for an unobstructed SSL/TLS connection. If using a proxy, configure the AWS CLI to work with it correctly:

```bash
export HTTPS_PROXY=http://proxy.example.com:port
```

In some environments, especially testing, it can be tempting to bypass SSL certificate checks:

```bash
aws s3 ls --no-verify-ssl
```

Warning: This approach is not recommended for production environments as it exposes the connection to man-in-the-middle attacks.

Summary Table

| Cause                     | Solution                                   |
|---------------------------|--------------------------------------------|
| Outdated CA Certificates  | Update CA bundle with package manager.     |
| Network Interception      | Add intermediary CA to local store.        |
| Incorrect System Time     | Use ntp to sync time with a time server.   |
| Misconfigured Environment | Specify CA path in AWS CLI or env vars.    |
| Firewall/Proxy Issues     | Adjust proxy settings correctly.           |

By understanding the various causes of SSL: CERTIFICATE_VERIFY_FAILED, AWS CLI users can troubleshoot and resolve the issue effectively, ensuring secure and stable interactions with their cloud resources.
