certificate verify failed: unable to get local issuer certificate #9190

Closed
gitissuepost opened this issue Jan 7, 2025 · 6 comments
Labels
bug This issue is a bug. configuration p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

gitissuepost commented Jan 7, 2025

Describe the bug

While executing aws ec2 describe-instances, it results in
SSL validation failed for https://ec2.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

aws sso login is successful and aws s3 ls works fine. However, aws ec2 and aws sts result in a similar error. I haven't tried other commands yet as these basic commands are failing.

If I bypass SSL verification, it works fine, but without the no-verify-ssl flag, it fails.

Note: I had added the certificates to the same bundle that was used for SSO.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The command should return EC2 details even without the no-verify-ssl flag.

Current Behavior

SSL validation failed for https://ec2.eu-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

Reproduction Steps

set up env vars for HTTP_PROXY, HTTPS_PROXY, AWS_CA_BUNDLE
aws configure sso or aws sso login - Success
aws s3 ls - Success
aws ec2 describe-instances - Fails
aws sts get-caller-identity - Fails

Possible Solution

No response

Additional Information/Context

https://gist.github.com/gitissuepost/56ea901617a6168b6619d12f676a049e

CLI version used

2.22.25

Environment details (OS name and version, etc.)

Windows 10 22H2 Build#19045

@gitissuepost gitissuepost added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 7, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Jan 9, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK added configuration investigating This issue is being investigated and/or work is in progress to resolve the issue. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jan 9, 2025
@RyanFitzSimmonsAK
Contributor

Hey @gitissuepost, thanks for reaching out. Could you try running those commands while directly specifying --region and --ca-bundle?

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 9, 2025
@gitissuepost
Author

gitissuepost commented Jan 10, 2025

Hi @RyanFitzSimmonsAK - Upon launching https://ec2.eu-west-1.amazonaws.com/, it navigates to https://aws.amazon.com/EC2. I was generating the certificate chain from the final URL and using it for CA-BUNDLE. Is this approach correct?

Moreover, should it be a certificate chain or a single certificate? And how can I use a single CA bundle for all URLs, as the certificate for my SSO start URL is different? Trying to understand whether I can merge all certificates into one and use that as AWS_CA_BUNDLE to ensure my SSL will pass through this.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 10, 2025
@RyanFitzSimmonsAK
Contributor

This appears to be the result of your bundle being configured incorrectly. You should have all of your certifications in the bundle, including the default ones. You can either take your certificates and add them to the file we provide, or make a new bundle and include the default certificates.
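
The merge described in the comment above, as an added example (not the AWS CLI's own code and not posted by either participant): it concatenates the default bundle with extra CA certificates, keeps each certificate once, and drops non-certificate PEM blocks such as private keys. The function name and the sample PEM payloads are assumptions; the payloads are constructed placeholders, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def merge_ca_bundles(*pem_texts):
    """Return (merged_pem, skipped_labels) for the given PEM bundle texts."""
    seen, out, skipped = set(), [], []
    for text in pem_texts:
        for label, body in PEM_BLOCK.findall(text):
            if label != "CERTIFICATE":
                skipped.append(label)  # e.g. a private key: never ship it
                continue
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                raise ValueError("corrupt base64 in CERTIFICATE block") from None
            digest = hashlib.sha256(der).hexdigest()
            if digest in seen:  # same certificate already in the bundle
                continue
            seen.add(digest)
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                       + "\n-----END CERTIFICATE-----\n")
    return "".join(out), skipped


def sample_pem(label, payload):
    # Constructed sample data: the payload is NOT a real certificate or key.
    b64 = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Stand-in for the default bundle that ships with the CLI (constructed).
DEFAULT_BUNDLE = (sample_pem("CERTIFICATE", b"public-root-A")
                  + sample_pem("CERTIFICATE", b"public-root-B"))
# Stand-in for locally exported certificates (constructed).
CORPORATE_CAS = (sample_pem("CERTIFICATE", b"local-root")
                 + sample_pem("CERTIFICATE", b"public-root-A")  # duplicate
                 + sample_pem("PRIVATE KEY", b"must-not-ship"))
```

Write the merged text to a file and point AWS_CA_BUNDLE or --ca-bundle at it. A custom bundle is used instead of the default trust store rather than in addition to it, so a bundle holding only the locally exported certificates cannot verify endpoints whose chains end in a public root.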

@RyanFitzSimmonsAK RyanFitzSimmonsAK added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 13, 2025
@gitissuepost
Author

Hi @RyanFitzSimmonsAK - Thank you for the details. With the default certificate that ships along with AWSCLI, I think it is working. However, I would like to do a few checks and confirm here. I will close the ticket if the checks succeed.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 15, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 16, 2025
@gitissuepost
Author

@RyanFitzSimmonsAK - I am good to close this as the issue is resolved.
