Closed dduleep closed 8 years ago
rayluo
commented
8 years ago I haven't used AWS CLI on Windows Server 2007 32 bit yet. As a quick note here, AWS CLI uses the SSL library in the "hosting" system to do the job, so ideally you will like to keep your SSL up to date.
By the way, can you try adding --no-verify-ssl at your CLI to see whether it makes a difference?
dduleep
commented
8 years ago when i was run with --no-verify-ssl that gave to me as bellow error will i need to up to date all my current SSL certifications? or any special certification for AWS?
>aws s3 ls --no-verify-ssl --debug
2015-10-07 08:46:36,486 - MainThread - awscli.clidriver - DEBUG - CLI version: a
ws-cli/1.8.8 Python/2.7.9 Windows/2008Server, botocore version: 1.2.6
2015-10-07 08:46:36,486 - MainThread - awscli.clidriver - DEBUG - Arguments ente
red to CLI: ['s3', 'ls', '--no-verify-ssl', '--debug']
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event session-in
itialized: calling handler <function add_scalar_parsers at 0x030D57F0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event session-in
itialized: calling handler <function inject_assume_role_provider at 0x03098BB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event building-c
ommand-table.s3: calling handler <function add_waiters at 0x0309E1F0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.s3.anonymous: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event building-c
ommand-table.ls: calling handler <function add_waiters at 0x0309E1F0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.ls.paths: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.ls.summarize: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event process-cl
i-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthand object at 0x0
1A07270>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.ls.anonymous: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.ls.human-readable: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event process-cl
i-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthand object at 0x0
1A07270>
2015-10-07 08:46:36,486 - MainThread - botocore.hooks - DEBUG - Event load-cli-a
rg.custom.ls.page-size: calling handler <function uri_param at 0x02DACBB0>
2015-10-07 08:46:36,486 - MainThread - botocore.credentials - DEBUG - Looking fo
r credentials via: env
2015-10-07 08:46:36,486 - MainThread - botocore.credentials - DEBUG - Looking fo
r credentials via: assume-role
2015-10-07 08:46:36,486 - MainThread - botocore.credentials - DEBUG - Looking fo
r credentials via: shared-credentials-file
2015-10-07 08:46:36,486 - MainThread - botocore.credentials - INFO - Found crede
ntials in shared credentials file: ~/.aws/credentials
2015-10-07 08:46:36,516 - MainThread - botocore.client - DEBUG - Registering ret
ry handlers for service: s3
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event creating-c
lient-class.s3: calling handler <function add_generate_presigned_post at 0x02C11
970>
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event creating-c
lient-class.s3: calling handler <function add_generate_presigned_url at 0x02C052
70>
2015-10-07 08:46:36,516 - MainThread - botocore.endpoint - DEBUG - Setting s3 ti
meout as (60, 60)
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event before-par
ameter-build.s3.ListBuckets: calling handler <function validate_bucket_name at 0
x02C22B70>
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event before-cal
l.s3.ListBuckets: calling handler <function add_expect_header at 0x02C22D30>
2015-10-07 08:46:36,516 - MainThread - botocore.endpoint - DEBUG - Making reques
t for <botocore.model.OperationModel object at 0x03810530> (verify_ssl=False) wi
th params: {'body': '', 'url': u'https://s3-us-west-2.amazonaws.com/', 'headers'
: {'User-Agent': 'aws-cli/1.8.8 Python/2.7.9 Windows/2008Server'}, 'query_string
': '', 'url_path': u'/', 'method': u'GET'}
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event request-cr
eated.s3.ListBuckets: calling handler <bound method S3._sign_request of <botocor
e.client.S3 object at 0x03817270>>
2015-10-07 08:46:36,516 - MainThread - botocore.hooks - DEBUG - Event before-sig
n.s3.ListBuckets: calling handler <function fix_s3_host at 0x026C71F0>
2015-10-07 08:46:36,516 - MainThread - botocore.utils - DEBUG - Checking for DNS
compatible bucket for: https://s3-us-west-2.amazonaws.com/
2015-10-07 08:46:36,516 - MainThread - botocore.utils - DEBUG - Not changing URI
, bucket is not DNS compatible:
2015-10-07 08:46:36,516 - MainThread - botocore.auth - DEBUG - Calculating signa
ture using hmacv1 auth.
2015-10-07 08:46:36,516 - MainThread - botocore.auth - DEBUG - HTTP request meth
od: GET
2015-10-07 08:46:36,516 - MainThread - botocore.auth - DEBUG - StringToSign:
GET
Wed, 07 Oct 2015 05:46:36 GMT
/
2015-10-07 08:46:36,532 - MainThread - botocore.endpoint - DEBUG - Sending http
request: <PreparedRequest [GET]>
2015-10-07 08:46:36,532 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - INFO - Starting new HTTPS connection (1): s3-us-west-2.amazo
naws.com
C:\Program Files\Amazon\AWSCLI\.\botocore\vendored\requests\packages\urllib3\con
nectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being ma
de. Adding certificate verification is strongly advised. See: https://urllib3.re
adthedocs.org/en/latest/security.html
2015-10-07 08:46:38,641 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - DEBUG - "GET / HTTP/1.1" 302 660
2015-10-07 08:46:38,641 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - INFO - Starting new HTTP connection (1): qrlonpx1
2015-10-07 08:46:39,000 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - DEBUG - "GET /?cfru=aHR0cHM6Ly9zMy11cy13ZXN0LTIuYW1hem9uYXdz
LmNvbS8= HTTP/1.1" 401 849
2015-10-07 08:46:39,000 - MainThread - botocore.parsers - DEBUG - Response heade
rs: {'content-length': '849', 'proxy-connection': 'close', 'set-cookie': 'BCSI-C
S-74173be79368d156=2; Path=/', 'connection': 'close', 'pragma': 'no-cache', 'cac
he-control': 'no-cache', 'content-type': 'text/html; charset=utf-8', 'www-authen
ticate': 'NEGOTIATE, NTLM, BASIC realm="IWA_direct"'}
2015-10-07 08:46:39,000 - MainThread - botocore.parsers - DEBUG - Response body:
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Access Denied (authentication_failed)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Credentials are missing.". You wil
l not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could als
o be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
2015-10-07 08:46:39,016 - MainThread - awscli.clidriver - DEBUG - Exception caug
ht in main()
Traceback (most recent call last):
File "awscli\clidriver.pyc", line 183, in main
File "awscli\customizations\commands.pyc", line 190, in __call__
File "awscli\customizations\commands.pyc", line 187, in __call__
File "awscli\customizations\s3\subcommands.pyc", line 330, in _run_main
File "awscli\customizations\s3\subcommands.pyc", line 389, in _list_all_bucket
s
File "botocore\client.pyc", line 269, in _api_call
File "botocore\client.pyc", line 323, in _make_api_call
File "botocore\endpoint.pyc", line 111, in make_request
File "botocore\endpoint.pyc", line 138, in _send_request
File "botocore\endpoint.pyc", line 191, in _get_response
File "botocore\parsers.pyc", line 206, in parse
File "botocore\parsers.pyc", line 677, in _do_error_parse
File "botocore\parsers.pyc", line 696, in _parse_error_from_body
File "botocore\parsers.pyc", line 346, in _parse_xml_string_to_dom
ResponseParserError: Unable to parse response (mismatched tag: line 7, column 2)
, invalid XML received:
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Access Denied (authentication_failed)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Credentials are missing.". You wil
l not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could als
o be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
2015-10-07 08:46:39,032 - MainThread - awscli.clidriver - DEBUG - Exiting with r
c 255
Unable to parse response (mismatched tag: line 7, column 2), invalid XML receive
d:
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Access Denied (authentication_failed)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Credentials are missing.". You wil
l not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could als
o be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
HannahRKent
commented
8 years ago I don't know whether this is appropriate, but I have been having the same exact problem as of yesterday, after I updated AWSCLI to fix another bug, (This one https://github.com/aws/aws-cli/issues/800). The output is very much the same, including the output from typing --no-verify-ssl. I would be very happy to have a solution to this. The version information is aws-cli/1.8.12 Python/2.7.6 Linux/3.19.0-30-generic
rayluo
commented
8 years ago To summary, do you mean you try the following 2 different environments:
and still observe same [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581) behavior when running aws s3 ls, and same Unable to parse response (mismatched tag: line 7, column 2), invalid XML received: Access Denied behavior when running aws s3 ls --no-verify-ssl? We can probably try to follow your setup to reproduce this symptom.
The SSL: CERTIFICATE_VERIFY_FAILED error itself is tricky. I thought --no-verify-ssl would be a quick workaround, but your "Access Denied" error is surprising.
HannahRKent
commented
8 years ago I did not try the 1.8.8/Windows environment. I posted because I recently had this same problem while using aws-cli/1.8.12 Python/2.7.6 Linux/3.19.0-30-generic. The errors I got were astoundingly similar, including the access denied error, which occurred when I added "--no-verify-ssl."
This has NOT been happening on other servers that I use. I tested this on my coworkers' computers and on our ec2 servers (all of which have older versions) . The only thing I changed was that I ran an update to solve a different bug, and then I came in the next day and I could not access the bucket. My information is all correct, so I am completely baffled by the issue.
The version on our EC2 servers is:
aws-cli/1.6.5 Python/2.7.6 Linux/3.13.0-37-generic
So as you can see, it is much older than either my version or the version of the person who initially posted.
On Thu, Oct 8, 2015 at 11:31 PM, Ray Luo notifications@github.com wrote:
To summary, do you mean you try the following 2 different environments:
- aws-cli/1.8.8 Python/2.7.9 Windows/2008Server
- aws-cli/1.8.12 Python/2.7.6 Linux/3.19.0-30-generic
and still observe same [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581) behavior when running aws s3 ls, and same Unable to parse response (mismatched tag: line 7, column 2), invalid XML received: Access Denied behavior when running aws s3 ls --no-verify-ssl? We can probably try to follow your setup to reproduce this symptom.
The SSL: CERTIFICATE_VERIFY_FAILED error itself is tricky http://stackoverflow.com/questions/27835619/ssl-certificate-verify-failed-error. I thought --no-verify-ssl would be a quick workaround, but your "Access Denied" error is surprising.
— Reply to this email directly or view it on GitHub https://github.com/aws/aws-cli/issues/1545#issuecomment-146746405.
Hannah Scaer
HannahRKent
commented
8 years ago As a point of reference, I am not an original poster, just another person with the same issue.
JordonPhillips
commented
8 years ago I'm having difficulty reproducing, and nothing in the logs is immediately obvious. I've tried the following:
aws-cli/1.8.12 Python/2.7.9 Windows/2008Serveraws-cli/1.8.12 Python/2.7.6 Linux/3.13.0-48-generic (Ubuntu 14.04)aws-cli/1.8.12 Python/2.7.10 Linux/4.1.7-15.23.amzn1.x86_64 (Amazon Linux 2015.09)aws-cli/1.8.12 Python/2.7.10 Darwin/14.5.0 (OSX 10.10.5)Are there any special configurations you have on your servers / buckets? @Hrosek how do you configure your aws credentials? I doubt it has anything to do with it, but there's always a chance.
kramimus
commented
8 years ago Not sure this helps, but I just hit this issue on ubuntu 15.04, never had a problem before now on my system.
I installed the same version of awscli (1.8.12) in a new virtualenv and the SSL cert error went away and all works as expected again.
EDIT: sorry, I just realized the old venv was using python 2.7.8 and the new one is 2.7.9, so that is probably it in my case.
jamesls
commented
8 years ago @Hrosek something looks off in your debug log. First I see:
2015-10-07 08:46:36,532 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - INFO - Starting new HTTPS connection (1): s3-us-west-2.amazo
naws.comWhich is what's suppose to happen. But then right after I see:
2015-10-07 08:46:38,641 - MainThread - botocore.vendored.requests.packages.urlli
b3.connectionpool - INFO - Starting new HTTP connection (1): qrlonpx1It looks like you are trying to connect to some other endpoint besides S3. Are you sure that there's not a proxy configured somewhere that's redirecting you to that endpoint?
kramimus
commented
8 years ago The problem has resumed for me today, no changes from my system really since it started working yesterday. I am using ubuntu 15.04, python 2.7.9. The error is similar to what I saw yesterday before I setup the new venv:
$ aws --debug s3 ls s3://1000genomes/
2015-10-14 14:27:14,210 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.8.12 Python/2.7.9 Linux/3.19.0-30-generic, botocore version: 1.2.10
2015-10-14 14:27:14,210 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--debug', 's3', 'ls', 's3://1000genomes/']
2015-10-14 14:27:14,210 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7f15387ce230>
2015-10-14 14:27:14,210 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider at 0x7f1538a04848>
2015-10-14 14:27:14,211 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x7f1538a0f668>
2015-10-14 14:27:14,212 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.s3.anonymous: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,212 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ls: calling handler <function add_waiters at 0x7f1538a0f668>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthand object at 0x7f15387db510>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,213 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthand object at 0x7f15387db510>
2015-10-14 14:27:14,214 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <function uri_param at 0x7f1538b9ab90>
2015-10-14 14:27:14,214 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2015-10-14 14:27:14,214 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2015-10-14 14:27:14,214 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2015-10-14 14:27:14,215 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2015-10-14 14:27:14,248 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: s3
2015-10-14 14:27:14,251 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x7f1538f59c08>
2015-10-14 14:27:14,251 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x7f1538f43b90>
2015-10-14 14:27:14,255 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2015-10-14 14:27:14,256 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListObjects: calling handler <function validate_bucket_name at 0x7f1538f72140>
2015-10-14 14:27:14,257 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListObjects: calling handler <function add_expect_header at 0x7f1538f72488>
2015-10-14 14:27:14,257 - MainThread - botocore.endpoint - DEBUG - Making request for <botocore.model.OperationModel object at 0x7f1538202550> (verify_ssl=True) with params: {'body': '', 'url': u'https://s3.amazonaws.com/1000genomes?prefix=&delimiter=%2F', 'headers': {'User-Agent': 'aws-cli/1.8.12 Python/2.7.9 Linux/3.19.0-30-generic'}, 'query_string': {u'prefix': u'', u'delimiter': '/'}, 'url_path': u'/1000genomes', 'method': u'GET'}
2015-10-14 14:27:14,257 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.ListObjects: calling handler <bound method S3._sign_request of <botocore.client.S3 object at 0x7f1538210250>>
2015-10-14 14:27:14,257 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.ListObjects: calling handler <function fix_s3_host at 0x7f1538ffc668>
2015-10-14 14:27:14,257 - MainThread - botocore.utils - DEBUG - Checking for DNS compatible bucket for: https://s3.amazonaws.com/1000genomes?prefix=&delimiter=%2F
2015-10-14 14:27:14,257 - MainThread - botocore.utils - DEBUG - URI updated to: https://1000genomes.s3.amazonaws.com?prefix=&delimiter=%2F
2015-10-14 14:27:14,258 - MainThread - botocore.auth - DEBUG - Calculating signature using hmacv1 auth.
2015-10-14 14:27:14,258 - MainThread - botocore.auth - DEBUG - HTTP request method: GET
2015-10-14 14:27:14,258 - MainThread - botocore.auth - DEBUG - StringToSign:
GET
Wed, 14 Oct 2015 21:27:14 GMT
/1000genomes/
2015-10-14 14:27:14,260 - MainThread - botocore.endpoint - DEBUG - Sending http request: <PreparedRequest [GET]>
2015-10-14 14:27:14,261 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1): 1000genomes.s3.amazonaws.com
2015-10-14 14:27:14,442 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListObjects: calling handler <botocore.retryhandler.RetryHandler object at 0x7f1538482f90>
2015-10-14 14:27:14,443 - MainThread - botocore.retryhandler - DEBUG - retry needed, retryable exception caught: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Traceback (most recent call last):
File "/home/mark/.virtualenvs/web/local/lib/python2.7/site-packages/botocore/retryhandler.py", line 265, in _should_retry
return self._checker(attempt_number, response, caught_exception)
File "/home/mark/.virtualenvs/web/local/lib/python2.7/site-packages/botocore/retryhandler.py", line 313, in __call__
caught_exception)
File "/home/mark/.virtualenvs/web/local/lib/python2.7/site-packages/botocore/retryhandler.py", line 222, in __call__
return self._check_caught_exception(attempt_number, caught_exception)
File "/home/mark/.virtualenvs/web/local/lib/python2.7/site-packages/botocore/retryhandler.py", line 355, in _check_caught_exception
raise caught_exception
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
2015-10-14 14:27:14,443 - MainThread - botocore.retryhandler - DEBUG - Retry needed, action of: 0.696248197359
2015-10-14 14:27:14,443 - MainThread - botocore.endpoint - DEBUG - Response received to retry, sleeping for 0.696248197359 seconds...
jamesls
commented
8 years ago @kramimus It may have to do with how you have your SSL cert bundle configured. I'd check:
1) Do you have the AWS_CA_BUNDLE env var set?
2) Do you have certifi installed in your python env? (pip list | grep certifi)
kramimus
commented
8 years ago $ echo $AWS_CA_BUNDLE
$ export | grep AWS_CA_BUNDLE
$ pip list | grep certifi
certifi (2015.9.6.2)@kramimus Ahh that's probably it then. See https://github.com/aws/aws-cli/issues/1499 for more info, and the suggestion on downgrading certifi here: https://github.com/aws/aws-cli/issues/1499#issuecomment-141552339
kramimus
commented
8 years ago Ah, I see, I must have a dependency that pulls certifi in then. Thanks, I just removed certifi for now and it all works.
jamesls
commented
8 years ago Excellent, glad you were able to get it working.
nikhilGitrepo
commented
5 years ago @kramimus If AWS_CA_BUNDLE is not set then,
openssl s_client -connect ec2.us-east-2.amazonaws.com:443 -showcertsanyname.cerAWS_CA_BUNDLE=<path_to_CER_file>/anyname.cer to environment vars or add with export line in .bash_profile like --> export AWS_CA_BUNDLE=<path_to_CER_file>/anyname.cersource .bash_profile if you are adding in .bash_profileaws ec2 describe-subnet or aws s3 ls
shubhamsawantsjsu
commented
5 years ago I have got the solution for this.
Don't install boto3 using pip/pip3.
Use following steps::
$ git clone https://github.com/boto/boto3.git $ cd boto3 $ virtualenv venv ... $ . venv/bin/activate $ pip install -r requirements.txt $ pip install -e .
It worked for me. Initially I was facing the same SSL Validation Exception problem. Then I uninstalled the boto3 (pip3 uninstall boto3) and re-installed it using virtualenv as stated above. Now, it is working fine.
kemalty
commented
4 years ago I was able to fix this issue by just upgrading the certifi library to: certifi==2020.4.5.1
ruairinewman
commented
4 years ago [ruairinewman@MBP ~ ][13:08] $ aws s3 ls
SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)
[ruairinewman@RuairíNewman-2018MacBookPro ~ ][13:08] $ sudo -EH pip3 install certifi --upgrade
Password:
Requirement already up-to-date: certifi in /usr/local/lib/python3.7/site-packages (2020.4.5.1)
[ruairinewman@MBP ~ ][13:08] $certifi==2020.4.5.1 hasn't worked for me
ghost
commented
4 years ago Hmm, Interesting, I also have struck this error 3 days ago. (Still persisting). Win10, I am thinking becuase ruairinewman and I have no other relationship than this forum, that, it might be some Windows upgrade my people have put onto my corporate machine. NOTE: use AWS CLI. aws-cli/2.0.3 Python/3.7.5 Windows/10 botocore/2.0.0dev7
I was unable to fix this issue by just upgrading the certifi library to: certifi==2020.4.5.1
I will give BOTO3 in Python a go. "No, that didn't work for me".
Going to try BOTO3 from Github Clone as per above. Sorry all, this didn't work for me.
ViralAgency
commented
4 years ago Hi, i am a MAC user (Mojave). I have the same error.
When i launch:
repo init <repository url>I get this error:
Downloading Repo source from https://gerrit.googlesource.com/git-repo
fatal: Cannot get https://gerrit.googlesource.com/git-repo/clone.bundle
fatal: error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
fatal: cloning the git-repo repository failed, will remove '.repo/repo'The problem seems due to Python 3.6 on MacOS that comes with its own private copy of OpenSSL. That means the trust certificates in the system are no longer used as defaults by the Python ssl module. To fix that, you need to install a certifi package in your system.
Solved with:
open /Applications/Python\ 3.6/Install\ Certificates.command
avi95022
commented
3 years ago I am still facing the Same Mentioned above error. when is am tryiny to push something to S3 even ls command is not working. Can any one brief be the step to get it work. if i use --no-verify-ssl it works fine .
aws-cli/2.0.35 Python/3.7.7 Windows/10 botocore/2.0.0dev39
SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
dusansusic
commented
3 years ago This just happened to me, too.
I used Python Buster image as a base image. I installed system ca-certificates package and ran ca-certificates. This solved an issue.
avi95022
commented
3 years ago I am still facing the Same Mentioned above error. when is am tryiny to push something to S3 even ls command is not working. Can any one brief be the step to get it work. if i use --no-verify-ssl it works fine .
aws-cli/2.0.35 Python/3.7.7 Windows/10 botocore/2.0.0dev39
SSL validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
@shubhamsawantsjsu can you comment on this
alfonzjanfrithz
commented
3 years ago What was in my case is that i was behind company firewall, so what i needed to do is to get aws cli recognize the cert.
# I have to install the requests package to know where is the requests certs located
# pip3 --cert <your_path_to_your_cert> install requests
python3 -c "import requests; print(requests.certs.where())"
# you will get the path of the pem, and append the cert for the firewall to that file listed from the previous command
melt7777
commented
3 years ago worked on macos catalina:
openssl s_client -connect ec2.us-east-2.amazonaws.com:443 -showcerts
# save the cert portion to a file aws.cer
cat aws.cer >> /usr/local/lib/python3.9/site-packages/certifi/cacert.pem
I install AWS CLI on the Windows server 2007 32bit.
aws --version aws-cli/1.8.8 Python/2.7.9 Windows/2008Server I configure aws cli using keys
Once i run bellow command for test the AWS S3, that gave SSL error as bellow
aws s3 ls [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
-----------------------------------debug log-------------------------------------------------