
botocore.exceptions.SSLError: SSL validation failed on Windows

The below code is for getting the regions.

import boto3
ec2 = boto3.client('ec2', 'region-name')
print(ec2.describe_regions())

On executing this code on my machine, I'm getting this error.

botocore.exceptions.SSLError: SSL validation failed for https://ec2.region-name.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

I am running this code on a Windows 10 machine with VS Code as my editor. I looked at other answers, which required installing the Install Certificates.command file. However, it looks like it is found on macOS only.

Can someone tell me the reason for this issue as well?

Also, last week I got a notification from AWS that they are updating all their AWS FIPS endpoints to TLS 1.2 and hence I need to connect to TLS version 1.2 FIPS endpoints. I checked my TLS version here. It says I have TLS version 1.2. Is there anything related to this? Because prior to this notification, my script was running perfectly.

Please, can someone tell me the reason for this error and a possible correction? Also, correct me if I mentioned something wrong in my understanding.

shreyaskar asked Aug 24 '20 08:08


2 Answers

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate occurs because the Python ssl library can't find certificates on your local machine to verify against.

One way to debug is to see if you have your ca_bundle set to something else:

python -c "from botocore.session import Session; print(Session().get_config_variable('ca_bundle'))"

If it doesn't print anything, then it uses the default path. You can check the default path with:

python -c "import ssl; print(ssl.get_default_verify_paths())"

If ca_bundle prints something, then it was set by the AWS_CA_BUNDLE environment variable or by aws configure set default.ca_bundle <some path> in the past. Also check ~/.aws/config in case you are accidentally setting it there (config file location for Windows: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

Install Certificates.command is basically a Python script that you can run yourself: https://gist.github.com/marschhuynh/31c9375fc34a3e20c2d3b9eb8131d8f3 . Save it as install-cert.py and run it: python install-cert.py

cakraww answered Oct 23 '22 05:10
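
The ca_bundle checks described in the answer above can be done in one pass; this is an added example, not part of the original answer. The helper names `find_override` and `check_bundle`, the lookup order (AWS_CA_BUNDLE before the config file) and the contents of `SAMPLE_CONFIG` are assumptions made for illustration, and only the standard library is used.

```python
import configparser
import os
import ssl
import tempfile

# Constructed sample of a ~/.aws/config file that pins a CA bundle.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
ca_bundle = C:\\certs\\corp-proxy-root.pem

[profile audit]
region = eu-west-1
"""


def find_override(env, config_text, profile="default"):
    """Return (source, path) for a ca_bundle override, or (None, None)."""
    # Assumed lookup order: AWS_CA_BUNDLE first, then the profile's ca_bundle.
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    parser = configparser.RawConfigParser()  # raw: no % interpolation in paths
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_option(section, "ca_bundle"):
        return f"config [{section}]", parser.get(section, "ca_bundle")
    return None, None


def check_bundle(path):
    """Return (ok, detail): does `path` load as a PEM CA bundle?"""
    if not os.path.isfile(path):
        return False, "file does not exist"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        return False, f"not a usable PEM bundle: {exc}"
    count = len(ctx.get_ca_certs())
    return count > 0, f"{count} CA certificate(s) loaded"


if __name__ == "__main__":
    source, path = find_override(dict(os.environ), SAMPLE_CONFIG)
    print("override:", source, path)
    print("bundle check:", check_bundle(path) if path else "no override set")
    # A file with no certificates in it fails the check, as a stale path would.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write("not a certificate\n")
    print("empty bundle:", check_bundle(fh.name))
    os.unlink(fh.name)
```

To check a real machine, pass the text of the actual config file instead of `SAMPLE_CONFIG`. An override that points at a missing or empty file is a misconfiguration worth fixing at the source rather than working around.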


This question has already been answered on Stack Overflow before.

Try out the following solutions:

  • Reset AWS Credentials using AWS Configure
  • Issue Due to Fiddler
  • Reset HTTP/HTTPS Proxy Related Environment Variables
  • Reinstall and Upgrade AWS CLI
  • Using AWS_CA_BUNDLE Environment Variable
  • Moving CA Certificate PEM File in the Right Folder
  • Verifying CA Certificate
  • Install certifi Python Module
  • Install pyopenssl Python Module
  • Adding Trusted Root CA Details
  • Adding Trusted Host
  • Fixing the Version of requests and urllib3 Python Modules
  • Fixing CA Certificate Content and Location

Note: There is another solution related to disabling the SSL verification but that is not recommended.

Abdullah Khawer answered Oct 23 '22 05:10