Eucalyptus Version: 4.2.0 and Higher
Certificate Failed to Verify Error With AWS CLI
When AWS CLI is used against Eucalyptus 4.2.0 with the service endpoints configured for HTTPS, the following error can be displayed:
# aws --endpoint-url https://ec2.c-06.autoqa.qa1.eucalyptus-systems.com/ ec2 describe-key-pairs --profile devops-admin
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The reason for this error is that the CA bundle for the trusted root certificate is not being loaded by AWS CLI.
The issue can be resolved using any one of the following methods:
- Pass the trusted CA root certificate using the --ca-bundle option.
- In the .aws/config file, set the variable ca_bundle to the absolute path of the trusted CA root certificate.
- Set the environment variable AWS_CA_BUNDLE to the absolute path of the trusted CA root certificate.
Once any one of these options has been used, AWS CLI will work as expected against Eucalyptus HTTPS service endpoints. For example:
# aws --ca-bundle euca-ca-0.crt --endpoint-url https://ec2.c-06.autoqa.qa1.eucalyptus-systems.com/ ec2 describe-key-pairs --profile devops-admin
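If the error persists after applying one of the methods, it helps to confirm which setting AWS CLI is actually picking up and that the file it points to is usable. The following is an added example, not part of the original article or of Eucalyptus or AWS CLI: the function names are hypothetical, and the lookup order (--ca-bundle, then AWS_CA_BUNDLE, then ca_bundle in the config file) is assumed from the AWS CLI documentation.

```python
import configparser
import os
from pathlib import Path

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def resolve_ca_bundle(profile, cli_value=None, env=None, config_path=None):
    """Return (source, path) for the CA bundle AWS CLI would pick up.

    Assumed precedence: --ca-bundle, then AWS_CA_BUNDLE, then the
    ca_bundle setting of the profile in the config file.
    """
    env = os.environ if env is None else env
    if cli_value:
        return "--ca-bundle", cli_value
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    config_path = Path(config_path or Path.home() / ".aws" / "config")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_path)
    # Named profiles live under "[profile NAME]"; the default is "[default]".
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_option(section, "ca_bundle"):
        return "ca_bundle", parser.get(section, "ca_bundle")
    return None, None


def check_ca_bundle(source, path):
    """Return a list of problems that would leave verification failing."""
    if path is None:
        return ["no CA bundle configured; the Eucalyptus root CA is not loaded"]
    problems = []
    bundle = Path(path)
    # The article asks for an absolute path in the config file and env var.
    if source != "--ca-bundle" and not bundle.is_absolute():
        problems.append(f"{source} is not an absolute path: {path}")
    if not bundle.is_file():
        problems.append(f"file not found: {path}")
    elif PEM_MARKER not in bundle.read_text(errors="replace"):
        problems.append(f"no PEM certificate found in {path}")
    return problems


if __name__ == "__main__":
    # Profile name taken from the article's example command.
    src, path = resolve_ca_bundle("devops-admin")
    print(src, path, check_ca_bundle(src, path))
```

An empty problem list means the bundle is configured and readable as PEM; it does not prove that the certificate in it is the one that signed the endpoint's certificate.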