AWS CLI Error with Eucalyptus HTTPS Service Endpoints (UFS)


Eucalyptus Version:  4.2.0 and Higher

Certificate Failed to Verify Error With AWS CLI 


When a user runs AWS CLI against Eucalyptus 4.2.0 where the service endpoints have been configured for HTTPS [1], the following error may be displayed:

# aws --endpoint-url ec2 describe-key-pairs --profile devops-admin
[Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


This error occurs because AWS CLI is not loading the CA bundle that contains the trusted root certificate, so it cannot verify the certificate presented by the HTTPS endpoint.


The issue can be resolved using any one of the following methods:

  1. Pass the trusted CA root certificate using the --ca-bundle command-line argument.
  2. In the .aws/config file, set the variable ca_bundle to the absolute path of the trusted CA root certificate.
  3. Set the environment variable AWS_CA_BUNDLE to the absolute path of the trusted CA root certificate.

Once any one of these options has been used, AWS CLI will work as expected against Eucalyptus HTTPS service endpoints. For example:

# aws --ca-bundle euca-ca-0.crt --endpoint-url ec2 describe-key-pairs --profile devops-admin
{
    "KeyPairs": [
        {
            "KeyName": "devops-admin",
            "KeyFingerprint": "ee:4f:93:a8:87:8d:80:8d:2c:d6:d5:60:20:a3:2d:b2"
        }
    ]
}

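Added example, not part of the original article or of AWS CLI: a preflight check for the three methods listed above. It reports which setting takes effect (assuming AWS CLI's documented precedence: command-line option, then environment variable, then config file) and flags a relative path, a missing file, or a file with no PEM certificate. The function names are hypothetical, and the PEM check only looks for the certificate marker; it does not validate the chain.

```python
import configparser
import os

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def resolve_ca_bundle(cli_arg=None, env=None, config_path="~/.aws/config",
                      profile="default"):
    """Return (source, path) of the CA bundle setting that takes effect.

    Assumed precedence, highest first: --ca-bundle, AWS_CA_BUNDLE, ca_bundle.
    """
    env = os.environ if env is None else env
    if cli_arg:
        return "--ca-bundle", cli_arg
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.expanduser(config_path))  # a missing file is skipped
    # .aws/config names its sections "[default]" or "[profile <name>]".
    section = "default" if profile == "default" else "profile " + profile
    if cfg.has_option(section, "ca_bundle"):
        return "ca_bundle", cfg.get(section, "ca_bundle")
    return None, None


def check_ca_bundle(source, path):
    """Return a list of problems with the resolved setting (empty = none found)."""
    if path is None:
        return ["no CA bundle configured by any of the three methods"]
    problems = []
    # The article asks for an absolute path in the config file and the env var.
    if source != "--ca-bundle" and not os.path.isabs(path):
        problems.append(f"{source} should be an absolute path: {path}")
    if not os.path.isfile(path):
        problems.append(f"file not found: {path}")
    else:
        with open(path, errors="replace") as fh:
            if PEM_MARKER not in fh.read():
                problems.append(f"no PEM certificate found in {path}")
    return problems


if __name__ == "__main__":
    # Profile name taken from the article's example command.
    src, ca = resolve_ca_bundle(profile="devops-admin")
    print("effective setting:", src, ca)
    for problem in check_ca_bundle(src, ca) or ["ok"]:
        print(" -", problem)
```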


