Fixing AWS CLI SSL Validation Errors with Self-Signed or Internal CA Certificates
When working with the AWS CLI and custom S3-compatible endpoints (such as ONTAP or MinIO), you might run into SSL validation issues, especially if the endpoint uses a self-signed certificate or one issued by an internal Certificate Authority (CA).
Let’s walk through a common scenario and how to fix it.
❗ The Problem
You run an AWS CLI command against the custom endpoint and see this warning:
C:\Program Files\Amazon\AWSCLI\runtime\Lib\site-packages\urllib3\connectionpool.py:1097:
InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.domain.com'.
Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
warnings.warn(
Or worse, you get an SSL validation failure:
SSL validation failed for https://s3.domain.com [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
✅ The Solution
1. Install certifi to Update Public CA Certificates
Open a terminal and run:
You should see output like:
Successfully installed certifi-2025.10.5
This updates the CA bundle used by Python to include the latest public root certificates.
2. Still Seeing Errors? Install pip-system-certs
If your organization uses internal CAs (e.g., corporate root certificates), you’ll need to make Python trust the Windows certificate store:
This package bridges Python’s SSL verification with Windows’ trusted root certificates.
Output should confirm:
Successfully installed pip-system-certs-5.2
🔒 Why This Matters
Using --no-verify-ssl disables certificate validation, which is insecure and should only be used for testing. The above steps help you:
- Avoid insecure warnings
- Ensure proper SSL validation
- Maintain secure communication with your S3-compatible storage
🧠 Pro Tip
If you're managing multiple environments or endpoints, consider creating separate AWS CLI profiles and configuring certificate paths explicitly using the AWS_CA_BUNDLE environment variable.
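To see the failure and the fix end to end, here is an added bash/openssl lab (example code, not part of the original post): it creates a throwaway internal CA and an endpoint certificate for s3.domain.com, reproduces the "unable to get local issuer certificate" failure against a bundle that does not contain that CA, then merges the internal root with certifi's public roots and prints the AWS_CA_BUNDLE and per-profile ca_bundle settings from the Pro Tip. It assumes openssl on PATH (Linux, macOS, or Git Bash on Windows); python3 with certifi is optional. The CA names, file paths and the profile name are constructed for the lab.

```shell
#!/usr/bin/env bash
# Added lab example (not code from the original post). It reproduces the
# "unable to get local issuer certificate" failure with a throwaway internal CA,
# then builds a CA bundle that fixes it and shows the AWS CLI settings to use.
# Assumes: bash and openssl on PATH; python3 with certifi is optional.
# Names (Example Internal Root CA, file paths, profile name) are constructed;
# s3.domain.com is the endpoint host from the post.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Two roots: the "internal" CA that really issued the endpoint cert, and an
# unrelated one standing in for a bundle that contains only public roots.
make_lab_pki() {
  [ -f "$WORK/server.pem" ] && return 0   # already generated
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/internal_ca.key" -out "$WORK/internal_ca.pem" 2>/dev/null
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Public Root (stand-in)" \
    -keyout "$WORK/public_only.key" -out "$WORK/public_only.pem" 2>/dev/null
  # Endpoint certificate issued by the internal CA. The SAN matters: urllib3 and
  # botocore match the hostname against subjectAltName, not the CN.
  openssl req -new -batch -newkey rsa:2048 -nodes \
    -subj "/CN=s3.domain.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:s3.domain.com\n' > "$WORK/server.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/internal_ca.pem" -CAkey "$WORK/internal_ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Verify the endpoint certificate against exactly one CA file (default system
# stores excluded, so the verdict depends only on that file). Prints openssl's
# verdict; exit status is 0 on success and non-zero on the failure the CLI
# reports as CERTIFICATE_VERIFY_FAILED.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/server.pem" 2>&1
}

# Build the bundle the CLI should trust: certifi's public roots (when a python3
# with certifi is available) followed by the internal root. Prints the path.
build_bundle() {
  : > "$WORK/bundle.pem"
  if public="$(python3 -c 'import certifi; print(certifi.where())' 2>/dev/null)"; then
    cat "$public" >> "$WORK/bundle.pem"
  fi
  cat "$WORK/internal_ca.pem" >> "$WORK/bundle.pem"
  echo "$WORK/bundle.pem"
}

# Number of certificates in a PEM file (sanity check on the merged bundle).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# How to hand the bundle to the AWS CLI: the environment variable for one
# session, or a per-profile ca_bundle in ~/.aws/config for several endpoints.
print_cli_settings() {
  cat <<EOF
export AWS_CA_BUNDLE="$1"    # bash; in PowerShell: \$env:AWS_CA_BUNDLE = "$1"

# ~/.aws/config (profile name is a constructed example)
[profile ontap-lab]
endpoint_url = https://s3.domain.com
ca_bundle = $1
EOF
}

main() {
  make_lab_pki
  echo "--- public-only bundle (reproduces the error from the post) ---"
  verify_against "$WORK/public_only.pem" || true
  bundle="$(build_bundle)"
  echo "--- merged bundle ($(count_certs "$bundle") certificates) ---"
  verify_against "$bundle"
  print_cli_settings "$bundle"
}

main
```

Two points worth keeping in mind when you apply this to the real CLI. The runtime path in the warning above (C:\Program Files\Amazon\AWSCLI\runtime) shows the CLI running on its own bundled interpreter, so packages installed into another Python may not be the ones it loads; an explicit bundle handed over through AWS_CA_BUNDLE or ca_bundle works regardless of which interpreter received certifi or pip-system-certs. And treat the merged bundle file as security-sensitive: anyone who can write to it can add a root that your CLI will trust, so keep it owned by you and not world-writable.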