ERROR: Test failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
How do I fix this problem on a FreeBSD Unix system?
Amazon Simple Storage Service (S3) is object storage accessed through a web service interface or API. You can store all sorts of files. FreeBSD is a free and open-source operating system. s3cmd is a command-line utility for Unix-like systems that uploads files to and downloads files from the AWS S3 service.
ERROR: Test failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed error and solution
This error indicates that the required packages are not installed correctly, in particular the SSL root certificates. Let us see how to install s3cmd correctly on FreeBSD and get rid of the problem.
How to install s3cmd on FreeBSD
Search for the s3cmd package:
$ pkg search s3cmd
Run the following command. Make sure you install the Python 3.x package, as Python 2 will be removed after 2020:
$ sudo pkg install py37-s3cmd-2.1.0
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 8 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
    libffi: 3.2.1_3
    py37-dateutil: 2.8.1
    py37-magic: 5.38
    py37-s3cmd: 2.1.0
    py37-setuptools: 44.0.0
    py37-six: 1.14.0
    python37: 3.7.8
    readline: 8.0.4
Number of packages to be installed: 8
The process will require 118 MiB more space.
Proceed with this action? [y/N]: y
[rsnapshot] [1/8] Installing readline-8.0.4...
[rsnapshot] [1/8] Extracting readline-8.0.4: 100%
[rsnapshot] [2/8] Installing libffi-3.2.1_3...
....
..
[rsnapshot] [8/8] Extracting py37-s3cmd-2.1.0: 100%
=====
Message from python37-3.7.8:
--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:
    py37-gdbm databases/py-gdbm@py37
    py37-sqlite3 databases/py-sqlite3@py37
    py37-tkinter x11-toolkits/py-tkinter@py37
FreeBSD install ca_root_nss package
Type the following pkg commands to install the root certificates and get rid of the “Test failed: [SSL: CERTIFICATE_VERIFY_FAILED]” error:
$ sudo pkg update
$ sudo pkg install ca_root_nss
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
    ca_root_nss: 3.54
Number of packages to be installed: 1
285 KiB to be downloaded.
Proceed with this action? [y/N]: y
[rsnapshot] [1/1] Fetching ca_root_nss-3.54.txz: 100% 285 KiB 291.5kB/s 00:01
Checking integrity... done (0 conflicting)
[rsnapshot] [1/1] Installing ca_root_nss-3.54...
[rsnapshot] [1/1] Extracting ca_root_nss-3.54: 100%
=====
Message from ca_root_nss-3.54:
--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
    * /etc/ssl/cert.pem
    * /usr/local/etc/ssl/cert.pem
    * /usr/local/openssl/cert.pem
Run the following command:
$ s3cmd --configure
Make sure you enter the correct values:
Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key : YOUR_AWS_KEY_HERE
Secret Key : YOUR_AWS_Secret_KEY_HERE
Default Region [US]:

Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.
S3 Endpoint [s3.amazonaws.com]:

Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be used
if the target S3 system supports dns based buckets.
DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]:

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password:
Path to GPG program:

When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [Yes]:

On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name:

New settings:
    Access Key: YOUR_AWS_KEY_HERE
    Secret Key: YOUR_AWS_Secret_KEY_HERE
    Default Region: US
    S3 Endpoint: s3.amazonaws.com
    DNS-style bucket+hostname:port template for accessing a bucket: %(bucket)s.s3.amazonaws.com
    Encryption password:
    Path to GPG program: None
    Use HTTPS protocol: True
    HTTP Proxy server name:
    HTTP Proxy server port: 0

Test access with supplied credentials? [Y/n] Y
Please wait, attempting to list all buckets...
Success. Your access key and secret key worked fine :-)

Now verifying that encryption works...
Not configured. Never mind.
Run the following commands:
$ s3cmd ls
$ s3cmd sync /path/to/local/dir s3://bucket-name/file
$ s3cmd ls
The “Test failed: [SSL: CERTIFICATE_VERIFY_FAILED]” error indicates that the CA root certificates and s3cmd were not installed correctly on the FreeBSD jail or server. Hence, we must install the correct packages. You also need the ca_root_nss package to avoid errors with the wget command on FreeBSD when using Let’s Encrypt and other TLS/SSL certificates.
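The ca_root_nss message above names three bundle locations, and certificate verification fails again whenever the one in use is missing, empty or a dangling symlink. The following audit script is an added example, not part of the original article; the function names and the ROOT prefix argument are hypothetical, and check_ssl_certificate is the s3cmd configuration key that controls certificate checking.

```sh
#!/bin/sh
# Added example (not from the original article). Locations are the three
# symlinks named in the ca_root_nss install message; ROOT is a hypothetical
# prefix used only so the checks can be tried against a scratch directory.
CA_PATHS="/etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem"

# Print one status word for a bundle path:
#   missing | dangling | empty | no-certs | ok:<number of certificates>
ca_bundle_status() {
    f="$1"
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "dangling"      # symlink exists but its target is gone
    elif [ ! -e "$f" ]; then
        echo "missing"       # ca_root_nss (or a local bundle) not installed
    elif [ ! -s "$f" ]; then
        echo "empty"         # empty file: no CA is trusted, verification fails
    else
        # grep -c exits 1 on zero matches, so keep the exit status neutral
        n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "${n:-0}" -gt 0 ]; then echo "ok:$n"; else echo "no-certs"; fi
    fi
}

# Report every location under ROOT; succeed only if at least one is usable.
audit_ca_bundles() {
    root="${1:-}"
    usable=0
    for p in $CA_PATHS; do
        s=$(ca_bundle_status "$root$p")
        printf '%-32s %s\n' "$p" "$s"
        case "$s" in ok:*) usable=$((usable + 1)) ;; esac
    done
    [ "$usable" -gt 0 ]
}

# Succeed if an s3cmd config file switches certificate checking off, which
# hides this error instead of fixing it.
s3cfg_disables_verify() {
    grep -Eiq '^[[:space:]]*check_ssl_certificate[[:space:]]*=[[:space:]]*(false|no|off|0)[[:space:]]*$' "$1"
}

# Live use: audit_ca_bundles ""  and  s3cfg_disables_verify "$HOME/.s3cfg"
```

To see which file Python itself consults, run python3.7 -c 'import ssl; print(ssl.get_default_verify_paths())' and compare its cafile field with the audit output.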