ERROR: Test failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)


When I install s3cmd package on my FreeBSD system and try to use the s3cmd command I get the following error:
    ERROR: Test failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
How do I fix this problem on FreeBSD Unix system?

Amazon Simple Storage Service (S3) is object storage accessed through a web service interface or API. You can store all sorts of files in it. FreeBSD is a free and open-source operating system. s3cmd is a command-line utility for Unix-like systems that uploads and downloads files to and from the AWS S3 service.



ERROR: Test failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed error and solution

This error indicates that the required packages, especially the SSL root certificates, are not installed correctly, so Python cannot find a trusted issuer certificate for the S3 endpoint. Let us see how to install s3cmd correctly on FreeBSD and get rid of the problem.

How to install s3cmd on FreeBSD

Search for s3cmd package:
$ pkg search s3cmd
Execute the following command and make sure you install Python 3.x package as Python 2 will be removed after 2020:
$ sudo pkg install py37-s3cmd-2.1.0

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 8 package(s) will be affected (of 0 checked):
 
New packages to be INSTALLED:
	libffi: 3.2.1_3
	py37-dateutil: 2.8.1
	py37-magic: 5.38
	py37-s3cmd: 2.1.0
	py37-setuptools: 44.0.0
	py37-six: 1.14.0
	python37: 3.7.8
	readline: 8.0.4
 
Number of packages to be installed: 8
 
The process will require 118 MiB more space.
 
Proceed with this action? [y/N]: y
[rsnapshot] [1/8] Installing readline-8.0.4...
[rsnapshot] [1/8] Extracting readline-8.0.4: 100%
[rsnapshot] [2/8] Installing libffi-3.2.1_3...
....
..
[rsnapshot] [8/8] Extracting py37-s3cmd-2.1.0: 100%
=====
Message from python37-3.7.8:
 
--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:
 
py37-gdbm       databases/py-gdbm@py37
py37-sqlite3    databases/py-sqlite3@py37
py37-tkinter    x11-toolkits/py-tkinter@py37

FreeBSD install ca_root_nss package

Type the following pkg commands to install the root certificates and get rid of the “Test failed: [SSL: CERTIFICATE_VERIFY_FAILED]” error:
$ sudo pkg update
$ sudo pkg install ca_root_nss

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
 
New packages to be INSTALLED:
	ca_root_nss: 3.54
 
Number of packages to be installed: 1
 
285 KiB to be downloaded.
 
Proceed with this action? [y/N]: y
[rsnapshot] [1/1] Fetching ca_root_nss-3.54.txz: 100%  285 KiB 291.5kB/s    00:01    
Checking integrity... done (0 conflicting)
[rsnapshot] [1/1] Installing ca_root_nss-3.54...
[rsnapshot] [1/1] Extracting ca_root_nss-3.54: 100%
=====
Message from ca_root_nss-3.54:
 
--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
 
Assessment and verification of trust is the complete responsibility of the
system administrator.
 
 
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
 
This enables SSL Certificate Verification by client software without manual
intervention.
 
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
 
  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
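
To confirm the package did its job, this check (an added example, not part of the original article) classifies each of the three cert.pem paths named in the message above as missing, dangling, empty, without certificates, or holding N certificates. The function names are illustrative, and counting PEM headers is an assumed test for a usable bundle.

```sh
#!/bin/sh
# Added example: inspect the CA bundle paths listed in the ca_root_nss message.
# Function names are illustrative; the paths are the ones the package reports.
CA_PATHS="/etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem"

# Print the state of one bundle path and return 0 only if it is usable:
#   dangling - symlink whose target no longer exists
#   missing  - nothing at that path (ca_root_nss not installed)
#   empty    - zero-length file (the manual opt-out the message describes)
#   no-certs - file has content but no PEM certificate blocks
#   ok:N     - N PEM certificate blocks found
ca_bundle_state() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo dangling; return 1
    fi
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    if [ ! -s "$f" ]; then
        echo empty; return 1
    fi
    # grep -c exits non-zero on zero matches or read errors; treat both as 0.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null) || n=0
    if [ "$n" -eq 0 ]; then
        echo no-certs; return 1
    fi
    echo "ok:$n"
}

# Report every path given; succeed if at least one bundle is usable.
check_ca_paths() {
    usable=1
    for p in "$@"; do
        if state=$(ca_bundle_state "$p"); then usable=0; fi
        printf '%-32s %s\n' "$p" "$state"
    done
    return $usable
}

check_ca_paths $CA_PATHS || echo "no usable CA bundle found: install ca_root_nss"
```

An `empty` result is the manual opt-out the package message describes; a client that reads only that file then has no roots to verify against.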

Configure s3cmd

Run the following command:
$ s3cmd --configure
Make sure you enter correct values:

Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.
 
Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key : YOUR_AWS_KEY_HERE
Secret Key : YOUR_AWS_Secret_KEY_HERE
Default Region [US]: 
 
Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.
S3 Endpoint [s3.amazonaws.com]: 
 
Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be used
if the target S3 system supports dns based buckets.
DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]: 
 
Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: 
Path to GPG program: 
 
When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [Yes]: 
 
On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name: 
 
New settings:
  Access Key: YOUR_AWS_KEY_HERE
  Secret Key: YOUR_AWS_Secret_KEY_HERE
  Default Region: US
  S3 Endpoint: s3.amazonaws.com
  DNS-style bucket+hostname:port template for accessing a bucket: %(bucket)s.s3.amazonaws.com
  Encryption password: 
  Path to GPG program: None
  Use HTTPS protocol: True
  HTTP Proxy server name: 
  HTTP Proxy server port: 0
 
Test access with supplied credentials? [Y/n] Y
Please wait, attempting to list all buckets...
Success. Your access key and secret key worked fine :-)
 
Now verifying that encryption works...
Not configured. Never mind.

Test it

Run the following commands:
$ s3cmd ls
$ s3cmd sync /path/to/local/dir s3://bucket-name/file
$ s3cmd ls

[Figure: Testing s3cmd on my FreeBSD box/jail with HTTPS support enabled]

Conclusion

The “Test failed: [SSL: CERTIFICATE_VERIFY_FAILED]” error indicates that the CA root certificates and s3cmd were not installed correctly on the FreeBSD jail or server. Hence, we must install the correct packages. You also need the ca_root_nss package to avoid errors with the wget command on FreeBSD when using Let’s Encrypt and other TLS/SSL certificates.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

