ERR_UNABLE_TO_GET_ISSUER_CERT error (and workaround detailed below) #7942

Closed
devops-corgi opened this issue Jun 1, 2023 · 20 comments

Comments

@devops-corgi

devops-corgi commented Jun 1, 2023

Describe the bug

Hey everyone! Recently installed AWS CLI on a new laptop. Then, after installing a pip package which cascade upgraded some other pip packages, immediately ran into this error when running any AWS CLI command:

ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

Any AWS command (including even aws --version) raises the error. Full stacktrace below.

Expected Behavior

aws ... commands work as expected.

Current Behavior

Raises this stacktrace

Traceback (most recent call last):
  File "/usr/local/bin/aws", line 19, in <module>
    import awscli.clidriver
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/clidriver.py", line 21, in <module>
    import botocore.session
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/session.py", line 27, in <module>
    import botocore.client
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/client.py", line 16, in <module>
    from botocore import UNSIGNED, waiter, xform_name
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/waiter.py", line 17, in <module>
    from botocore.docs.docstring import WaiterDocstring
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/docs/__init__.py", line 15, in <module>
    from botocore.docs.service import ServiceDocumenter
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/docs/service.py", line 14, in <module>
    from botocore.docs.client import ClientDocumenter, ClientExceptionsDocumenter
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/docs/client.py", line 16, in <module>
    from botocore.docs.example import ResponseExampleDocumenter
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/docs/example.py", line 13, in <module>
    from botocore.docs.shape import ShapeDocumenter
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/docs/shape.py", line 19, in <module>
    from botocore.utils import is_json_value_header
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/utils.py", line 33, in <module>
    import botocore.httpsession
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 41, in <module>
    from urllib3.contrib.pyopenssl import orig_util_SSLContext as SSLContext
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/urllib3/contrib/pyopenssl.py", line 50, in <module>
    import OpenSSL.crypto
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/SSL.py", line 255, in <module>
    class X509VerificationCodes:
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/SSL.py", line 267, in X509VerificationCodes
    ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'lib' has no attribute 'X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT'

Reproduction Steps

Install AWS CLI v2 via homebrew (though other installation methods will probably replicate it)

Install or upgrade any pip package that uses pyOpenSSL or upgrade pyOpenSSL to >= 23.2.

Possible Solution

Likely caused by a breaking change in version 23.2 of pyOpenSSL:

https://pypi.org/project/pyOpenSSL/

23.2.0 (2023-05-30)

Backward-incompatible changes:
- Removed X509StoreFlags.NOTIFY_POLICY. [#1213](https://github.com/pyca/pyopenssl/pull/1213).

Deprecations:

Changes:
- cryptography maximum version has been increased to 41.0.x.
- Invalid versions are now rejected in OpenSSL.crypto.X509Req.set_version.
- Added X509VerificationCodes to OpenSSL.SSL. [#1202](https://github.com/pyca/pyopenssl/pull/1202).

Downgrading to pyOpenSSL 23.1.0 fixes it:

python3 -m pip install pyOpenSSL==23.1.0

Additional Information/Context

No response

CLI version used

aws-cli/2.11.24 Python/3.11.3 Darwin/22.5.0 source/x86_64 prompt/off

Environment details (OS name and version, etc.)

OS X Ventura 13.4 (latest patch)

@devops-corgi devops-corgi added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 1, 2023
@tim-finnigan
Contributor

Hi @devops-corgi, thanks for reaching out. Brew installation isn't officially supported per the AWS CLI documentation; we recommend using one of the installation methods documented there. You shouldn't need pyOpenSSL for the AWS CLI, so uninstalling it is another option. We have received similar issues before (for example #7325), but those involve the cryptography library, which the AWS CLI and pyOpenSSL use.

@tim-finnigan tim-finnigan self-assigned this Jun 1, 2023
@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. installation and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 1, 2023
@github-actions

github-actions bot commented Jun 6, 2023

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 6, 2023
@alexreg

alexreg commented Jun 7, 2023

Still an issue for me... I suspect pyOpenSSL is an indirect dependency?

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 7, 2023
@tim-finnigan
Contributor

@alexreg does uninstalling pyOpenSSL resolve the issue?

@tim-finnigan tim-finnigan added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 7, 2023
@alexreg

alexreg commented Jun 8, 2023

@tim-finnigan Sorry, didn't see your suggestion above to do that... yes, that works for me. Not an ideal solution, of course, but I suppose this bug should be reported to pyOpenSSL in any case, as it isn't anything in particular to do with the AWS CLI.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 8, 2023
@tim-finnigan tim-finnigan removed their assignment Jun 8, 2023
@tim-finnigan tim-finnigan added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 8, 2023
@github-actions github-actions bot added closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 10, 2023
@GalvinGao

Just encountered this as well and was able to fix the problem after fixing a minor typo from the solution above. The correct command shall be:

python3 -m pip install pyOpenSSL==23.1.0

as one should specify the version constraint via ==.

@devops-corgi
Author

Thanks @GalvinGao ! Updated my solution in the first post in case anyone else finds this useful.

@drAlberT

drAlberT commented Aug 2, 2023

This workaround prevents installing aws-sam-cli:

The conflict is caused by:
    The user requested pyOpenSSL==23.1.0
    aws-sam-cli 1.89.0 depends on pyopenssl~=23.2.0

@ermirry

ermirry commented Aug 2, 2023

I'm also experiencing this issue. Both downgrading pyOpenSSL to 23.1.0 and straight up uninstalling it did not work for me. Any aws or even kubectl command being run against my EKS cluster gives me:

ERR_UNABLE_TO_GET_ISSUER_CERT = _lib.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

@ermirry

ermirry commented Aug 3, 2023

Was able to fix this by uninstalling my homebrew version of awscli and reinstalling via the documented method here

@jabr

jabr commented Oct 9, 2023

I'm having the same problem. I have no interest in migrating off of the homebrew method of installation for this package, though. Do you have plans to eventually support pyOpenSSL 23.2+?

@jabr

jabr commented Oct 9, 2023

Alternative solution for homebrew, installing old version of pyopenssl just for aws-cli:

cd $(brew --prefix awscli)/libexec/lib/python3.11/site-packages/
pip3 install -t . pyopenssl==23.1.0 --upgrade

@Hatlen

Hatlen commented Oct 13, 2023

> Alternative solution for homebrew, installing old version of pyopenssl just for aws-cli:
>
> cd /opt/homebrew/Cellar/awscli/2.13.25/libexec/lib/python3.11/site-packages/
> pip3 install -t . pyopenssl==23.1.0 --upgrade

This worked great for me, thank you very much!
My Cellar path was slightly different though so I used brew info awscli to figure out the path (it was /usr/local/Cellar/awscli/2.13.26/libexec/lib/python3.11/site-packages)

@edbergavera

This has fixed the issue for me.

python3 -m pip install pyOpenSSL==23.1.0

@drAlberT

Anyway, this issue is not solved.

Keeping the old lib version prevents packages such as aws-sam-cli from being installed, while fixing the lib version inside the cellar package will be lost on every aws-cli update (which is very often) ...

@b-tin

b-tin commented Oct 24, 2023

> Alternative solution for homebrew, installing old version of pyopenssl just for aws-cli:
>
> cd /opt/homebrew/Cellar/awscli/2.13.25/libexec/lib/python3.11/site-packages/
> pip3 install -t . pyopenssl==23.1.0 --upgrade

cool, thanks @jabr, this works for me

@sankalp-khare

For me uninstalling pyOpenSSL from the homebrew python3 install worked:

❯ /opt/homebrew/bin/pip3 uninstall pyOpenSSL
Found existing installation: pyOpenSSL 23.3.0
Uninstalling pyOpenSSL-23.3.0:
  Would remove:
    /opt/homebrew/lib/python3.11/site-packages/OpenSSL/*
    /opt/homebrew/lib/python3.11/site-packages/pyOpenSSL-23.3.0.dist-info/*
Proceed (Y/n)? y
  Successfully uninstalled pyOpenSSL-23.3.0

@edbergavera

> For me uninstalling pyOpenSSL from the homebrew python3 install worked:
>
> ❯ /opt/homebrew/bin/pip3 uninstall pyOpenSSL
> Found existing installation: pyOpenSSL 23.3.0
> Uninstalling pyOpenSSL-23.3.0:
>   Would remove:
>     /opt/homebrew/lib/python3.11/site-packages/OpenSSL/*
>     /opt/homebrew/lib/python3.11/site-packages/pyOpenSSL-23.3.0.dist-info/*
> Proceed (Y/n)? y
>   Successfully uninstalled pyOpenSSL-23.3.0

This might be a permanent fix?

@jabr

jabr commented Nov 16, 2023

> For me uninstalling pyOpenSSL from the homebrew python3 install worked:
> ...
>
> This might be a permanent fix?

That's only an option if you have nothing else dependent on pyOpenSSL being installed as a site-package. pip3 show pyOpenSSL | grep Required-by will list any other site-packages using it. You might also have other Python code on your system that uses it directly.

@jabr

jabr commented Nov 16, 2023

> This worked great for me, thank you very much! My Cellar path was slightly different though ...

Good catch! I updated my "solution" using brew's prefix option to handle the path difference between versions:

cd $(brew --prefix awscli)/libexec/lib/python3.11/site-packages/
pip3 install -t . pyopenssl==23.1.0 --upgrade

bevanjkay pushed a commit to philipfischer/homebrew-core that referenced this issue Dec 29, 2023
awscli: ignore system site packages in virtualenv

Configure the virtualenv created by this formula to ignore system site packages as all dependencies are installed in the virtualenv and having certain packages in the system site packages breaks awscli as described here: aws/aws-cli#7942.
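
A diagnostic for the failure discussed in this thread, added here as an example (not code from the AWS CLI, Homebrew, or any commenter): it lists packages that a traceback shows being imported from a site-packages directory outside the application's own prefix, and reads a pyvenv.cfg to tell whether the virtualenv admits system site-packages. The function names and the pyvenv.cfg sample are assumptions; the traceback frames are trimmed from the first post.

```python
import re
from pathlib import PurePosixPath

# Frames trimmed from the traceback in the first post of this thread.
SAMPLE_TRACEBACK = '''\
Traceback (most recent call last):
  File "/usr/local/bin/aws", line 19, in <module>
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/awscli/botocore/httpsession.py", line 41, in <module>
  File "/usr/local/Cellar/awscli/2.11.22/libexec/lib/python3.11/site-packages/urllib3/contrib/pyopenssl.py", line 50, in <module>
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/__init__.py", line 8, in <module>
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/SSL.py", line 255, in <module>
AttributeError: module 'lib' has no attribute 'X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT'
'''
# Constructed pyvenv.cfg contents (not taken from the page).
SAMPLE_PYVENV_CFG = "home = /usr/local/bin\ninclude-system-site-packages = true\n"

FRAME_RE = re.compile(r'^\s*File "([^"]+)", line \d+', re.MULTILINE)


def foreign_packages(traceback_text, app_prefix):
    """Map top-level package -> site-packages dir for every frame loaded from
    a site-packages directory that lies outside app_prefix."""
    found = {}
    for raw in FRAME_RE.findall(traceback_text):
        path = PurePosixPath(raw)
        parts = path.parts
        if "site-packages" not in parts or path.is_relative_to(app_prefix):
            continue  # launcher/stdlib frame, or the application's own copy
        idx = parts.index("site-packages")
        found.setdefault(parts[idx + 1], str(PurePosixPath(*parts[:idx + 1])))
    return found


def includes_system_site_packages(pyvenv_cfg_text):
    """True if this pyvenv.cfg lets the venv import system site-packages.
    CPython's site.py treats a missing key as true, so this does too."""
    for line in pyvenv_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "include-system-site-packages":
            return value.strip().lower() == "true"
    return True


if __name__ == "__main__":
    prefix = "/usr/local/Cellar/awscli/2.11.22/libexec"
    for pkg, site_dir in foreign_packages(SAMPLE_TRACEBACK, prefix).items():
        print(f"{pkg} was imported from {site_dir}, outside {prefix}")
    print("venv sees system site-packages:",
          includes_system_site_packages(SAMPLE_PYVENV_CFG))
```

On the sample, the only foreign package is OpenSSL: urllib3 inside the awscli prefix imported a pyOpenSSL that pip had upgraded in the system site-packages.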