This is a really peculiar error. It seems to be caused in the past few months by some sort of regression in boto3. I encountered it on Debian.
If you run Ansible or your own Python application under strace, you will see this:
[pid 173] openat(AT_FDCWD, "/etc/ssl/certs/cacert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
It appears to be looking for the root CA bundle at /etc/ssl/certs/cacert.pem. This doesn’t exist, on Debian. Instead, the root CA bundle can be found at /etc/ssl/certs/ca-certificates.crt (as long as you have the ca-certificates package installed).
The workaround seems to be to explicitly set AWS_CA_BUNDLE, like so:
In my case, Ansible (which uses boto3) was running inside a Docker container, so adding this to the Dockerfile worked: