Ansible Logo

boto3 / Ansible: SSL validation failed [Errno 2] No such file or directory

Posted by

This is a really peculiar error. It seems to be caused in the past few months by some sort of regression in boto3. I encountered it on Debian.

If you run Ansible or your own Python application under strace, you will see this:

[pid   173] openat(AT_FDCWD, "/etc/ssl/certs/cacert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)

It appears to be looking for the root CA bundle at /etc/ssl/certs/cacert.pem. This doesn’t exist, on Debian. Instead, the root CA bundle can be found at /etc/ssl/certs/ca-certificates.crt (as long as you have the ca-certificates package installed).

The workaround seems to be to explicitly set AWS_CA_BUNDLE, like so:

export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

In my case, Ansible (which uses boto3) was running inside a Docker container, so adding this to the Dockerfile worked:

ENV AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Leave a Reply

Your email address will not be published.