aws config sso failed with SSL validation failed #9809

@WeiChen-Avayler

Describe the bug

Tried to run aws configure sso and encountered the following error:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1032)

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Successful login

Current Behavior

2025-10-22 17:55:08,992 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=RegisterClient) with params: {'url_path': '/client/register', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.31.19 md/awscrt#0.27.6 ua/2.1 os/windows#11 md/arch#amd64 lang/python#3.13.7 md/pyimpl#CPython m/Z,E,b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#configure.sso md/sso#auth'}, 'body': b'{"clientName": "botocore-client-INT-Test", "clientType": "public", "grantTypes": ["authorization_code", "refresh_token"], "redirectUris": ["http://127.0.0.1/oauth/callback"], "issuerUrl": "https://htotd.awsapps.com/start/#", "scopes": ["sso:account:access"]}', 'url': 'https://oidc.eu-west-2.amazonaws.com/client/register', 'context': {'client_region': 'eu-west-2', 'client_config': <botocore.config.Config object at 0x000002A0302179D0>, 'has_streaming_input': False, 'auth_type': 'none', 'unsigned_payload': None, 'auth_options': ['aws.auth#sigv4']}}
2025-10-22 17:55:08,992 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.RegisterClient: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x000002A0302497F0>>
2025-10-22 17:55:08,992 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sso-oidc.RegisterClient: calling handler <function set_operation_specific_signer at 0x000002A02EDED940>
2025-10-22 17:55:08,992 - MainThread - botocore.hooks - DEBUG - Event request-created.sso-oidc.RegisterClient: calling handler <bound method UserAgentString.rebuild_and_replace_user_agent_handler of <botocore.useragent.UserAgentString object at 0x000002A030216850>>
2025-10-22 17:55:08,993 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://oidc.eu-west-2.amazonaws.com/client/register, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.31.19 md/awscrt#0.27.6 ua/2.1 os/windows#11 md/arch#amd64 lang/python#3.13.7 md/pyimpl#CPython m/Z,E,b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#configure.sso md/sso#auth', 'Content-Length': '258'}>
2025-10-22 17:55:08,994 - MainThread - botocore.httpsession - DEBUG - Certificate path: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem
2025-10-22 17:55:08,994 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): oidc.eu-west-2.amazonaws.com:443
2025-10-22 17:55:09,809 - MainThread - botocore.endpoint - DEBUG - Exception received when sending HTTP request.
Traceback (most recent call last):
  File "urllib3\connectionpool.py", line 716, in urlopen
  File "urllib3\connectionpool.py", line 404, in _make_request
  File "urllib3\connectionpool.py", line 1061, in _validate_conn
  File "urllib3\connection.py", line 419, in connect
  File "urllib3\util\ssl_.py", line 458, in ssl_wrap_socket
  File "urllib3\util\ssl_.py", line 502, in _ssl_wrap_socket_impl
  File "ssl.py", line 455, in wrap_socket
  File "ssl.py", line 1076, in _create
  File "ssl.py", line 1372, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1032)

Reproduction Steps

Install aws-cli/2.31.19 Python/3.13.7 Windows/11 exe/AMD64
Run the command:
aws configure sso

Possible Solution

No response

Additional Information/Context

Our company does not use the pem file, and the error still occurs when adding --no-verify-ssl.

CLI version used

2.31.19

Environment details (OS name and version, etc.)

Windows 11
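
The "Certificate path" line in the debug log shows the CLI verifying the server against its bundled cacert.pem, and "unable to get local issuer certificate" means no certificate in that file issued the chain the client received. The script below is an added example, not part of the original issue or the AWS CLI project: it reproduces the same OpenSSL error offline with a constructed throwaway PKI and shows it clearing once the issuing root is in the bundle. All certificate names are made up, and openssl on PATH is assumed.

```bash
#!/usr/bin/env bash
# Added example. Every name here (demo-root, other-root, oidc.example.test)
# is constructed; nothing is taken from the reporter's network.

# Build a throwaway PKI in directory $1: a root CA, a leaf it signs, and an
# unrelated root standing in for a CA bundle that lacks the real issuer.
make_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-root" \
      -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=other-root" \
      -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=oidc.example.test" \
      -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf $2 against CA bundle $1. Prints "ok", the issuer-lookup error
# text seen in the issue, or "other: ..." for any different failure.
verify_with() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other: $out" ;;
  esac
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  echo "bundle without issuer: $(verify_with "$d/other.pem" "$d/leaf.pem")"
  cat "$d/other.pem" "$d/root.pem" > "$d/bundle.pem"   # append issuing root
  echo "bundle with issuer:    $(verify_with "$d/bundle.pem" "$d/leaf.pem")"
  rm -rf "$d"
}

demo
```

For the AWS CLI, the counterpart of the combined bundle is a PEM file supplied through the --ca-bundle option or the AWS_CA_BUNDLE environment variable.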

Labels

p3 (This is a minor priority issue), sso
