CERTIFICATE_VERIFY_FAILED error on Windows

Hi,

We’ve received reports of some users experiencing issues uploading and downloading media from Amazon with the Python API in the last few days on Windows. This issue manifests itself by the Python API raising the following error message:

shotgun_api3.shotgun.ShotgunFileDownloadError: Failed to open https://xxx.shotgunstudio.com/file_serve/attachment/xyz
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)>

It appears Amazon has updated some certificates on their backend. Windows usually refreshes its certificate store when browsing a webpage that requires a new certificate. A standalone Python script running on a computer that doesn’t see regular browsing activity will not retrieve certificate updates, which may cause that computer to be missing quite a few.

For the users experiencing this issue on Windows right now, you can update your computer by doing the following. If you have GUI access to the machine that has the issue, simply playing back any media that is currently stored on S3 should update your certificate store. This playback solution only works on Chrome, Internet Explorer, Edge or other Chromium based browsers. This playback solution does not work on Firefox or Safari, as these browser do not use Windows’ standard APIs for certificate validation.

For users whom this solution does not work, or if you have a big list of computers to update, like a Deadline render farm, we’re also providing a script that will add the missing certificate to your computer. Note that this script is similar to a script we’ve shared before for the last Amazon certificate update that caught some users off guard, but it’s not entirely the same.

For users of Powershell on Windows 10 or Powershell 3 on Windows 7 (I don’t have access to a Windows 8 machine, it may work, or not, in which case you’ll want to keep reading until the end), you can run the following script as an administrator on the computer to get the new certificate.

image

$cert_url = "https://www.amazontrust.com/repository/AmazonRootCA1.cer"
$cert_file = New-TemporaryFile
Invoke-WebRequest -Uri $cert_url -UseBasicParsing -OutFile $cert_file.FullName
Import-Certificate -FilePath $cert_file.FullName -CertStoreLocation Cert:\LocalMachine\Root

If the command worked, you should see this:

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16  CN=Amazon Root CA 1, O=Amazon, C=US

This will make the certificate available for all user accounts on the computer it is run on. If you don’t have admin access, you can change the last line with

Import-Certificate -FilePath $cert_file.FullName -CertStoreLocation Cert:\CurrentUser\Root

and the certificate will be added for the current user only.

If you’re old school like me and still rock using cmd.exe, you can also use certutil. First, you’ll need to download the certificate from https://www.amazontrust.com/repository/AmazonRootCA1.cer and save it somewhere on your computer.

Then launch the command prompt in administrative mode

image

and execute the following line:

certutil -addstore root <path-to-the-cert>

This will make the certificate available for all user accounts. If you don’t have admin access, you can add -user to install the certificate for the current user only like this

certutil -user -addstore root <path-to-the-cert>

If you still experience issues after running this script, do not hesitate to reach out through here or our support team.

We’re terribly sorry for the inconvenience. We’re going to look into how we can either warn our users in advance of such updates to the Amazon backend or how we can update the Python API so that this issue does not arise again.

JF

12 Likes