SSL: CERTIFICATE_VERIFY_FAILED error when trying to install AwsReplicationWindowsInstaller.exe in Windows

Voiced by Amazon Polly

In this post, Marc Gadsdon walks you through the steps to install the AWS Application Migration Replication Agent if you hit the SSL: CERTIFICATE_VERIFY_FAILED error.

Error

Installing the AWS Application Migration Replication Agent in Windows fails with an SSL Certificate Error

Whilst setting up a small migration using AWS Application Migration Service to migrate some legacy Windows IIS hosts I ran into a problem getting the replication agent installer to run. I couldn’t find an obvious answer, so thought I’d document how I resolved the problem – hopefully this helps a few people out.

I was trying to run AwsReplicationWindowsInstaller.exe which is the AWS Application Migration Replication Agent installer – the instructions are documented at https://docs.aws.amazon.com/mgn/latest/ug/windows-agent.html. Every time I ran the .exe, it would fail with an SSL certificate verification error after the step where it prompts for the Region.

The full error message was

urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

Searching for this error indicates a python problem and most roads lead to a Stackoverflow article where a solution for Windows is to update the Python install. However, in my case, Python wasn’t installed and I needed to resolve the issue with the packaged .exe (which I assume is using Python as the above error is clearly a Python error).

The Solution

Based on the Stackoverflow answers, I figured the issue was a missing root cert. I was able to solve the problem by importing the AWS root certificate chain into Windows’ Trusted Root Certification Authorities cert store.

Solution Summary

  1. Download the AWS root certificate chain .pem – I used Firefox > show certificate details
  2. Install into Trusted Root Certification Authorities/Certificates using Windows Certificate manager MMC snapin
  3. Rerun AwsReplicationWindowsInstaller.exe

Resolution Steps in Detail

  1. In a browser, visit the base url listed in the error – mine was `https://aws-application-migration-service-eu-west-2.s3.eu-west-2.amazonaws.com/latest/windows/`
  2. Use your browser to view the cert – in Firefox it looks like this:
  3. Firefox view certificate details
  4. Firefox view certificate details 2
  5. Firefox view certificate details 2
  6. Download the PEM (Chain) file
  7. Download the chain pem file
  8. Now navigate to the Local Computer Certificates snapin in MMC and drill down to the  Trusted Root Certification Authorities/Certificates
  9. Trusted root import
  10. Action > All Tasks > Import
  11. Import the cert
  12. The wizard will open – hit Next
  13. Browse to the pem chain file you downloaded and hit Next
  14. Select the pem file
  15. Make sure the Trusted Root Certification Authorities location is selected and hit Next
  16. Select certificate import location
  17. Review the default and hit Finish.
  18. Now rerun AwsReplicationWindowsInstaller.exe and all should be well.

 

So there you have it – if you run into this error you know what to do to fix it!  If you need help with your AWS migration be sure to check out our AWS Migration Service and get in touch if you’d like to discuss your project.

You Might Be Also Interested In These...

Money growth vector illustration, flat golden coins pile with revenue graph, concept of income increase or earnings, financial boost chart, success capital investment, cash budget isolated

Don’t get Caught Out by AWS Data Egress Fees…

It’s no secret that AWS, like most cloud providers, charge nothing for data ingress.  It’s free to put your data in to the cloud, yet they do charge for data egress – getting your data back out again.  This fact is often overlooked when modelling the business case for cloud versus on premise. Recently NASA […]

View Post
AWS Snowball

AWS Snowball: What Does Amazon’s Import/Export Appliance Cost?

AWS Import Export with Snowball Originally a single device used for migrating data into AWS, Snowball is now part of the AWS Snow family of services used for both speeding up data import and export to and from AWS, and for secure edge computing. The AWS Snowball family includes: AWS Snowball Edge Storage Optimized AWS […]

View Post
6 Rs of cloud migration - Graphic depicting all the aspects of cloud migration

What Are the 6 Rs of Cloud Migration?

When looking to migrate your on-premises IT infrastructure and applications to the public cloud, there are six strategies that you can adopt. It is important to analyze your existing application portfolio and categorize them against the 6 Rs so you can build out your public cloud migration plan. What Exactly Are the 6 Rs? In 2011 […]

View Post
ebook featured image

5 Steps to a Successful

AWS Migration

DOWNLOAD FREE EBOOK