The Python API relies on a list of certificates that is bundled with the API and on your machine in order to connect to the various webservices Shotgun uses. Unfortunately, new certificate authorities can be released and those might not be bundled with the Python API or OS.
While our Python API comes with a very recent copy of the certificates, as of February 21st 2019, there's a bug right now that prevents the API from using those certificates for Amazon S3 uploads, even if you are using the latest version of the API. For background please see this AWS blog post. To remediate the situation temporarily, you can try the following solutions. Note that these are temporary workarounds and we're looking into a long-term solution.
Add required CA certificate to the Windows Certificate Store. Windows 7 users may have to first upgrade to PowerShell 3.0 in order to use this solution, or alternatively use certutil to add the required certificate.
- Start an elevated PowerShell by right-clicking Start and then left-clicking Windows PowerShell (Admin)
- Paste the following commands into the PowerShell window and then press Return to execute:
$cert_url = "https://www.amazontrust.com/repository/SFSRootCAG2.cer"
$cert_file = New-TemporaryFile
Invoke-WebRequest -Uri $cert_url -UseBasicParsing -OutFile $cert_file.FullName
Import-Certificate -FilePath $cert_file.FullName -CertStoreLocation Cert:\LocalMachine\Root
- If details of the added certificate bearing thumbprint 925A8F8D2C6D04E0665F596AFF22D863E8256F3F are displayed then the operation is complete and PowerShell can be closed
If you are using the Python API only
1. Upgrade to the Python API v3.0.39
2a. Set SHOTGUN_API_CACERTS to /path/to/shotgun_api3/lib/httplib2/cacerts.txt
2b. Update your scripts and set the ca_certs=/path/to/shotgun_api3/lib/httplib2/cacerts.txt when instantiating the Shotgun object.
If you are using Toolkit
1. Upgrade to the latest version of the Toolkit API via the tank core command or by updating
the core/core_api.yml file of your pipeline configuration, depending on how you deploy Toolkit.
2. Download an up-to-date list of certificates at https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem
3. Set SHOTGUN_API_CACERTS to the location where you saved this file. Toolkit doesn't allow you to specify the ca_certs parameter when creating connections unfortunately like the Python API does.
If you can’t update the Python API or Toolkit
1. Download an up-to-date list of certificates at https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem
2. Set the SSL_CERT_FILE environment variable to the location where you saved this file.