Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
- Provide a path to update the root CA on affected clusters to include SKID and AKI extensions.
- Alternatively, offer an automated upgrade/migration strategy or mitigation to support Python 3.13+.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Recent versions of Python (3.13+) enforce stricter SSL certificate validation and require modern X.509 extensions (Subject Key Identifier and Authority Key Identifier) in the certificate chain.
EKS clusters originally created on Kubernetes v1.16 or earlier have a root CA certificate that lacks these required extensions. This causes Python 3.13+ clients (e.g., using requests, urllib3) to fail with CERTIFICATE_VERIFY_FAILED errors.
This is a blocker for services using these clusters with modern Python runtimes.
Impact:
- Affects all SSL connections from Python 3.13+ clients to EKS clusters created on Kubernetes ≤v1.16.
- Tools like curl, kubectl, and openssl continue to work, which can mask the issue.
Are you currently working around this issue?
Currently we have to use SKIP_TLS_VERIFY env for affected workloads.
Additional context
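An added example, not part of the original issue or any AWS code: a narrower client-side mitigation than skipping TLS verification. It assumes the failures come from `ssl.VERIFY_X509_STRICT`, which `ssl.create_default_context()` enables by default starting with Python 3.13; the function names and the optional `cafile` path are hypothetical.

```python
import ssl


def relaxed_strict_context(cafile=None):
    """Context that still verifies the chain and hostname but drops
    only the RFC 5280 strictness checks (the ones that reject a CA
    certificate without SKID/AKI extensions)."""
    # cafile: path to the cluster CA bundle (hypothetical, caller-supplied);
    # None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    # Clear the single flag; every other default verify flag stays set.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def skip_verify_context():
    """What a blanket 'skip TLS verify' setting amounts to, shown only
    for comparison: no chain validation and no hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the properties of a context that matter here."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


if __name__ == "__main__":
    for name, ctx in [
        ("interpreter default", ssl.create_default_context()),
        ("strict flag cleared", relaxed_strict_context()),
        ("verification skipped", skip_verify_context()),
    ]:
        print(f"{name:22} {describe(ctx)}")
```

The relaxed context still rejects certificates that do not chain to the supplied CA or do not match the hostname, so it is a stopgap until the cluster CA itself carries the extensions.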