[EKS] [request]: Support for certification rotation on EKS clusters #2638

@juris

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

  • Provide a path to update the root CA on affected clusters to include SKID and AKI extensions.
  • Alternatively, offer an automated upgrade/migration strategy or mitigation to support Python 3.13+.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Recent versions of Python (3.13+) enforce stricter SSL certificate validation and require modern X.509 extensions (Subject Key Identifier and Authority Key Identifier) in the certificate chain.

EKS clusters originally created on Kubernetes v1.16 or earlier have a root CA certificate that lacks these required extensions. This causes Python 3.13+ clients (e.g., using requests, urllib3) to fail with CERTIFICATE_VERIFY_FAILED errors.

This is a blocker for services using these clusters with modern Python runtimes.

Impact:

  • Affects all SSL connections from Python 3.13+ clients to EKS clusters created on Kubernetes ≤v1.16.
  • Tools like curl, kubectl, and openssl continue to work, which can mask the issue.

Are you currently working around this issue?
Currently we have to use SKIP_TLS_VERIFY env for affected workloads.

Additional context

  • The same issue with Elasticsearch (fixed)
  • The same issue with Python kubernetes-client
  • Similar request from 2019
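
An added example, not part of the original issue and not AWS guidance: a client-side mitigation narrower than turning TLS verification off, which keeps chain and hostname checks and clears only the strict X.509 flag. It assumes the rejection comes from `ssl.VERIFY_X509_STRICT`, which `ssl.create_default_context()` enables by default starting with Python 3.13; `strict_by_default`, `relaxed_context` and `summarize` are hypothetical helper names, and `cafile` stands for the path to the cluster CA bundle.

```python
import ssl
import sys


def strict_by_default() -> bool:
    """Report whether this interpreter's default context enables strict X.509 checks."""
    ctx = ssl.create_default_context()
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def relaxed_context(cafile=None) -> ssl.SSLContext:
    """Build a verifying context with only VERIFY_X509_STRICT cleared.

    cafile: optional path to the cluster CA bundle (assumption: PEM file
    taken from the cluster's kubeconfig). With None, system roots are used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Certificate and hostname verification stay on; only the RFC 5280
    # strictness checks (which include the SKID/AKI requirements) are dropped.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def summarize(ctx: ssl.SSLContext) -> dict:
    """Return the verification settings worth asserting on in a deployment check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


if __name__ == "__main__":
    print("python", sys.version.split()[0],
          "strict by default:", strict_by_default())
    print("relaxed context:", summarize(relaxed_context()))
```

The resulting context can be handed to any client that accepts an `ssl.SSLContext`, for example `urllib.request.urlopen(url, context=ctx)`.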
