aws-documentation-mcp-server: SSL CERTIFICATE_VERIFY_FAILED Unable to get local issuer certificate
Describe the bug
I have configured the MCP server in my VSCode on a Windows PC like below:
"mcp-aws-docs": {
  "type": "stdio",
  "command": "uvx",
  "args": [
    "--from",
    "awslabs.aws-documentation-mcp-server@latest",
    "awslabs.aws-documentation-mcp-server.exe"
  ],
  "env": {
    "FASTMCP_LOG_LEVEL": "WARNING",
    "AWS_DOCUMENTATION_PARTITION": "aws"
  }
}
When I try to invoke the "read_documentation" tool via the agent, I am getting this SSL verification error in the output.
Failed to fetch https://docs.aws.amazon.com/<..> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate.
I am behind a corporate network (Zscaler). Please let me know how I can get this issue resolved.
Expected Behavior
The MCP server is able to execute the tool without any SSL error.
Current Behavior
Receiving this error
Failed to fetch https://docs.aws.amazon.com/<..> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate.
Reproduction Steps
Configure this MCP server in VSCode in Windows PC as explained in the description.
Possible Solution
Provide an option to bypass SSL verification which the user can set as an environment variable, similar to "NODE_TLS_REJECT_UNAUTHORIZED".
Additional Information/Context
No response
OS
Windows
Server
aws-documentation-mcp-server
Server Version
No response
Region experiencing the issue
global
Other information
No response
Service quota
- [x] I have reviewed the service quotas for this construct
I tried to use this MCP server via Strands SDK and still receive the same SSL error.
I have the same issue with Zscaler. From a brief glance at the code, it appears that the httpx library that the MCP server uses does not respect the system certificate store by default.
I'm unable to replicate the situation with a short self-contained correct example, https://sscce.org/. This StackOverflow has helped others behind corporate firewalls through these two environmental variables:
- REQUESTS_CA_BUNDLE
- SSL_CERT_FILE
{
  "mcp-aws-docs": {
    "type": "stdio",
    "command": "uvx",
    "args": [
      "--from",
      "awslabs.aws-documentation-mcp-server@latest",
      "awslabs.aws-documentation-mcp-server.exe"
    ],
    "env": {
      "FASTMCP_LOG_LEVEL": "WARNING",
      "AWS_DOCUMENTATION_PARTITION": "aws",
      "REQUESTS_CA_BUNDLE": "C:/PATH/cacert.pem",
      "SSL_CERT_FILE": "C:/PATH/cacert.pem"
    }
  }
}
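An added diagnostic, not part of the thread or of the MCP server's own code: it checks that the files named by the two variables above exist and load in Python's `ssl` module, and lists the CA subjects so you can confirm the inspecting proxy's root CA is actually in the bundle. The helper names `inspect_bundle` and `check_env` are made up for this example.

```python
import os
import re
import ssl

# The two variables suggested in the thread above.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")
PEM_BEGIN = re.compile(rb"-----BEGIN CERTIFICATE-----")


def inspect_bundle(path):
    """Report whether `path` is a PEM bundle that Python's ssl module can load."""
    report = {"path": path, "exists": os.path.isfile(path),
              "pem_blocks": 0, "loaded_cas": 0, "subjects": [], "error": None}
    if not report["exists"]:
        report["error"] = "file not found"
        return report
    with open(path, "rb") as fh:
        report["pem_blocks"] = len(PEM_BEGIN.findall(fh.read()))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        report["error"] = f"cannot load: {exc}"
        return report
    for ca in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (name, value) pairs
        fields = dict(pair for rdn in ca["subject"] for pair in rdn)
        report["subjects"].append(
            fields.get("commonName") or fields.get("organizationName"))
    report["loaded_cas"] = len(report["subjects"])
    return report


def check_env(env=os.environ):
    """Inspect every CA-bundle variable that is set; None marks an unset variable."""
    return {name: inspect_bundle(env[name]) if env.get(name) else None
            for name in CA_ENV_VARS}


if __name__ == "__main__":
    for name, report in check_env().items():
        if report is None:
            print(f"{name}: not set")
        elif report["error"]:
            print(f"{name}: {report['path']} -> {report['error']}")
        else:
            print(f"{name}: {report['loaded_cas']} CA certificates loaded")
            for subject in report["subjects"]:
                print(f"  {subject}")  # look for the proxy's root CA here
```

Run it with the same environment values as the `env` block of the MCP configuration, since that is what the server process receives.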
I have this issue also, also behind Zscaler, and setting REQUESTS_CA_BUNDLE and SSL_CERT_FILE did not work for me.
@AJD-UK Have you attempted to override the MCP_USER_AGENT environment variable, as outlined in the Corporate Network Support section of the Docs MCP readme?
I would use an updated one, which you can find through tools like what-is-my-user-agent.
Thanks for the info, I've actually resolved it now by reverting away from the fastmcp approach and back to http with the following config:
"aws-knowledge-mcp-server": {
  "url": "https://knowledge-mcp.global.api.aws",
  "type": "http",
  "env": {
    "REQUESTS_CA_BUNDLE": "/path/to/my/zscaler.pem",
    "SSL_CERT_FILE": "/path/to/my/zscaler.pem"
  }
},
As a heads up and clarification: that is also the aws-knowledge-mcp-server, which is different than the aws-documentation-mcp-server.
Thanks for the clarification. If the knowledge MCP server provides up-to-date documentation, is there any advantage by using the Documentation MCP server?
@AJD-UK It is entirely up to you to make that decision!
Both MCP Servers provide an entry into AWS Documentation, and both MCP Servers use a lot of the same ideas/approach to searching and reading AWS Documentation. The AWS Documentation MCP Server is a locally managed server and the AWS Knowledge MCP Server is a remotely managed server.