Don't use this answere as it might be equal to disabling certificate checks.

As pointed out by Le Hibou in the comments, ssl.Purpose.CLIENT_AUTH is meant for authenticating clients on the server side.

This value indicates that the context may be used to authenticate Web clients (therefore, it will be used to create server-side sockets).

Looking at the code for create_default_context() shows that certificate checks might be disabled or at least optional in this case.

I had the same error message (on Windows) and solved it with the following:

import aiohttp
import ssl


client = aiohttp.ClientSession()
client.post(
    'https://some.foo/bar/',
    json={"foo": "bar"},
    ssl=ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH))

This is using the ssl argument of request() to set a different SSL context than the default. The default is ssl.create_default_context().

The problem is that the default value for ssl.create_default_context() are:

ssl.create_default_context(purpose=Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None)

The Purpose.SERVER_AUTH doesn't seem to work when validating server certificates on the client side. Instead use Purpose.CLIENT_AUTH when validating as a client.

I suspect certificate validation chain is broken on your machine. On Ubuntu everything is working, as @dano mentioned.

Anyway, you may disable ssl validation by creating custom Connector instance:

import asyncio
import aiohttp

urls = [
    'http://www.whitehouse.gov/cea/',
    'http://www.whitehouse.gov/omb',
    'http://www.google.com']


def test_async():
    connector = aiohttp.TCPConnector(verify_ssl=False)
    for url in urls:
        try:
            r = yield from aiohttp.request('get', url, connector=connector)
        except aiohttp.errors.ClientOSError as e:
            print('bad eternal link %s: %s' % (url, e))
        else:
            print(r.status)


if __name__ == '__main__':
    print('async')
    asyncio.get_event_loop().run_until_complete(test_async())

BTW, requests library is shipped with own certificate bundle. Maybe we need to do the same for aiohttp?

UPD. See also https://github.com/aio-libs/aiohttp/issues/341

I had the same problem on an old Linux server with out of date CA root certificates, and loading certifi CA certificate bundle in a SSLContext fixed the issue.

import aiohttp
import ssl
import certifi

ssl_context = ssl.create_default_context(cafile=certifi.where())
async with aiohttp.ClientSession() as session:
    async with session.get('https://some.foo/bar/', ssl=ssl_context) as response:
        print(await response.text())