How to fix the SSL Error in AWS CLI

If you are configuring the Amazon Web Services (AWS) CLI on a work laptop, there is a good chance that its connections get blocked by the corporate device-management tooling. This is usually caused by the intermediate SSL certificate that the MDM tool issues to each device: the operating system trusts it, but the AWS CLI validates against its own bundled certificate store, which does not.

The error usually looks like this:

ssl validation failed for https://s3.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)

To fix the issue I have tried the following two methods. One of them might work for you.

Option 01

1. Run the following (EC2_REGION is your region, e.g. us-east-1):
curl https://ec2.${EC2_REGION}.amazonaws.com/ --verbose

2. Copy the CA file path that curl reports in its verbose output, for example:
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem

3. Set the environment variable to that path:
export AWS_CA_BUNDLE=/etc/ssl/cert.pem

4. Update the config file in ~/.aws/ with a matching ca_bundle entry:
[default]
region = us-east-1
output = json
ca_bundle = /etc/ssl/cert.pem

This works only if the curl call in step 1 succeeds: curl uses the system CA store, which the MDM tool has already updated, so pointing the AWS CLI at the same file makes it trust the same roots. If curl itself fails with a certificate error, the system store is missing the certificate too and you need Option 02.

Original Post: https://github.com/aws/aws-cli/issues/2690#issuecomment-497856869

Option 02

1. Run the following command to capture the certificate chain the endpoint presents. It writes each certificate to its own certN.crt file and then renames each file after the certificate's subject CN:
openssl s_client -showcerts -verify 5 \
  -servername ec2.us-west-2.amazonaws.com -connect ec2.us-west-2.amazonaws.com:443 </dev/null \
  | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' \
  && for cert in *.crt; do
       newname=$(openssl x509 -noout -subject -in "$cert" | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem
       mv "$cert" "$newname"
     done

2. Run the following to combine the CA certificates into a single .pem bundle. The first certificate in the chain is the server's own leaf and is left out; substitute the file names the rename step produced:
cat cert2.pem cert3.pem cert4.pem >ca_bundle.pem

Before relying on the bundle, check that its last certificate is the self-signed root of your organization's proxy or MDM tool. If the server did not send its root, the bundle will not validate anything and you need to obtain that root from the MDM tool.

3. Copy the file to ~/.aws/ as ca_bundle.pem and point the ca_bundle entry in the config file at it.

4. Set the environment variable to the same path you put in the AWS config file:
export AWS_CA_BUNDLE=~/.aws/ca_bundle.pem
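The Option 02 procedure above, as an added example that is not part of the original post: it splits saved s_client output into individual certificates, builds the bundle without the leaf, and verifies that the bundle really validates that leaf before you point AWS_CA_BUNDLE at it. The function names and the chain.txt file name are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: build the AWS CLI CA bundle
# from the chain an endpoint presents, keep only the issuing CAs, and check
# that the bundle really validates that endpoint's leaf before trusting it.
set -eu

# split_chain CHAIN_FILE OUTDIR: write each PEM certificate in CHAIN_FILE (saved
# "openssl s_client -showcerts" output) to OUTDIR/cert<N>.pem in the order the
# server sent them, so cert1.pem is the server's own leaf certificate.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
    f { print > (dir "/cert" n ".pem") }
    /-----END CERTIFICATE-----/   { f = 0; close(dir "/cert" n ".pem") }' "$1"
}

# build_bundle CHAIN_FILE OUT_FILE: concatenate every certificate except the
# leaf into OUT_FILE and print how many CA certificates it now holds.
build_bundle() {
  d=$(mktemp -d)
  split_chain "$1" "$d"
  rm -f "$d/cert1.pem"   # the leaf is not a CA and must never be trusted as one
  : > "$2"
  n=0
  for c in "$d"/cert*.pem; do
    [ -f "$c" ] || continue
    cat "$c" >> "$2"
    n=$((n + 1))
  done
  rm -rf "$d"
  echo "$n"
}

# verify_leaf BUNDLE CHAIN_FILE: succeed only if BUNDLE alone validates the leaf
# in CHAIN_FILE. Failure usually means the server sent no self-signed root, so
# the bundle is incomplete; get that root from the team running the proxy/MDM.
verify_leaf() {
  d=$(mktemp -d)
  split_chain "$2" "$d"
  if openssl verify -CAfile "$1" "$d/cert1.pem" >/dev/null 2>&1; then ok=0; else ok=1; fi
  rm -rf "$d"
  return $ok
}

# Intended use, as in the post (needs network), with HOST the blocked endpoint:
#   openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null > chain.txt
#   build_bundle chain.txt ~/.aws/ca_bundle.pem
#   verify_leaf ~/.aws/ca_bundle.pem chain.txt && export AWS_CA_BUNDLE=~/.aws/ca_bundle.pem
```

If verify_leaf fails, do not export the bundle: the chain you captured is missing its root and the CLI would fail exactly as before.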

I hope these quick tips help you troubleshoot the issue. Cheers!
