UFO uses the AWS Ruby SDK and the default SSL certificate chain configured in your active Ruby and OpenSSL to communicate with your AWS environment. This means your Ruby and OpenSSL must have all the root certificates UFO needs to reach AWS, especially if you are behind a proxy or a corporate SSL proxy.
If you are behind a corporate SSL proxy and have not updated your system, OpenSSL and Ruby certificate chains to include the needed corporate root certificates, you will see errors such as:
Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:996:in `connect'
~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
~/.rbenv/versions/2.6.0/lib/ruby/2.6.0/net/http.rb:925:in `start'
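The verification failure above, reproduced offline as an added example (not part of UFO or its helper scripts): a constructed root CA stands in for the corporate proxy root, and the same chain is verified with and without that root in the trust store. All subject names and certificates are constructed for illustration.

```ruby
require "openssl"

# Build an X.509 v3 certificate. With issuer_cert nil it is self-signed.
def make_cert(subject, serial, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # the value 2 means X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify leaf using the chain the peer sent, trusting only trusted_roots.
def check_chain(leaf, sent_chain, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent_chain)
  { ok: ok, code: store.error, message: store.error_string }
end

# Constructed sample: a proxy root re-signing a certificate for an AWS-like host.
def demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert("/CN=Constructed Corporate Proxy Root", 1, root_key, nil, root_key, ca: true)
  leaf = make_cert("/CN=s3.example.invalid", 2, leaf_key, root, root_key, ca: false)
  missing_root = check_chain(leaf, [root], [])     # root not in the trust store
  with_root    = check_chain(leaf, [root], [root]) # root added to the trust store
  [missing_root, with_root]
end

if __FILE__ == $PROGRAM_NAME
  # Where this Ruby's OpenSSL looks for trusted roots by default.
  puts "cert file: #{ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE}"
  puts "cert dir:  #{ENV['SSL_CERT_DIR'] || OpenSSL::X509::DEFAULT_CERT_DIR}"
  demo.each { |result| puts result.inspect }
end
```

The first result carries the same verify error as the trace above; the printed cert file and directory show which trust store the active Ruby reads, which is where the corporate root has to be present.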
The docs/utils directory has a few scripts that can help you resolve these issues and track down which certs are giving you problems.
ssl-doctor.rb is from the very useful examples at https://github.com/mislav/ssl-tools. It can help you find the missing root cert in your certificate chain and gives suggestions for getting OpenSSL working correctly.
update-cert-chains.sh will help you update your Ruby and OpenSSL chains by adding the missing root cert and also pulling the OSX System Root into your rbenv environment.
test-aws-api-access.rb should now return a list of the S3 buckets for the AWS profile that is currently active.
Update Brew and OpenSSL
brew upgrade openssl
Use the Helper Scripts to find the trouble spot
Once you have updated OpenSSL and your brew packages, use the helper scripts above to see if you can track down the missing certificate in your certificate chain.
The update-cert-chain.sh file was created using the suggestions from https://gemfury.com/help/could-not-verify-ssl-certificate/. Please review the information at that URL if the helper scripts above do not fully resolve your issue.
test-aws-api-access.rb uses examples from https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/quick-start-guide.html for using and configuring the Ruby AWS SDK on your system.