Here is the scenario:
You are trying to pull a Sandbox app from Amplify, complete with its data model, using the command:
amplify pull --sandboxId "AppGUID"
and you get the error message:
"Failed to pull sandbox app: request to https://production.us-east-1.appstate.amplifyapp.com/AppState/"AppGUID" failed, reason: unable to get local issuer certificate"
The solution which generally works:
Log off the company VPN if you are connected to your organization's VPN. You will find this solution when you google the error. Well, problem solved, RIGHT?
It worked for me, and I was able to pull the application locally with the complete data model.
Curious and Open Question:
But the question is: why did it even happen? Please read on if you are curious and not just looking for an easy solution without knowing the actual cause.
I performed a few tests using OpenSSL to understand the complete communication between client and server. One of the simpler commands you can use is s_client with the -connect option:
openssl s_client -connect production.us-east-1.appstate.amplifyapp.com:443
After reading the article below, I learned that proxy servers don't perform automatic checks for certificate chaining the way browsers do, by using the AIA (Authority Information Access) field in the certificate.
Refer to this article on intermediate certificates: https://blogs.cisco.com/security/where-is-my-intermediate-tls-certificate
The leading cause seems to be missing intermediate certificates on the proxy server, hence the error "unable to get local issuer certificate." In the case of proxy servers, one solution is to import the missing certificates into the device certificate store to get it working.
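The root cause described above can be reproduced offline. The following is an added example, not part of the original post: it builds a constructed root, intermediate and leaf chain (all names and files are made up) and verifies the leaf once with only the root trusted and once with the intermediate supplied.

```shell
#!/usr/bin/env bash
# Added example: every name, file and certificate here is constructed for the demo.

# Create a key and a CSR: $1 = file prefix, $2 = common name.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf inside directory $1 (runs in a subshell).
make_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  new_csr inter "Demo Intermediate CA" &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null &&
  new_csr leaf "demo.example.test" &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

# A verifier that trusts the root but was never given the intermediate.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same trusted root, with the intermediate supplied to complete the chain.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

# Demo run: the first check fails with error 20, the second succeeds.
demo_dir=$(mktemp -d) && make_chain "$demo_dir" && {
  echo "--- root only"
  verify_without_intermediate "$demo_dir" || true
  echo "--- root plus intermediate"
  verify_with_intermediate "$demo_dir"
}
```

Against a live endpoint, adding -showcerts to the s_client command prints the certificates the server actually sent, which shows whether the intermediate is part of the handshake.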
Hope this explains the root cause of the issue, which is generic and not specific to only this scenario.