Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

API Gateway custom domain certificate error

I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:

  • Using ACM, created a certificate for vitalservices-3.docriot.com.
  • In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".
  • In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.

When I run

curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod

I get

{"message":"Missing Authentication Token"}

which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run

curl https://vitalservices-3.docriot.com -k

But if I drop the -k and run

curl https://vitalservices-3.docriot.com

I get

curl: (60) SSL certificate problem: Invalid certificate chain . . .

How can I fix this?

EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.

I've attached a screenshot of what I see when I click "Not Secure" in the url bar and look at the certificate info.enter image description here

like image 767
Christopher Simmons Avatar asked Mar 13 '18 22:03

Christopher Simmons


People also ask

How do I use AWS API gateway with custom domain?

To provide a certificate for a custom domain name in a Region where ACM is supported, you must request a certificate from ACM. To provide a certificate for a Regional custom domain name in a Region where ACM is not supported, you must import a certificate to API Gateway in that Region.

How do I add a client certificate to AWS API gateway?

Generate a client certificate using the API Gateway consoleOpen the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the main navigation pane, choose Client Certificates. From the Client Certificates pane, choose Generate Client Certificate.


1 Answers

The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.

You can download cacert.pem from CURL's web site:

cacert.pem

More information about cacert.pem

like image 86
John Hanley Avatar answered Oct 04 '22 00:10

John Hanley