I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:
When I run
curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod
I get
{"message":"Missing Authentication Token"}
which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run
curl https://vitalservices-3.docriot.com -k
But if I drop the -k and run
curl https://vitalservices-3.docriot.com
I get
curl: (60) SSL certificate problem: Invalid certificate chain . . .
How can I fix this?
EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If I enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.
I've attached a screenshot of what I see when I click "Not Secure" in the URL bar and look at the certificate info.
To provide a certificate for a custom domain name in a Region where ACM is supported, you must request a certificate from ACM. To provide a certificate for a Regional custom domain name in a Region where ACM is not supported, you must import a certificate to API Gateway in that Region.
Generate a client certificate using the API Gateway console
Open the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the main navigation pane, choose Client Certificates. From the Client Certificates pane, choose Generate Client Certificate.
The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.
You can download cacert.pem from CURL's web site:
cacert.pem
More information about cacert.pem
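The dependence on the CA bundle that the answer above describes can be reproduced offline. This is an added example, not part of the original posts: the host name api.example.test, the two CA names, and the functions make_demo_pki, check_chain and demo are all constructed for illustration. The same leaf certificate verifies or fails depending only on whether the bundle contains its issuing CA.

```shell
#!/bin/sh
# Constructed demo PKI: throwaway CAs and a leaf for a made-up host name.
# Everything is generated locally; nothing touches the network.

# make_demo_pki DIR: write ca.pem, other.pem and leaf.pem into DIR.
make_demo_pki() {
    dir=$1
    # Issuing root CA (plays the role of a public CA found in a bundle like cacert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # A second, unrelated CA: stands for a bundle that does NOT contain the issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null || return 1
    # Leaf certificate for the hypothetical host, signed by the demo root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# check_chain BUNDLE CERT: print "trusted" if CERT chains to a CA in BUNDLE.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# demo: build the PKI in a temp directory and show both outcomes.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "bundle with issuing CA:    $(check_chain "$tmp/ca.pem" "$tmp/leaf.pem")"
    echo "bundle without issuing CA: $(check_chain "$tmp/other.pem" "$tmp/leaf.pem")"
    rm -rf "$tmp"
}

demo
```

curl's `--cacert FILE` option selects the bundle for a single request, which makes it easy to test whether a particular bundle is the missing piece.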