I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done: <ul> <li>Using ACM, created a certificate for vitalservices-3.docriot.com.</li> <li>In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".</li> <li>In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.</li> </ul> When I run <pre class="prettyprint"><code>curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod </code></pre> I get <pre class="prettyprint"><code>{"message":"Missing Authentication Token"} </code></pre> which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run <pre class="prettyprint"><code>curl https://vitalservices-3.docriot.com -k </code></pre> But if I drop the -k and run <pre class="prettyprint"><code>curl https://vitalservices-3.docriot.com </code></pre> I get <pre class="prettyprint"><code>curl: (60) SSL certificate problem: Invalid certificate chain . . . </code></pre> How can I fix this? EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority. I've attached a screenshot of what I see when I click "Not Secure" in the url bar and look at the certificate info.<img src="https://i.stack.imgur.com/RMmhD.png" alt="enter image description here">

The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file <code>cacert.pem</code>, which is a bundle of certificates of public Certificate Authorities from Mozilla. You can download cacert.pem from CURL's web site: cacert.pem More information about cacert.pem

API Gateway custom domain certificate error

I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:

Using ACM, created a certificate for vitalservices-3.docriot.com.
In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".
In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.

When I run

curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod

I get

{"message":"Missing Authentication Token"}

which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run

curl https://vitalservices-3.docriot.com -k

But if I drop the -k and run

curl https://vitalservices-3.docriot.com

I get

curl: (60) SSL certificate problem: Invalid certificate chain . . .

How can I fix this?

EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.

I've attached a screenshot of what I see when I click "Not Secure" in the url bar and look at the certificate info. enter image description here

How do I use AWS API gateway with custom domain?

To provide a certificate for a custom domain name in a Region where ACM is supported, you must request a certificate from ACM. To provide a certificate for a Regional custom domain name in a Region where ACM is not supported, you must import a certificate to API Gateway in that Region.

How do I add a client certificate to AWS API gateway?

Generate a client certificate using the API Gateway consoleOpen the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the main navigation pane, choose Client Certificates. From the Client Certificates pane, choose Generate Client Certificate.

The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.

You can download cacert.pem from CURL's web site:

cacert.pem

More information about cacert.pem

API Gateway custom domain certificate error

Tags:

ssl

amazon-web-services

aws-api-gateway

Christopher Simmons

People also ask

1 Answers

John Hanley

Recent Activity

Donate For Us

API Gateway custom domain certificate error

Tags:

ssl

amazon-web-services

aws-api-gateway

Christopher Simmons

People also ask

1 Answers

John Hanley

Related questions

Recent Activity

Donate For Us