API Gateway sometimes returns wrong certificate for my custom domain

0

I am calling an API Gateway Regional endpoint through a custom domain SSL address; the certificate is correctly associated with the custom domain. The DNS is mapped with a CNAME to d-xxxxxxxxxx.execute-api.eu-south-1.amazonaws.com

Most of the time it works fine, but "sometimes" (let's say 5% to 10%) an incorrect certificate is returned and the connection fails.

Specifically, the subject CN is set as *.execute-api.eu-south-1.amazonaws.com instead of *.example.com.

See below examples of a "curl -v" call, where I replaced our custom domain with api.example.com and the IP address with 123.123.123.123:

SUCCESS call example:

curl --location 'https://api.example.com/check' --header 'Content-Type: application/json' --data '{}' -v
*   Trying 123.123.123.123:443...
* TCP_NODELAY set
* Connected to api.example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.example.com
*  start date: Feb 14 00:00:00 2023 GMT
*  expire date: Nov 15 23:59:59 2023 GMT
*  subjectAltName: host "api.example.com" matched cert's "*.example.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563914bbeb30)
> POST /AVM/check HTTP/2
> Host: api.example.com
> user-agent: curl/7.68.0
> accept: */*
> content-type: application/json
> content-length: 124
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
< HTTP/2 200 
< date: Fri, 30 Jun 2023 10:57:44 GMT
< content-type: application/json
< content-length: 121
< x-amzn-requestid: a2539ff0-56b6-4e7e-be1b-e52253296a89
< x-amz-apigw-id: HVE-UGEWMu8F0gA=
< x-amzn-trace-id: Root=1-649eb528-1f2b6b0f2c01686a7ca14df0;Sampled=0;lineage=6ad58234:0
< 
* Connection #0 to host api.example.com left intact
{}

ERROR call example:

curl --location 'https://api.example.com/check' --header 'Content-Type: application/json' --data '{}' -v
*   Trying 123.123.123.123:443...
* TCP_NODELAY set
* Connected to api.example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.execute-api.eu-south-1.amazonaws.com
*  start date: Mar 29 00:00:00 2023 GMT
*  expire date: Apr 26 23:59:59 2024 GMT
*  subjectAltName does not match api.example.com
* SSL: no alternative certificate subject name matches target host name 'api.example.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.example.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have been researching many posts online and carefully checking all the steps for custom domains and certificates, but I remain clueless.

How come this problem appears "sometimes"? If I add the curl option to ignore the certificate mismatch, I always get a successful response, which means the endpoint is always correctly reached; just the certificate is not correct on 5 to 10% of calls.

Thank you
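An added diagnostic, not part of the question or either answer: it parses curl -v transcripts like the two above, tallies verification failures per peer IP and leaf certificate CN (so a single bad endpoint address or a missing SNI mapping stands out), and includes a live probe that validates the chain but not the hostname so the CN can be read with and without SNI. The transcripts and the second IP 123.123.123.124 are constructed sample data.

```python
import re
import socket
import ssl
from collections import Counter
# Patterns for the lines of interest in a "curl -v" transcript (format as shown in the question).
CONNECTED = re.compile(r"^\* Connected to \S+ \((\S+)\) port \d+")
SUBJECT = re.compile(r"^\*\s+subject: .*?CN=([^;,]+)")
VERIFY_OK = re.compile(r"^\*\s+SSL certificate verify ok")

def parse_curl_verbose(transcript):
    """Extract peer IP, leaf certificate CN and verification result from one curl -v run."""
    ip, cn, verified = None, None, False
    for line in transcript.splitlines():
        if m := CONNECTED.match(line):
            ip = m.group(1)
        elif m := SUBJECT.match(line):
            cn = m.group(1).strip()
        elif VERIFY_OK.match(line):
            verified = True
    return {"ip": ip, "cn": cn, "verified": verified}

def summarize(observations):
    """Group runs by (peer IP, CN) so a bad endpoint or a missing SNI mapping stands out."""
    total = len(observations)
    failures = sum(1 for o in observations if not o["verified"])
    return {"total": total, "failures": failures,
            "failure_rate": failures / total if total else 0.0,
            "by_ip_and_cn": Counter((o["ip"], o["cn"]) for o in observations)}

def probe_leaf_cn(host, port=443, send_sni=True):
    """Live probe: validate the chain but not the hostname, so the CN is readable even when wrong."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so the chain is still checked
    with socket.create_connection((host, port), timeout=10) as raw, \
         ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
        subj = dict(x[0] for x in tls.getpeercert()["subject"])
        return tls.getpeername()[0], subj.get("commonName")

SAMPLE_RUNS = [  # constructed, modelled on the question's two transcripts; second IP is made up
    "* Connected to api.example.com (123.123.123.123) port 443 (#0)\n"
    "*  subject: CN=*.example.com\n*  SSL certificate verify ok.\n",
    "* Connected to api.example.com (123.123.123.124) port 443 (#0)\n"
    "*  subject: CN=*.execute-api.eu-south-1.amazonaws.com\n"
    "* SSL: no alternative certificate subject name matches target host name 'api.example.com'\n",
]

def sample_report():
    return summarize([parse_curl_verbose(t) for t in SAMPLE_RUNS])
```

To reproduce the 5 to 10% figure, loop `curl -v` a few hundred times, feed each transcript to `parse_curl_verbose`, and compare `probe_leaf_cn(host)` with `probe_leaf_cn(host, send_sni=False)` on any IP that shows the wrong CN.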

2 answers
1

Have you tried using an alias record rather than a CNAME record? https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-api-gateway.html

AWS
Sathesh
answered 10 months ago
0

Hi, did you also set up your custom domain as a regional one like API GTW? If not, that may be the cause. See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html

Hope it helps!

Didier

AWS
EXPERT
answered 10 months ago
  • Thanks, I double checked and yes, it's set as Regional in API GTW.
