AWS API Gateway integration with an NLB with ACM issued private cert resulting in SSL error

0

Here's my context

  • EC2 instances hosting a REST API microservice
  • A Network Load Balancer that fronts the EC2 instances with a port 443 Listener that has an ACM issued Private SSL cert installed on it
  • I have created a VPC link to that NLB.
  • Created an instance of the API Gateway and defined a method on it.

When I try to invoke the method, I get the following error as a result:

Execution failed due to....PKIX path building failed:...certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Why is it that the AWS API Gateway is encountering issues connecting to an NLB that uses an ACM issued Private cert?

Any help would be appreciated.

3 Answers
1
Accepted answer

I had the same issue. API Gateway does not accept private signed certificates, even from ACM. You'd need a validated public certificate. You can even use Letsencrypt.com or an Amazon Public Certificate validated by DNS. Here's the documentation of the accepted entities: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-supported-certificate-authorities-for-http-endpoints.html

answered a year ago
  • Yes ... that's exactly what we ended up doing after contacting AWS Support. I was informed that API Gateway does not accept private certs. So we had to get a proper cert and install that on the Listener, and that resolved the issue.
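As an added example that is not part of this thread: the script below reproduces the trust failure offline with the openssl CLI. It builds a constructed private CA (standing in for ACM Private CA) that issues the NLB listener certificate and an unrelated constructed root standing in for the public roots API Gateway trusts, then shows the same chain verifying only when the trust anchor matches; `check_listener` is the live pre-flight a practitioner would run against their own NLB hostname (placeholder), and all names and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the PKIX-style failure offline:
# a leaf cert for the NLB listener signed by a constructed private CA (stand-in for
# ACM Private CA) cannot be chained to a trust store that lacks that CA, which is the
# position API Gateway is in with private certs. Requires the openssl CLI.
set -eu

work=$(mktemp -d)

new_ca() {  # $1 = CA name, $2 = output prefix: constructed self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Two constructed CAs: the private one that signs the listener cert, and an
# unrelated one standing in for the public roots API Gateway trusts.
new_ca "Constructed Private CA" "$work/private_ca"
new_ca "Constructed Public Root" "$work/public_root"

# Leaf certificate for the NLB TLS listener, issued by the private CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=nlb.example.internal" \
  -keyout "$work/nlb.key" -out "$work/nlb.csr" >/dev/null 2>&1
openssl x509 -req -in "$work/nlb.csr" -CA "$work/private_ca.pem" \
  -CAkey "$work/private_ca.key" -CAcreateserial -days 1 \
  -out "$work/nlb.pem" >/dev/null 2>&1

verify_chain() {  # $1 = trust anchor bundle, $2 = leaf cert; prints ok or fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# What a client that only trusts public roots sees (API Gateway's position).
as_public_client() { verify_chain "$work/public_root.pem" "$work/nlb.pem"; }
# What a client that has the private CA installed sees (clients inside your VPC).
as_private_client() { verify_chain "$work/private_ca.pem" "$work/nlb.pem"; }

# Live pre-flight against a real listener (hostname is a placeholder); exits
# non-zero when the presented chain does not verify against the local trust store.
check_listener() {  # $1 = NLB hostname
  echo | openssl s_client -connect "$1:443" -servername "$1" -verify_return_error >/dev/null 2>&1
}

echo "public-roots client: $(as_public_client)"    # fail
echo "private-CA client:   $(as_private_client)"   # ok
```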

0

Just to double check with you, are you sure the integration type you chose is Proxy? Review this step-by-step guide to be 100% sure that your architecture is aligned with API GW private integrations: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-with-private-integration.html

Best,

AWS
answered a year ago
  • Hi Juan ... thank you very much for the reply. I don't understand the need for the Proxy integration. My API Gateway method invocation works if I have a plain TCP/80 listener on the NLB. But when I switch over to a TLS/443 listener endpoint with a private ACM cert on the NLB, I get this error. How can I set up my API Gateway integration so that I don't get this error?

0

The thing is that the behaviour changes depending on whether you are using SSL/TLS (port 443) or HTTP (port 80). With the second one the connection terminates at the APIGW, but no TLS negotiation is needed, so there are no checks like the domain name or similar. With an SSL/TLS connection the same occurs, but the TLS termination happens on API GW, not on your backend, so using the proxy mechanism the TLS will change the behaviour.

Best,

AWS
answered a year ago
