Api Gateway sometimes returns wrong certificate for my custom domain

0

I am calling an API Gateway Regional endpoint trough a custom domain SSL address, certificate is correctly associated to the custom domain. The DNS is mapped with a CNAME to d-xxxxxxxxxx.execute-api.eu-south-1.amazonaws.com

Most of the time it works fine, but "sometimes" (let's say 5% to 10%) an incorrect certificate is returned and the connection fails.

Specifically subject: CN is set as *.execute-api.eu-south-1.amazonaws.com instead of *.example.com.

See below examples with "curl -v" call where I replaced our custom domain with api.example.com and IP address with 123.123.123.123:

SUCCESS call example:

curl --location 'https://api.example.com/check' --header 'Content-Type: application/json' --data '{}' -v
*   Trying 123.123.123.123:443...
* TCP_NODELAY set
* Connected to api.example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.example.com
*  start date: Feb 14 00:00:00 2023 GMT
*  expire date: Nov 15 23:59:59 2023 GMT
*  subjectAltName: host "api.example.com" matched cert's "*.example.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563914bbeb30)
> POST /AVM/check HTTP/2
> Host: api.example.com
> user-agent: curl/7.68.0
> accept: */*
> content-type: application/json
> content-length: 124
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
< HTTP/2 200 
< date: Fri, 30 Jun 2023 10:57:44 GMT
< content-type: application/json
< content-length: 121
< x-amzn-requestid: a2539ff0-56b6-4e7e-be1b-e52253296a89
< x-amz-apigw-id: HVE-UGEWMu8F0gA=
< x-amzn-trace-id: Root=1-649eb528-1f2b6b0f2c01686a7ca14df0;Sampled=0;lineage=6ad58234:0
< 
* Connection #0 to host api.example.com left intact
{}

ERROR call example:

curl --location 'https://api.example.com/check' --header 'Content-Type: application/json' --data '{}' -v
*   Trying 123.123.123.123:443...
* TCP_NODELAY set
* Connected to api.example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.execute-api.eu-south-1.amazonaws.com
*  start date: Mar 29 00:00:00 2023 GMT
*  expire date: Apr 26 23:59:59 2024 GMT
*  subjectAltName does not match api.example.com
* SSL: no alternative certificate subject name matches target host name 'api.example.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.example.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I am been researching may posts online and carefully checking all the steps for custom domain and certificates but I remain clueless.

How comes this problem appears "sometimes"? If I add to curl the option to ignore certificate mismatch I always get successful response which means the endpoint is always correctly reached just the certificat is not correct on 5 to 10% of calls.

Thank you

2 Answers
1

Have you tried using an alias record rather than a CNAME record? https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-api-gateway.html

AWS
Sathesh
answered a year ago
0

Hi, did you also set up your custom domain also as a regional one like API GTW? If not, that may be the cause See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html

Hope it helps!

Didier

profile pictureAWS
EXPERT
answered a year ago
  • Thanks I double checked and yes, it's set as Regional in API GTW.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions