AWS API Gateway integration with an NLB with ACM issued private cert resulting in SSL error

0

Here's my context

  • EC2 instances hosting a REST API microservice
  • A Network Load Balancer that fronts the EC2 instances with a port 443 Listener that has an ACM issued Private SSL cert installed on it
  • I have created a VPC link to that NLB.
  • Created an instance of the API Gateway and defined a method on it.

When I try to invoke the method, I get the following error as a result:

Execution failed due to....PKIX path building failed:...certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Why is it that the AWS API Gateway is encountering issues connecting to an NLB that uses an ACM-issued private cert?

Any help would be appreciated.

3 Answers
1
Accepted Answer

I had the same issue. API Gateway does not accept privately signed certificates, even from ACM. You'd need a validated public certificate. You can even use Letsencrypt.com or an Amazon public certificate validated by DNS. Here's the documentation of the accepted entities: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-supported-certificate-authorities-for-http-endpoints.html

answered a year ago
  • Yes ... that's exactly what we ended up doing after contacting AWS Support. I was informed that API Gateway does not accept private certs. So we had to get a proper cert and install that on the Listener, and that resolved the issue.

0

Just to double check with you, are you sure the integration type you chose is Proxy? Review this step-by-step guide to be 100% sure that your architecture is aligned with API GW private integrations: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-with-private-integration.html

Best,

answered a year ago
  • Hi Juan ... thank you very much for the reply. I don't understand the need for the Proxy integration. My API Gateway method invocation works if I have a plain TCP/80 listener on the NLB. But when I switch over to a TLS/443 listener endpoint with a private ACM cert on the NLB, I get this error. How can I set up my API Gateway integration so that I don't get this error?

0

The thing is that the behaviour changes depending on whether you are using SSL/TLS (port 443) or HTTP (port 80). With the second one the connection terminates at the API GW, but no TLS negotiation is needed, so there are no checks like the domain name or similar. With an SSL/TLS connection the same occurs, but the TLS termination happens on API GW, not on your backend, so using the proxy mechanism the TLS will change the behaviour.

Best,

answered a year ago