Infra overview
An API Gateway HTTP API with a custom domain name (let's use autocomplete.example.com) with Lambda integrations. I use an ACM-managed certificate for *.example.com. Everything has been working fine for more than a year. Then the government started banning AWS resources (by IP, or I don't know how they are banning them; we are having a hard time even accessing the AWS Console, and sometimes our websites hosted on CloudFront and APIs hosted on EC2 are also blocked). Today we are facing intermittent request failures to autocomplete.example.com. I checked with curl, and below is an unsuccessful request.
curl -i https://autocomplete.example.com/flight?q=lax -k
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to autocomplete.example.com:443
I checked with the openssl command too. Below are a successful and an unsuccessful request.
Successful request
openssl s_client -connect autocomplete.example.com:443 -servername example.com
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = *.execute-api.ap-southeast-1.amazonaws.com
verify return:1
Just one thing here: why is the certificate chain pointing to *.execute-api.ap-southeast-1.amazonaws.com?
Failed request
openssl s_client -connect autocomplete.example.com:443 -servername example.com
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Note: Since this is my very first time asking here, please forgive me if my question is out of format or needs more detail.
Update: I wrote a Python script that called autocomplete.example.com 100 times and printed the successful/failed request counts, and ran it on my laptop, which is in Myanmar (Burma), with around a 45% failure rate. I then ran the same script on an EC2 instance hosted in the Singapore region (the same as the API Gateway) and it had a 0% failure rate.
Why is the certificate chain pointing to *.execute-api.ap-southeast-1.amazonaws.com? Shouldn't it be *.example.com?
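Added example, not code from the original post: a Python probe that repeats the connection the way the 100-request script in the update does, but records at which stage each attempt stopped (TCP connect, reset during the TLS handshake, other TLS error, handshake completed) and which leaf certificate CN the server presented. The SNI value is settable independently of the host, like `openssl s_client -servername`. Both openssl runs in the post send `example.com` as the SNI rather than `autocomplete.example.com`, and API Gateway picks the certificate for a custom domain from the SNI name it receives, so running the probe with each SNI value shows whether the `*.execute-api...` certificate is tied to that. The host names, the counts in the test and the `_fake_probe` used there are constructed assumptions; nothing in this block is the asker's script.

```python
"""Probe a TLS endpoint repeatedly and tally at which stage each attempt fails.

Added diagnostic example (not the original poster's script). Stage labels:
  tcp_fail  - TCP connect refused/timed out (looks like an IP-level block)
  tls_reset - RST arrived during the handshake; this is what curl reports as
              "(35) ... Connection reset by peer" and openssl as "write:errno=104"
  tls_other - any other TLS failure (protocol error, chain verification failure)
  tls_ok    - handshake completed; detail holds the leaf certificate's CN
"""
import collections
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TCP_FAIL = "tcp_fail"
TLS_RESET = "tls_reset"
TLS_OTHER = "tls_other"
TLS_OK = "tls_ok"


@dataclass
class ProbeResult:
    stage: str
    detail: str = ""


def tls_probe(host: str, port: int = 443, sni: Optional[str] = None,
              timeout: float = 5.0) -> ProbeResult:
    """One attempt: TCP connect, then a TLS handshake sending `sni` (default: host)."""
    sni = sni or host
    ctx = ssl.create_default_context()
    # Chain verification stays on (CERT_REQUIRED), but host name checking is off
    # on purpose: with a deliberately mismatched SNI we want to *see* which
    # certificate the server selected rather than fail on the name mismatch.
    ctx.check_hostname = False
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ProbeResult(TCP_FAIL, str(e))
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            subject = dict(pair[0] for pair in cert.get("subject", ()))
            return ProbeResult(TLS_OK, subject.get("commonName", ""))
    except ConnectionResetError as e:          # RST while ClientHello/handshake in flight
        return ProbeResult(TLS_RESET, str(e))
    except (ssl.SSLError, OSError) as e:       # includes SSLEOFError (FIN, not RST)
        return ProbeResult(TLS_OTHER, str(e))


def run_probes(n: int, probe: Callable[[], ProbeResult]) -> Dict[str, Dict[str, int]]:
    """Run `probe` n times; return per-stage counts and the leaf CNs seen on success."""
    counts: collections.Counter = collections.Counter()
    leaf_cn: collections.Counter = collections.Counter()
    for _ in range(n):
        r = probe()
        counts[r.stage] += 1
        if r.stage == TLS_OK:
            leaf_cn[r.detail] += 1
    return {"counts": dict(counts), "leaf_cn": dict(leaf_cn)}


def failure_rate(summary: Dict[str, Dict[str, int]]) -> float:
    """Fraction of attempts that did not complete the handshake."""
    counts = summary["counts"]
    total = sum(counts.values())
    return 0.0 if total == 0 else 1.0 - counts.get(TLS_OK, 0) / total


if __name__ == "__main__":
    # usage: python probe.py autocomplete.example.com [sni] [attempts]
    host = sys.argv[1] if len(sys.argv) > 1 else "autocomplete.example.com"
    sni = sys.argv[2] if len(sys.argv) > 2 else host
    attempts = int(sys.argv[3]) if len(sys.argv) > 3 else 100
    result = run_probes(attempts, lambda: tls_probe(host, sni=sni))
    print(f"host={host} sni={sni} failure_rate={failure_rate(result):.0%}")
    for stage, count in sorted(result["counts"].items()):
        print(f"  {stage:10s} {count}")
    for cn, count in result["leaf_cn"].items():
        print(f"  leaf CN {cn!r} seen {count} times")
```

Run it twice from the affected network, once with the SNI left as the host and once with `example.com`, and once more from the Singapore EC2 instance. If the blocked attempts land almost entirely in `tls_reset` while `tcp_fail` stays at zero, the TCP connection is getting through and something on the path is resetting it after seeing the ClientHello, which is consistent with name-based rather than IP-based filtering; a run where the leaf CN changes with the SNI value shows the certificate selection following the SNI.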