AWSCppSDK Http request not working with AmazonLinux for some reason

0

I am trying to invoke an API Gateway endpoint using CPP SDK. The script is running fine on Windows. But when deployed on Amazon Linux 2023, I get response -1,REQUEST_NOT_MADE.

Aws::Client::ClientConfiguration ClientConfig;

If I do ClientConfig.verifySSL = false; I am getting proper response and client is communicating with the server. So I wonder what should I do to make the code work without setting verifySSL to false.

Curl works on the endpoint. The endpoint is https API Gateway with certificate from AWS certificate manager. So server side SSL certificate issue doesn't seem to be the issue here.

How to resolve this?

2 Answers
0

The issue you're experiencing with the AWS SDK for C++ on Amazon Linux 2023 while trying to invoke an API Gateway endpoint is likely related to SSL certificate verification. Since the problem is resolved when you set verifySSL = false, it suggests that the SDK is unable to verify the SSL certificate of the API Gateway endpoint on the Amazon Linux system.

To resolve this issue without disabling SSL verification, you can try the following approaches:

  1. Update the CA certificates: Ensure that your Amazon Linux 2023 instance has up-to-date CA certificates. You can update them using the package manager:

    sudo yum update ca-certificates
    
  2. Specify the CA bundle path: If updating the certificates doesn't resolve the issue, you can explicitly specify the path to the CA bundle in your AWS SDK configuration:

    Aws::Client::ClientConfiguration ClientConfig;
    ClientConfig.caFile = "/etc/pki/tls/certs/ca-bundle.crt";

  3. Use a custom HTTP client: The AWS SDK for C++ allows you to override the default HTTP client. On Linux, the default HTTP client is curl. You can create a custom HTTP client factory that uses curl with system certificates:

    #include <aws/core/http/curl/CurlHttpClient.h>
    
    auto httpClientFactory = Aws::MakeShared<Aws::Http::CurlHttpClientFactory>(ALLOCATION_TAG);
    Aws::Http::SetHttpClientFactory(httpClientFactory);

    Make sure your SDK is built with curl support, which is the default for Linux systems.

  4. Check system time: Ensure that your Amazon Linux 2023 instance has the correct system time, as certificate validation can fail if the system clock is significantly off.

  5. Verify DNS resolution: Make sure your system can properly resolve the API Gateway endpoint's domain name.

If none of these solutions work, you may need to investigate further by enabling detailed logging in the AWS SDK to identify the specific SSL verification error.

Remember, disabling SSL verification (setting verifySSL = false) should only be used for testing purposes and never in a production environment, as it compromises the security of your application.
Sources
Override your HTTP client - AWS SDK for C++

answered 13 days ago
0

Hello,

When setting verifySSL = false, the invoke is successful. This means that the issue might be related to SSL/TLS certificate verification, because when you disable certificate verification, the client will not validate the server's SSL/TLS certificate.

To troubleshoot the issue, you can follow the below steps:

  1. Make sure you have installed the root CA in your AmazonLinux 2023 instance.

[+] https://docs.aws.amazon.com/linux/al2023/ug/SSL-on-amazon-linux-2023.html

  2. Update CA certificates. You can use the command: sudo yum update ca-certificates

  3. Set the system's CA bundle for certificate verification by explicitly setting the caBundle or caFile path in the ClientConfiguration.

  4. Enable verbose logging in the AWS SDK to get more information about the SSL handshake:

    Aws::Utils::Logging::InitializeAWSLogging(
        Aws::MakeShared<Aws::Utils::Logging::ConsoleLogSystem>(
            "RunTimeLog", Aws::Utils::Logging::LogLevel::Trace));

You can verify the logs to get more information about the SSL/TLS handshake process and any errors that might be occurring.

AWS
answered 12 days ago
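
Both answers suggest pointing the SDK at the system CA bundle through caFile. The following is an added example, not code from the thread or from the AWS SDK: a standard-library helper that picks the first candidate file containing at least one complete PEM certificate, so the program can fail closed instead of falling back to verifySSL = false. The names CountPemCerts, FindCaBundle and kDefaultCaBundles, and every candidate path other than /etc/pki/tls/certs/ca-bundle.crt, are assumptions.

```cpp
#include <cstddef>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// Count complete PEM certificate blocks in a file. Returns 0 when the file is
// missing, unreadable, empty or truncated mid-certificate. This is a structural
// check only; it does not parse or validate the certificates themselves.
std::size_t CountPemCerts(const std::string& path) {
    std::ifstream in(path);
    if (!in) return 0;
    std::size_t count = 0;
    bool inside = false;
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        if (line == "-----BEGIN CERTIFICATE-----") {
            inside = true;
        } else if (line == "-----END CERTIFICATE-----" && inside) {
            ++count;
            inside = false;
        }
    }
    return count;
}

// Return the first candidate that holds at least one certificate, or an empty
// string when none does.
std::string FindCaBundle(const std::vector<std::string>& candidates) {
    for (const auto& path : candidates)
        if (CountPemCerts(path) > 0) return path;
    return {};
}

const std::vector<std::string> kDefaultCaBundles = {
    "/etc/pki/tls/certs/ca-bundle.crt",    // path given in the answer above
    "/etc/ssl/certs/ca-certificates.crt",  // assumed: Debian/Ubuntu location
    "/etc/ssl/cert.pem",                   // assumed: Alpine and others
};

int main() {
    const std::string bundle = FindCaBundle(kDefaultCaBundles);
    if (bundle.empty()) {
        std::cerr << "no usable CA bundle found; refusing to continue\n";
        return 1;  // fail closed: do not set verifySSL = false as a fallback
    }
    std::cout << bundle << " (" << CountPemCerts(bundle) << " certs)\n";
    // With the SDK: ClientConfig.caFile = bundle.c_str();
    return 0;
}
```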