The issue you're experiencing with the AWS SDK for C++ on Amazon Linux 2023 while trying to invoke an API Gateway endpoint is likely related to SSL certificate verification. Since the problem is resolved when you set `verifySSL = false`, it suggests that the SDK is unable to verify the SSL certificate of the API Gateway endpoint on the Amazon Linux system.
To resolve this issue without disabling SSL verification, you can try the following approaches:
- Update the CA certificates: Ensure that your Amazon Linux 2023 instance has up-to-date CA certificates. You can update them using the package manager:

  ```sh
  sudo yum update ca-certificates
  ```

- Specify the CA bundle path: If updating the certificates doesn't resolve the issue, you can explicitly specify the path to the CA bundle in your AWS SDK configuration:

  ```cpp
  Aws::Client::ClientConfiguration ClientConfig;
  ClientConfig.caFile = "/etc/pki/tls/certs/ca-bundle.crt";
  ```
- Use a custom HTTP client: The AWS SDK for C++ allows you to override the default HTTP client. On Linux, the default HTTP client is curl. You can create a custom HTTP client factory that uses curl with system certificates:

  ```cpp
  #include <aws/core/http/HttpClientFactory.h>
  #include <aws/core/http/curl/CurlHttpClient.h>

  // Allocation tag passed to the SDK's memory-management hooks; any string works.
  static const char ALLOCATION_TAG[] = "MyApp";

  auto httpClientFactory = Aws::MakeShared<Aws::Http::CurlHttpClientFactory>(ALLOCATION_TAG);
  Aws::Http::SetHttpClientFactory(httpClientFactory);
  ```

  Make sure your SDK is built with curl support, which is the default for Linux systems.
- Check system time: Ensure that your Amazon Linux 2023 instance has the correct system time, as certificate validation can fail if the system clock is significantly off.

- Verify DNS resolution: Make sure your system can properly resolve the API Gateway endpoint's domain name.
If none of these solutions work, you may need to investigate further by enabling detailed logging in the AWS SDK to identify the specific SSL verification error.
Remember, disabling SSL verification (setting `verifySSL = false`) should only be used for testing purposes and never in a production environment, as it compromises the security of your application.
Sources
Override your HTTP client - AWS SDK for C++
Hello,
When setting `verifySSL = false`, the invoke is successful. This means that the issue might be related to SSL/TLS certificate verification, because when you disable certificate verification, the client will not validate the server's SSL/TLS certificate.
To troubleshoot the issue, you can follow the below steps:
- Make sure you have installed the root CA in your Amazon Linux 2023 instance: https://docs.aws.amazon.com/linux/al2023/ug/SSL-on-amazon-linux-2023.html

- Update CA certificates. You can use the command:

  ```sh
  sudo yum update ca-certificates
  ```

- Set the system's CA bundle for certificate verification by explicitly setting the caBundle or caFile path in the ClientConfiguration.

- Enable verbose logging in the AWS SDK to get more information about the SSL handshake:

  ```cpp
  #include <aws/core/utils/logging/AWSLogging.h>
  #include <aws/core/utils/logging/ConsoleLogSystem.h>

  // Trace-level console logging; the SDK logs the curl/TLS handshake at this level.
  Aws::Utils::Logging::InitializeAWSLogging(
      Aws::MakeShared<Aws::Utils::Logging::ConsoleLogSystem>(
          "RunTimeLog", Aws::Utils::Logging::LogLevel::Trace));
  ```

  You can verify the logs to get more information about the SSL/TLS handshake process and any errors that might be occurring.
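Both answers above list the same checks (CA bundle present and current, clock correct, hostname resolvable, chain verifiable against the system bundle) but leave the reader to run them by hand. The script below is an added example, not code from either answer or from the AWS SDK, that performs those checks from the shell on the Amazon Linux 2023 host and maps the `openssl s_client` verify result to the matching fix. It assumes the AL2023 bundle path `/etc/pki/tls/certs/ca-bundle.crt` (overridable via `CA_BUNDLE`) and takes the API Gateway hostname as its first argument; the `openssl` output lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added diagnostic for TLS verification failures against an API Gateway endpoint.
# Not part of the answers above; assumes AL2023 paths and OpenSSL 1.1+ (for -verify_hostname).

CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Number of PEM certificates in a bundle file; prints 0 if the file is missing or unreadable.
count_bundle_certs() {
    bundle="$1"
    [ -r "$bundle" ] || { echo 0; return 0; }
    grep -c 'BEGIN CERTIFICATE' "$bundle" || true   # grep -c exits 1 on zero matches
}

# Read `openssl s_client` output on stdin and map its "Verify return code" line to a cause.
# Sample (constructed) input line: "    Verify return code: 20 (unable to get local issuer certificate)"
# Codes are OpenSSL X509_V_ERR_* values.
classify_verify() {
    code=$(sed -n '/Verify return code:/{s/.*Verify return code: \([0-9]*\).*/\1/p;q;}')
    case "$code" in
        0)            echo "ok" ;;
        9|10)         echo "clock-skew" ;;         # not yet valid / expired: suspect the system clock
        18|19|20|21)  echo "missing-ca" ;;         # self-signed or no local issuer: CA bundle problem
        62)           echo "hostname-mismatch" ;;  # certificate does not match the connected name
        "")           echo "no-verify-line" ;;     # handshake never reached verification (DNS, network)
        *)            echo "other:$code" ;;
    esac
}

# Remediation for each classification, following the steps in the answers above.
suggest_fix() {
    case "$1" in
        ok)                echo "system TLS verification works; check ClientConfiguration.caFile and SDK trace logs next" ;;
        clock-skew)        echo "correct the system clock (chronyc tracking; systemctl status chronyd)" ;;
        missing-ca)        echo "run 'sudo yum update ca-certificates' or set ClientConfiguration.caFile to $CA_BUNDLE" ;;
        hostname-mismatch) echo "verify against the hostname the SDK actually connects to (invoke URL or custom domain)" ;;
        no-verify-line)    echo "no verify result: check DNS (getent hosts) and outbound TCP/443 reachability" ;;
        *)                 echo "inspect the full s_client output for X509 error ${1#other:}" ;;
    esac
}

# Full diagnosis against a live endpoint: bundle, clock, DNS, then the TLS handshake.
tls_diagnose() {
    host="$1"
    echo "CA bundle $CA_BUNDLE: $(count_bundle_certs "$CA_BUNDLE") certificates"
    echo "System time (UTC): $(date -u)"
    getent hosts "$host" >/dev/null || { echo "DNS: cannot resolve $host"; return 1; }
    result=$(openssl s_client -connect "$host:443" -servername "$host" \
                 -verify_hostname "$host" -CAfile "$CA_BUNDLE" </dev/null 2>&1 \
             | classify_verify)
    echo "Verification: $result"
    echo "Next step: $(suggest_fix "$result")"
    [ "$result" = "ok" ]
}

# Only run the live diagnosis when a hostname is given, so the functions can be sourced alone.
if [ $# -gt 0 ]; then
    tls_diagnose "$1"
fi
```

Run it as `sh tls-diagnose.sh abc123.execute-api.us-east-1.amazonaws.com` (hostname constructed for illustration). If `classify_verify` reports `ok` while the SDK still fails, the system bundle is fine and the problem is in the SDK configuration itself, which is when setting `caFile` explicitly and enabling trace logging, as the answers describe, pays off.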