Synthetics canary doesn't pass certificate

0

We are using a canary to try and hit an API endpoint through a proxy. The connection requires mTLS, therefore we provide a key and certificate as part of the code. We've captured the traffic and we found out that the length of the certificate is 0, therefore we suspect that the canary doesn't pass it through. The canary is based on the Heartbeat monitoring blueprint. I added the following snippet from how-to-validate-authentication-with-self-signed-certificates-in-amazon-cloudwatch-synthetics as instructed and modified it a little bit.

        await page.setRequestInterception(true);

        const key = await getSecret(process.env.key);

        const cert = await getSecret(process.env.cert);

        log.info("Injecting request with certificate and key.");

        page.on("request", (interceptedRequest) => {
            const options = {
                method: interceptedRequest.method(),
                headers: interceptedRequest.headers(),
                body: interceptedRequest.postData(),
                cert: cert,
                key: key
            };
            const request = https
                .request(interceptedRequest.url(), options, function (response) {
                    response.on("data", function (data) {
                        interceptedRequest.respond({
                            status: response.statusCode,
                            contentType: response.headers["content-type"],
                            headers: response.headers,
                            body: data,
                        });
                    });
                })
                .on("error", function (err) {
                    console.error("Unable to call %s", options.uri, err);
                    return interceptedRequest.abort("connectionrefused");
                });
            request.end();
        });

The key and certificate are stored in secrets manager and are not empty.

asked 10 months ago, 242 views
1 Answer
0

It seems the issue with the certificate might be due to how it's being handled in your Canary script. Ensure the certificate and key are correctly formatted and retrieved.

Check the https.request setup to confirm the cert and key options are properly used. Also, log the certificate and key lengths to verify they are not empty.

You can try this piece of code for additional debugging on what you do.

    const https = require("https");

    await page.setRequestInterception(true);

    const key = await getSecret(process.env.key);
    const cert = await getSecret(process.env.cert);

    log.info("Injecting request with certificate and key.");
    log.info("Certificate length: ", cert.length);
    log.info("Key length: ", key.length);

    page.on("request", (interceptedRequest) => {
        const options = {
            method: interceptedRequest.method(),
            headers: interceptedRequest.headers(),
            cert: cert,
            key: key,
            rejectUnauthorized: false // Only for testing, should be true in production
        };

        const request = https
            .request(interceptedRequest.url(), options, function (response) {
                // Collect the chunks as Buffers so binary bodies are preserved.
                const chunks = [];
                response.on("data", function (data) {
                    chunks.push(data);
                });
                // Respond once, after the whole upstream response has arrived.
                response.on("end", function () {
                    interceptedRequest.respond({
                        status: response.statusCode,
                        contentType: response.headers["content-type"],
                        headers: response.headers,
                        body: Buffer.concat(chunks),
                    });
                });
            })
            .on("error", function (err) {
                console.error("Unable to call %s", interceptedRequest.url(), err);
                interceptedRequest.abort("connectionrefused");
            });

        // https.request has no "body" option, so the payload is written to the request.
        const postData = interceptedRequest.postData();
        if (postData) {
            request.write(postData);
        }
        request.end();
    });

EXPERT
answered 10 months ago
  • Thanks for the reply, I did add your snippet to my code. From the logs I see that the certificate and the key are not empty:

        2024-09-16T10:25:38.469Z INFO: Injecting request with certificate and key.
        2024-09-16T10:25:38.470Z INFO: Certificate length: 2302
        2024-09-16T10:25:38.470Z INFO: Key length: 1889

    Unfortunately besides that, it didn't provide me with any new information in the logs. Could it be that the Synthetics library might be removing the certificate during its run?
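
The length check above shows that the secrets are non-empty, not that they are well-formed PEM. The following is an added example, not code from this thread or from the Synthetics library, that checks the format of the strings returned by `getSecret`; `inspectPem`, `toPem` and the sample bytes are hypothetical and constructed for illustration, and it assumes the secrets are stored as PEM text.

```javascript
// Added example: inspectPem and toPem are hypothetical helper names.
function inspectPem(text, kind) {
  // kind is "CERTIFICATE" or "PRIVATE KEY" (also matches e.g. "RSA PRIVATE KEY").
  if (typeof text !== "string") {
    return [`value is ${typeof text}, expected a PEM string`];
  }
  const problems = [];
  if (text.trim().startsWith("{")) {
    problems.push("value looks like JSON; extract the PEM field from the secret first");
  }
  if (text.includes("\\n")) {
    problems.push("contains literal \\n sequences instead of line breaks");
  }
  const re = new RegExp(
    `-----BEGIN ((?:[A-Z]+ )?${kind})-----([\\s\\S]*?)-----END \\1-----`, "g");
  const blocks = [...text.matchAll(re)];
  if (blocks.length === 0) {
    problems.push(`no BEGIN/END ${kind} block found`);
  }
  for (const [, , body] of blocks) {
    const b64 = body.replace(/\s+/g, "");
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) {
      problems.push("block body is not valid base64");
      continue;
    }
    // Certificates and keys are both DER SEQUENCEs, so the first byte is 0x30.
    if (Buffer.from(b64, "base64")[0] !== 0x30) {
      problems.push("decoded block does not start with a DER SEQUENCE (0x30)");
    }
  }
  return problems;
}

// Constructed sample: DER-shaped filler bytes, not a real certificate or key.
const sampleDer = Buffer.concat([Buffer.from([0x30, 0x40]), Buffer.alloc(64, 7)]);
const toPem = (kind, der) =>
  `-----BEGIN ${kind}-----\n` +
  der.toString("base64").match(/.{1,64}/g).join("\n") +
  `\n-----END ${kind}-----\n`;
const goodCert = toPem("CERTIFICATE", sampleDer);
// The same PEM as it looks when its line breaks were stored as escaped text.
const escapedCert = goodCert.replace(/\n/g, "\\n");

console.log(inspectPem(goodCert, "CERTIFICATE"));    // no problems reported
console.log(inspectPem(escapedCert, "CERTIFICATE")); // two problems reported
```

In the canary, call it on the values returned by `getSecret` and log the returned list rather than the secret itself.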
