Reputation: 143
AWS ACM verified ALB SSL issue
I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.
I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:
Name: _xxxxxxxxxxx.test.example.com
Type: CNAME
Value: xxxxxx.xxx.acm-validations.aws.
I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.
cURL:
Code:
curl -X POST \
https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi \
-H 'Content-Type: application/json' \
-H 'cache-control: no-cache' \
-d '{
"paras1": "xxxxx"
}'
Error:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=test.example.com
* start date: Nov 11 00:00:00 2018 GMT
* expire date: Dec 11 12:00:00 2019 GMT
* subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
Python Requests:
Code:
import requests
url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"
payload = "{\"paras1\": \"xxxxx\"}"
headers = {
'Content-Type': "application/json",
'cache-control': "no-cache"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Error:
HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443):
Max retries exceeded with url: /prod/testapi
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))
Upvotes: 1
Views: 3233
Answers (2)
Reputation: 1968
Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).
Upvotes: 1
Reputation: 178956
I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)
That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:
url = "https://test.example.com/prod/testapi"
Upvotes: 3
Related Questions
- Certificate authority SSL using AWS load balancer
- AWS Certificate Manager - How to create public certificate for internal ALB?
- How to setup SSL for EC2 with ACM?
- Getting net::ERR_CERT_COMMON_NAME_INVALID when accessing AWS ALB
- Imported SSL Cert not listed for ALB Listener
- Setting up HTTPS for ELB and EC2
- AWS Certificate Manager (ACM Certificate) with Elastic Beanstalk
- AWS ACM SSL Protocol error
- AWS ELB Server certificate trust
- SSL Error on using Amazon ELB