SSL certificate error trying to access Neptune DB via nginx reverse proxy

I have two reverse proxies set up to access

  1. OpenSearch
  2. Neptune DB.

I use the public IP address of the EC2 instance in which nginx is running and can successfully get results using their URLs in the browser, either querying OpenSearch or Neptune DB with Gremlin (i.e.: https://ec2-public-address.amazonaws.com:NEPTUNEport/?gremlin=g.V().count().limit(2)).

However, when I try via gremlinpython client, I do not succeed due to an SSL certificate error.

import os

from gremlin_python.driver import client

# Neptune connection setup (endpoint and port come from the environment)
neptune_endpoint = os.environ.get('NEPTUNE_ENDPOINT')
neptune_port = os.environ.get('NEPTUNE_PORT')
neptune_uri = f'wss://{neptune_endpoint}:{neptune_port}/gremlin'
conn = client.Client(neptune_uri, 'g')


# Gremlin query to retrieve sentenceID from the 'Sentences' label
query_existing_IDs = """
g.V().hasLabel('Sentences').values('sentenceID').limit(2)
"""

# submit() returns a ResultSet; all() gives a future holding the result list
response = conn.submit(query_existing_IDs)
result = response.all().result()
print(result)

I get

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host xxxx.compute-1.amazonaws.com:xxxx ssl:True [SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'xxxx.compute-1.amazonaws.com'. (_ssl.c:1002)")] Unclosed client session client_session: <aiohttp.client.ClientSession object at 0x000001D6BBD25390>

I tried writing "127.0.0.1 localhost xxx.compute-1.amazonaws.com:xxxx" to my hosts file and saving it, but with no success.

PS: I do have to go through and forcedly ignore some warnings of an insecure website when querying the databases from the browser. Probably relates to the SSL certificate failing too.

Upvotes: 1

Views: 594

Answers (1)

Taylor Riggan

Reputation: 2769

So this is working as expected. The SSL certs used by the Neptune service are only signed using the related Neptune endpoints (cluster endpoint, reader endpoint, and associated instance endpoint). If you send an HTTP request (through a proxy, for example) then the host header for that request is not going to equal any of the hostnames used in creating the SSL cert. Hence the SSL cert invalid response.

From a security perspective, it is generally bad practice to ignore SSL cert validation when making requests to a given service. I would suggest one of two approaches to handle this:

  1. Establish a private connection to your VPC using a VPN connection (Site-to-Site or Client VPN connection), or
  2. Use an ALB or NLB with TLS/SSL termination. This will also require attaching an SSL certificate to the ALB/NLB and will require the use of your own domain name. But this would be the most secure method as the request to the ALB/NLB would pass SSL certificate validation as well as the backend request going from the ALB/NLB to Neptune.

An alternative to these approaches is to put your middle-tier/API layer within the AWS VPC where Neptune is hosted. And then only expose your API endpoints publicly. If using AWS API Gateway, this becomes even more secure as you can enable things like API throttling and even front the API Gateway with a Web Application Firewall (WAF).

Upvotes: 0
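The mismatch the answer describes can be reproduced without a network: TLS hostname verification compares the name the client dialed against the certificate's dNSName entries, not against what the name resolves to. The following is an added example, not code from the question, the answer, or the gremlinpython project; the SAN list is constructed with placeholder cluster names, and the matching function reimplements the leftmost-label wildcard rules Python's ssl module applies rather than calling it.

```python
"""Why the proxy hostname fails certificate validation (added example).

The SAN list below is constructed; a real Neptune certificate carries the
cluster, reader and instance endpoint names of one specific cluster.
"""
from __future__ import annotations

# Constructed stand-in for the dNSName entries a Neptune cluster certificate
# would carry (placeholder names, not a real cluster).
NEPTUNE_SAN = [
    "my-cluster.cluster-abc123.us-east-1.neptune.amazonaws.com",
    "my-cluster.cluster-ro-abc123.us-east-1.neptune.amazonaws.com",
    "my-instance.abc123.us-east-1.neptune.amazonaws.com",
]


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' matches any single non-empty label."""
    if pattern == "*":
        return bool(label)
    return pattern == label


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """True if hostname matches any dNSName in san_names.

    Rules mirror what Python's ssl module enforces: comparison is
    case-insensitive, a wildcard is allowed only as the entire leftmost
    label, and it matches exactly one label (so '*.example.com' does not
    cover 'example.com' or 'a.b.example.com').
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        # Wildcards anywhere but the leftmost label are rejected outright.
        if any("*" in p for p in pat_labels[1:]):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def explain(hostname: str, san_names: list[str]) -> str:
    """Verdict worded like the SSLCertVerificationError seen in the question."""
    if hostname_matches(hostname, san_names):
        return f"ok: certificate is valid for '{hostname}'"
    return (f"Hostname mismatch, certificate is not valid for '{hostname}'; "
            f"it covers {', '.join(san_names)}")


if __name__ == "__main__":
    # The client's view through the proxy: the EC2 public name is not in the SAN.
    print(explain("ec2-1-2-3-4.compute-1.amazonaws.com", NEPTUNE_SAN))
    # Dialing an endpoint name the certificate was issued for passes.
    print(explain("my-cluster.cluster-abc123.us-east-1.neptune.amazonaws.com",
                  NEPTUNE_SAN))
```

This is also why the hosts-file attempt in the question cannot help: a hosts entry only changes which address a name resolves to, while verification is keyed on the name itself, so the only verification-preserving options are the ones the answer lists: reach Neptune by one of its own endpoint names over a private path, or terminate TLS in front of it with a certificate issued for the name clients actually connect to.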
