[英]Hostname/IP does not match certificate's altnames
I'm working on a REST API that itself makes requests to another REST API -- basically, it provides a more convenient interface and also some extra functionality. I'm working on a REST API that itself makes requests to another REST API -- basically, it provides a more convenient interface and also some extra functionality. Let's call my REST API X and the REST API to which my API calls Y .
Let's call my REST API X and the REST API to which my API calls Y .
Whenever I make requests to the endpoints of Y on my machine with cURL, REST Client, etc;每当我使用 cURL、REST 客户端等向我的机器上的Y端点发出请求时; all requests are successful.
所有请求都成功。 Like I mentioned, my API X is acting as a wrapper to Y , so when I upload my API to aws Lambda and create the respective endpoints in API Gateway, when I make a request to one of the endpoints I get this message:
Like I mentioned, my API X is acting as a wrapper to Y , so when I upload my API to aws Lambda and create the respective endpoints in API Gateway, when I make a request to one of the endpoints I get this message:
Hostname/IP does not match certificate's altnames: Host: X.execute-api.us-west-2.amazonaws.com.
主机名/IP 与证书的替代名称不匹配:主机:X.execute-api.us-west-2.amazonaws.com。 is not in the cert's altnames: DNS:somehostname.com
不在证书的替代名称中:DNS:somehostname.com
So far, I have uploaded two lambdas with their respective endpoints, and the problem above only seems to be happening for one of the endpoints (the request to the other endpoint happens without problem).到目前为止,我已经上传了两个带有各自端点的 lambda,并且上面的问题似乎只发生在其中一个端点上(对另一个端点的请求没有问题)。
I would like to know why this is happening and if this is a problem on my side?我想知道为什么会这样,如果这对我来说是个问题? Meaning, is there something I am forgetting or something I can do -- except bypassing some security mechanism -- to fix this on my side?
意思是,有什么我忘记了或者我可以做些什么——除了绕过一些安全机制——来解决这个问题吗? Whenever I make requests to the original API Y on my machine I'm not getting any errors so I'm a bit puzzled by this.
每当我在我的机器上向原始 API Y发出请求时,我都没有收到任何错误,所以我对此有点困惑。
I think you're missing how SSL certificates work.我认为您缺少 SSL 证书的工作方式。 Depending on how the certificate is setup for "API Y" you can't just connect to a different server and have it work.
根据为“API Y”设置证书的方式,您不能只连接到不同的服务器并让它工作。 While you are conceptually a proxy to the real back end from the client perspective, you're a totally different host and the SSL certificate is for "API Y" only.
虽然从客户端的角度来看,您在概念上是真正后端的代理,但您是完全不同的主机,SSL 证书仅适用于“API Y”。
This is the same reason that you can't decide that you want to have an API named trustme.google.com
- you don't have control over the google.com
domain (presumably).这与您无法决定要拥有名为
trustme.google.com
的 API 的原因相同 - 您无法控制google.com
域(大概)。
If there is a way to change the hostname that your client connections are using (to something like proxy.yourdomain.tld
) then you can setup an SSL certificate for that domain and things should work.如果有办法更改您的客户端连接使用的主机名(更改为
proxy.yourdomain.tld
类的名称),那么您可以为该域设置一个 SSL 证书,并且一切正常。 However, at that point you may run into CORS issues - post again if you have that issue.但是,此时您可能会遇到 CORS 问题 - 如果您遇到该问题,请再次发布。
AWS documents how to setup your own SSL certificate for API gateway. AWS 记录了如何为 API 网关设置您自己的 SSL 证书。 It's pretty easy though if you have an existing certificate you may need to use the AWS certificate manager to get a (free) certificate for your API.
这很容易,但如果您有现有的证书,您可能需要使用 AWS 证书管理器为您的 API 获取(免费)证书。
I also developed a HTTP client -> APIG endpoint -> Lambda -> Host
application, where the Lambda
acts as a proxy between the client and the 3rd party Host.我还开发了一个
HTTP client -> APIG endpoint -> Lambda -> Host
应用程序,其中Lambda
充当客户端和第三方主机之间的代理。 My Lambda is written in Node.js.我的 Lambda 是用 Node.js 编写的。 I was getting this same exact error when the Lambda tried to invoke the 3rd party Host,
当 Lambda 尝试调用第 3 方主机时,我遇到了同样的错误,
{
"statusCode": 500,
"body": "Hostname/IP does not match certificate's altnames: Host: zyxfghsk.execute-api.us-east-1.amazonaws.com. is not in the cert's altnames: DNS:*.somehost.com, DNS:somehost.com"
}
My setup uses Lambda Proxy integration with APIG, and I pass the set of HTTP headers from the client as-is to the 3rd party Host.我的设置使用 Lambda 代理与 APIG 集成,我将 HTTP 标头集从客户端按原样传递给第 3 方主机。 I noticed the headers contained header
Host: zyxfghsk.execute-api.us-east-1.amazonaws.com
, which I think comes from the client.我注意到标题包含 header
Host: zyxfghsk.execute-api.us-east-1.amazonaws.com
,我认为它来自客户端。 So in the Lambda code, right before passing the request to the 3rd party Host, I just simply delete the Host
header from the request, and the problem went away.所以在 Lambda 代码中,在将请求传递给第 3 方主机之前,我只是简单地从请求中删除
Host
header,问题就消失了。 Another approach I was trying earlier, which also works, but not as ideal is that I was setting NODE_TLS_REJECT_UNAUTHORIZED=0
in the Node.js environment, which effectively disables SSL certificate validation by Node.js.我之前尝试的另一种方法也有效,但不太理想是我在 Node.js 环境中设置
NODE_TLS_REJECT_UNAUTHORIZED=0
,这有效地禁用了 Z3B2819DD4C249EDA2F1Z 的 SSL 证书验证。 I believe, though not 100% certain, that in my case at least the error was getting thrown by Node.js certificate validation.我相信,虽然不是 100% 肯定,但在我的情况下,至少 Node.js 证书验证会引发错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.