
AWS ACM verified ALB SSL issue

I have set up HTTPS on an AWS Application Load Balancer listener using an ACM certificate.

I requested a public certificate for a subdomain from ACM, test.example.com, and created a CNAME in Route 53 for it:

Name: _xxxxxxxxxxx.test.example.com

Type: CNAME

Value: xxxxxx.xxx.acm-validations.aws.

I can use the DNS name of the ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in Postman; however, when I use Python requests or cURL to call the same API, it always tells me there is some issue with the SSL.

cURL:

Code:

curl -X POST \
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -d '{
    "paras1": "xxxxx"
}'

Error:

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=test.example.com
*  start date: Nov 11 00:00:00 2018 GMT
*  expire date: Dec 11 12:00:00 2019 GMT
*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'

Python Requests:

Code:

import requests

url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

payload = "{\"paras1\": \"xxxxx\"}"
headers = {
    'Content-Type': "application/json",
    'cache-control': "no-cache"
    }

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

Error:

HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
Max retries exceeded with url: /prod/testapi 
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))

I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)

That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:

url = "https://test.example.com/prod/testapi"

Clearly, you call xxxx.us-east-1.elb.amazonaws.com, which is set up with a certificate for test.example.com. Although the certificate may be valid, it does not match the URL you are calling, which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

Edit: thanks for the comment. I am not sure how I read "elb" as an API gateway. My fault. Still, the DNS name for the ELB has to match the one in the certificate. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).
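As an added illustration (not code from the question or either answer), the following shows the hostname check that curl and requests apply to the certificate's subjectAltName, which is why the ALB's own DNS name fails while test.example.com matches, and a way to test the listener through the ALB DNS name while still verifying test.example.com, as you would before the CNAME exists. The ALB and certificate names are placeholders taken from the question.

```python
import socket
import ssl

# Placeholder names from the question: the ALB's DNS name and the hostname
# the ACM certificate was issued for.
ALB_DNS = "xxxx.us-east-1.elb.amazonaws.com"
CERT_HOST = "test.example.com"


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Mirrors what curl and requests check: a case-insensitive exact match, or a
    wildcard that stands in for exactly one label in the left-most position.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans several labels
        if san_labels == host_labels:
            return True
        # "*" must be the whole left-most label and must not cover an apex like *.com
        if (san_labels[0] == "*" and len(san_labels) > 2 and host_labels[0]
                and san_labels[1:] == host_labels[1:]):
            return True
    return False


def check_certificate(connect_host: str, expected_host: str, port: int = 443):
    """Connect to connect_host (e.g. the ALB DNS name) but present expected_host
    as the SNI and verified hostname, exactly as a client will once DNS points there.

    Verification stays enabled: a mismatch raises ssl.SSLCertVerificationError
    rather than being silenced. Returns the DNS SANs of the presented certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=expected_host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline reproduction of the error in the question: the ACM certificate
    # only carries test.example.com, so the ALB's own name cannot match it.
    print(hostname_matches(ALB_DNS, [CERT_HOST]))    # False
    print(hostname_matches(CERT_HOST, [CERT_HOST]))  # True
    # Live check (needs network): validate test.example.com against the ALB
    # without changing DNS first.
    # print(check_certificate(ALB_DNS, CERT_HOST))
```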

粤ICP备18138465号  © 2020-2024 STACKOOM.COM