
I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:

  • Using ACM, created a certificate for vitalservices-3.docriot.com.
  • In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".
  • In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.

When I run

curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod

I get

{"message":"Missing Authentication Token"}

which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run

curl https://vitalservices-3.docriot.com -k

But if I drop the -k and run

curl https://vitalservices-3.docriot.com

I get

curl: (60) SSL certificate problem: Invalid certificate chain . . .

How can I fix this?

EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If I enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyway, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.

I've attached a screenshot of what I see when I click "Not Secure" in the URL bar and look at the certificate info.

  • Did you create a managed certificate in ACM or did you upload one? Does the machine you're testing on trust Amazon's root CA? This question would be much easier to solve if you shared the actual domain. – kichik Mar 14 '18 at 00:41
  • I used ACM to create a certificate for vitalservices-3.docriot.com. I don't think it's a CA issue, as I get the same behavior when I enter the URLs in Chrome on my OS X box. – Christopher Simmons Mar 14 '18 at 01:34
  • In the browser I get `ERR_CERT_COMMON_NAME_INVALID` because the certificate it serves is for `*.execute-api.us-east-1.amazonaws.com`. Did you try with an `A` record aliased to your API as the documentation suggests? – kichik Mar 14 '18 at 01:39
  • Which documentation, and wouldn't 82cgbm6s93.execute-api.us-east-1.amazonaws.com need a fixed IP address for an A record to work? – Christopher Simmons Mar 14 '18 at 01:44
  • It will be an aliased record, so Route53 will figure out the IP from the source. The documentation is [here](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html). – kichik Mar 14 '18 at 01:46
  • @ChristopherSimmons, you are not pointing your DNS record to the correct endpoint, I don't think. If the API is edge-optimized, your target will be a `cloudfront.net` hostname; if it's a regional endpoint, it should have a `d-` prefix at the beginning of the `execute-api` hostname. Show us the config from the Custom Domain Names screen in the API Gateway console. – Michael - sqlbot Mar 14 '18 at 02:51
  • kichik and Michael provided the answer. I changed Route53 to use an aliased A record, and I also changed the endpoint to the one with the "d-" prefix, and the certificate error is gone now. Thanks much. – Christopher Simmons Mar 14 '18 at 04:29
  • For anyone still following this, I am not using Route53 for DNS and did not need to create an alias A record. I simply had to use the "d-" prefix endpoint instead of the main (default?) API endpoint that AWS generates. The "d-" prefix endpoint is found in the API Gateway console within your custom domain configuration settings. – etipaced Mar 21 '21 at 20:45
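The diagnosis worked out in the comments above, as an added example that is not part of the original thread: the custom domain's CNAME pointed at the API's default `execute-api` host, which serves Amazon's `*.execute-api.<region>.amazonaws.com` certificate, so the name the client asked for never matched a subjectAltName. The code below applies the browser/curl host-name matching rules to constructed SAN lists, classifies where a DNS target actually points (default API endpoint, regional `d-` custom-domain target, or CloudFront edge target), and builds the Route 53 alias change batch kichik recommended. The `d-` host name and its hosted zone ID are placeholders, not values from the post.

```python
# Added example: host-name/SAN matching and API Gateway custom-domain DNS targets.
# All host names and SAN lists here are constructed for illustration.

# SANs as served by the default API endpoint (constructed to match the comments).
SANS_DEFAULT_ENDPOINT = ["*.execute-api.us-east-1.amazonaws.com",
                         "execute-api.us-east-1.amazonaws.com"]
# SANs of the ACM certificate attached to the custom domain (constructed).
SANS_ACM_CUSTOM_DOMAIN = ["vitalservices-3.docriot.com"]


def hostname_matches_san(hostname, san_dns_names):
    """RFC 6125-style check that browsers and curl perform: the requested
    host must equal a dNSName entry, or match a pattern whose single
    leading '*' covers exactly one label (so '*.docriot.com' matches
    'x.docriot.com' but not 'docriot.com' or 'a.b.docriot.com')."""
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            suffix = pat[2:]
            labels = host.split(".")
            # Wildcard may only replace the left-most label, and the host
            # must have at least three labels so the wildcard never spans a TLD.
            if len(labels) >= 3 and ".".join(labels[1:]) == suffix:
                return True
    return False


def classify_api_gateway_target(dns_target):
    """Tell apart the three host names that show up in this problem.
    Only the custom-domain targets present the ACM certificate."""
    t = dns_target.lower().rstrip(".")
    first = t.split(".")[0]
    if t.endswith(".cloudfront.net"):
        return "edge-custom-domain-target"
    if ".execute-api." in t and first.startswith("d-"):
        return "regional-custom-domain-target"
    if ".execute-api." in t:
        return "default-api-endpoint"
    return "unknown"


def diagnose(custom_domain, dns_target, served_sans):
    """Return (where the record points, whether the served cert is valid
    for the custom domain). A CNAME to the default endpoint yields
    ('default-api-endpoint', False), which is the curl: (60) case."""
    return (classify_api_gateway_target(dns_target),
            hostname_matches_san(custom_domain, served_sans))


def route53_alias_upsert(record_name, target_dns_name, target_hosted_zone_id):
    """ChangeBatch for Route 53 ChangeResourceRecordSets that creates the
    alias A record the AWS docs recommend. target_dns_name is the custom
    domain's regional target host (the 'd-' name) and target_hosted_zone_id
    is the regionalHostedZoneId API Gateway reports for it."""
    return {
        "Comment": "Alias to API Gateway regional custom domain",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": target_hosted_zone_id,
                    "DNSName": target_dns_name,
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


if __name__ == "__main__":
    # The situation in the question: CNAME to the raw API endpoint.
    print(diagnose("vitalservices-3.docriot.com",
                   "82cgbm6s93.execute-api.us-east-1.amazonaws.com",
                   SANS_DEFAULT_ENDPOINT))
    # After pointing at the custom domain's 'd-' target (placeholder host).
    print(diagnose("vitalservices-3.docriot.com",
                   "d-0123456789.execute-api.us-east-1.amazonaws.com",
                   SANS_ACM_CUSTOM_DOMAIN))
    print(route53_alias_upsert("vitalservices-3.docriot.com",
                               "d-0123456789.execute-api.us-east-1.amazonaws.com",
                               "ZEXAMPLEHOSTEDZONE"))
```

Note that even with the correct `d-` target, the client must send the custom host name in SNI (curl and browsers do by default); connecting by IP or with `--resolve` to the raw endpoint name will again get the `*.execute-api` certificate.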

3 Answers


The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.

You can download cacert.pem from curl's web site:

cacert.pem

More information about cacert.pem

John Hanley
  • See my edit. My guess is that Chrome isn't missing a certificate authorities file. – Christopher Simmons Mar 14 '18 at 01:06
  • Remember that your certificate must match the host name of the site that you are accessing. Since you are masking this information I cannot see what url you are using. – John Hanley Mar 14 '18 at 01:10
  • 1
    The certificate shown in the screenshot does not match my custom url, but I have no control over that certificate. It and the domain attached to it are owned by AWS. I think that what's happening is 1) I enter my custom URL into the browser. 2) The browser sees the CNAME record and then goes to the AWS url instead. 3) The browser gets the certificate associated with the AWS url. 4) The browser sees that the original URL that I entered doesn't match that certificate. There must be some way around this problem, but associating my own certificate with the custom domain seems to have no effect. – Christopher Simmons Mar 14 '18 at 01:30
  • And I accidentally did place the real url in my post, so I may as well point it out: https://vitalservices-3.docriot.com – Christopher Simmons Mar 14 '18 at 01:32

You need to ensure two things.

  1. The API Gateway endpoint type is the same as your custom domain name's, regional or edge.
  2. You have the right DNS configured for the domain.

Your cert in ACM should show the same allowed domain as your API Gateway custom domain.

We had the same problem, and the issue was that the DNS record was pointing to the API Gateway endpoint, not to the Target Domain Name endpoint of the Custom Domain Names. Because of this, the cert was coming for *.execute-.amazonaws.com.

Ankit Katiyar

The certificate you chose from the dropdown in Custom Domain of API Gateway does not satisfy the DNS name you're hitting. Only vitalservices-3.docriot.com or *.docriot.com is valid from ACM. Changing the SSL certificate to the one mentioned will resolve this.

Uzayr