I have an API site in AWS API Gateway. The SSL certificate is managed by ACM, and it has a wildcard that matches any subdomain (e.g. *.mydomain.net). I could access my API until I renamed the subdomain. Now, hitting my API in Chrome yields ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Here's what happens in OpenSSL:

    BASH:portal-api$ openssl s_client -connect $DOMAIN:443 -servername $DOMAIN
    CONNECTED(00000006)
    140735636259784:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_clnt.c:541:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 363 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    ---

And the certificate uses the following:

Public key info:        RSA 2048-bit
Signature algorithm:    SHA256WITHRSA

Just a normal, ACM certificate. Ideas?

  • What do you mean, *"renamed my subdomain?"* – Michael - sqlbot May 15 '18 at 22:49
  • I changed the custom domain name and associated Route53 record from, for example, abc.mydomain.com to xyz.mydomain.com. – user3720176 May 15 '18 at 22:52
  • There aren't any extra dots in the name, are there? Like the first one in `foo.bar.example.com`, right? That won't match `*.example.com`. – Michael - sqlbot May 15 '18 at 23:14
  • Correct. Route53 won't let you add a dot in the subdomain token, so you have to use dashes as delimiters. `dev-api.mydomain.com` is legit, and it matches the wildcard cert. – user3720176 May 16 '18 at 00:13
  • I am assuming you are using a custom domain name for an edge-optimized API. In Route53 record-set for "dev-api.mydomain.com", do you map it with the generated CloudFront distribution (this is generated when you create the custom domain name in API Gateway) via a CNAME/Alias ? – Denis Weerasiri May 16 '18 at 11:59
  • It is an edge-optimized API. The record set maps an ALIAS to the generated CloudFront distribution. – user3720176 May 16 '18 at 15:58
  • Out of curiosity, were you attempting this on a work computer? I have the same issue on my work computer, but not others. I am a bit curious if it has to do with the endpoint "security" on my work laptop... – Digital Impermanence Dec 29 '18 at 19:03

0 Answers
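The thread leaves two things to verify: whether the new name is actually covered by the wildcard under the single-label rule raised in the comments (`foo.bar.example.com` does not match `*.example.com`), and what the server negotiates when SNI is sent, since the `openssl s_client` output above fails before any certificate is returned. The script below is an added example, not code from the question or from AWS; it uses only the Python standard library. `wildcard_matches` implements the RFC 6125 rule (a `*` may only be the entire leftmost label and matches exactly one label), and `probe_tls` performs a handshake with SNI and reports the protocol, cipher and SAN list, or the handshake error if the server rejects the connection before presenting a certificate. The hostnames and SAN list at the bottom are constructed sample values.

```python
"""Added example: check wildcard-certificate coverage and probe a TLS
endpoint with SNI. Not part of the original question."""
import socket
import ssl
import sys


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match.

    A '*' is accepted only as the whole leftmost label and matches exactly
    one label, so '*.example.com' covers 'api.example.com' but not
    'foo.bar.example.com' and not the bare 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('a*.example.com') and wildcards in other labels.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard consumes exactly one label: label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    # The hostname's leftmost label must be non-empty; the rest must match.
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dns_names) -> bool:
    """True if any dNSName SAN entry covers the hostname."""
    return any(wildcard_matches(name, hostname) for name in san_dns_names)


def probe_tls(host: str, port: int = 443, servername: str = None,
              timeout: float = 5.0) -> dict:
    """Handshake with SNI and report what the server negotiated.

    Returns {'ok': True, 'protocol', 'cipher', 'san', 'covers'} on success,
    or {'ok': False, 'error'} if the server rejects the handshake (for
    example with a handshake_failure alert before sending a certificate).
    """
    servername = servername or host
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                cert = tls.getpeercert()
                san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "san": san,
                    "covers": cert_covers(servername, san),
                }
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed sample SAN list, as a wildcard ACM certificate would carry.
    sample_san = ["*.mydomain.net", "mydomain.net"]
    for name in ("dev-api.mydomain.net", "foo.bar.mydomain.net", "mydomain.net"):
        print(f"{name:28s} covered={cert_covers(name, sample_san)}")
    # Optional live probe: python3 probe.py <hostname>
    if len(sys.argv) > 1:
        print(probe_tls(sys.argv[1]))
```

Run it with a hostname argument to perform the live probe; without one it only exercises the offline coverage check. If `probe_tls` returns `ok: False` with a handshake error, the server never got as far as presenting a certificate, so the SAN check cannot run and the problem lies in how the endpoint is bound to that server name rather than in the certificate's contents.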