
I have a simple HTTP API created using AWS API Gateway that uses a Lambda integration to return some data. I have also configured it with a custom DN using Route 53 (CNAME).

Recently I have been getting the following error when making a call to the endpoint:

Error: Hostname/IP does not match certificate's altnames: Host: xxxxxx. is not in the 
cert's altnames:DNS:*.execute-api.eu-west-2.amazonaws.com

Can anyone help with why this is happening? I have set up a certificate for my custom domain using AWS Certificate Manager as well, so it's all AWS services, but for some reason it's just stopped working?

Thanks, Andrew


Edit: I am weirdly getting this issue intermittently, when I make a call to the API in a browser I get the following error:

This server could not prove that it is api.xxxx.co.uk; 
its security certificate is from *.execute-api.eu-west-2.amazonaws.com. 
This may be caused by a misconfiguration or an attacker 
intercepting your connection.

Then it goes away and it works again? HUH? Any ideas?

Andrew Kew
  • Where is your certificate applied? When you say you setup a certificate, to what specifically did you install/apply that certificate to? – Todd Price Jul 28 '20 at 13:21
  • Hi Todd, thanks for your help. So I set up an Amazon-issued SSL certificate for my subdomain, i.e. api.xxx.com. Then in AWS API Gateway I added a new custom domain name (regional endpoint type), set this subdomain api.xxx.com and chose the certificate in the search box given. – Andrew Kew Jul 28 '20 at 13:29
  • And you're using that subdomain when calling the endpoint? – Todd Price Jul 28 '20 at 22:42
  • Hi Todd. Yes, correct, when I am making my API call (for example from Postman) I am making the call using https://api.xxx.com and am getting the error. But the API itself is fine, because if I use the original AWS-generated domain, the one that is CNAME'd to my domain, it works without a problem. – Andrew Kew Jul 29 '20 at 13:25
  • Maybe you are accessing the URL with www where only the `domain.com` is registered in ACM without www? – Pubudu Jayawardana Jul 29 '20 at 13:51
  • Hi Pubudu - no, the subdomain that I am using is api.xxx.com and that is what I am using to access the API endpoint, and this is the same subdomain that is registered to my SSL certificate as well as the same subdomain that is configured in my AWS API Gateway API as a custom domain. – Andrew Kew Jul 29 '20 at 13:57
  • BTW, my certificate is registered with ACM as api.xxx.com, not xxx.com. – Andrew Kew Jul 29 '20 at 13:58

1 Answer

OK, I have found what the problem is thanks to the following post.

If you look at the comments under the original post, right at the bottom the author has resolved the problem, but it has not been put as an answer to the post, so you need to read through everything to find out.

The problem is that you need to ensure you have your DNS set up correctly in Route 53. I was originally creating a CNAME from my custom DN to the invoke URL of the API.

Instead, what you need to do is create an ALIAS A record from your custom DN to the DN of your regional API (prefixed with d-*).

NOTE: This is different to your invoke URL

After making this change all my problems went away.

For anyone doing this in Terraform, this is what you need:

```hcl
// HTTP API using quick create (regional)
resource "aws_apigatewayv2_api" "qc_technical_test" {
  name          = "qc_technical_test"
  protocol_type = "HTTP"
  target        = aws_lambda_function.tt_lambda.arn
  route_key     = "GET /persons/address"
}

// custom domain name for API (regional)
resource "aws_apigatewayv2_domain_name" "qc_tt_custom_domain" {
  domain_name = "api.${aws_route53_zone.quadcorps.name}"

  domain_name_configuration {
    certificate_arn = aws_acm_certificate.tt_acm.arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }
}

// Route 53 alias A record pointing at the custom domain's d-* target,
// not at the API's invoke URL
resource "aws_route53_record" "tt_api" {
  zone_id = aws_route53_zone.quadcorps.zone_id
  name    = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name
  type    = "A"

  alias {
    name                   = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name_configuration.0.target_domain_name
    zone_id                = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name_configuration.0.hosted_zone_id
    evaluate_target_health = false
  }
}
```

Hope this saves someone a whole lot of time in the future.

Andrew Kew
  • Thank you. I can't say it saved me a lot of time but it saved me from jumping off a bridge. – Pikaro Apr 23 '21 at 21:15
  • For anyone else researching this issue — all I needed to do in my case was to use the 'd-' prefixed API Gateway URL. I used a CNAME record for this, I didn't need to use an A record. – Rich Jan 10 '22 at 21:38
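The error in the question is a hostname-to-certificate mismatch: the name the client asked for (the custom domain) is not covered by any subjectAltName in the certificate the server actually presented (the wildcard for the default execute-api endpoint). The following Python script is an added example, not code from the question, the answer or AWS, that shows the matching rule behind that error and lets you inspect what a live endpoint presents. The hostnames and the list of SANs it is run against are constructed; only the wildcard `*.execute-api.eu-west-2.amazonaws.com` is taken from the error text above, and the `d-` prefix check is a heuristic based on the answer's description of the custom-domain target, not an AWS-documented rule.

```python
"""Added example: why a custom API hostname does or does not match a
certificate's subjectAltName (SAN) list, plus a live inspection helper.

All hostnames/SANs below are constructed except the wildcard quoted
from the question's error message.
"""
import socket
import ssl
from typing import Iterable, List, Optional


def san_matches(hostname: str, san: str) -> bool:
    """DNS-ID matching in the RFC 6125 style used by browsers and Node:
    exact match, or a bare '*' as the leftmost label that covers exactly
    one label. So '*.execute-api.eu-west-2.amazonaws.com' covers
    'abc123.execute-api.eu-west-2.amazonaws.com' but never 'api.example.co.uk'."""
    host = hostname.rstrip(".").lower()
    pattern = san.rstrip(".").lower()
    if "*" not in pattern:
        return host == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False  # partial-label wildcards like 'a*.example.com' are rejected
    label, _, rest = host.partition(".")
    return bool(label) and rest == tail


def covering_san(hostname: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN that covers hostname, or None."""
    for san in sans:
        if san_matches(hostname, san):
            return san
    return None


def diagnose(hostname: str, sans: List[str]) -> str:
    """Produce the same kind of verdict the client in the question reported."""
    san = covering_san(hostname, sans)
    if san is not None:
        return f"ok: {hostname} is covered by {san}"
    return f"mismatch: {hostname} is not in the cert's altnames: {', '.join(sans)}"


def is_custom_domain_target(target: str) -> bool:
    """Heuristic from the answer: the custom domain's target_domain_name is the
    'd-' prefixed regional hostname, whereas the invoke URL host is not."""
    host = target.rstrip(".").lower()
    return host.startswith("d-") and ".execute-api." in host and host.endswith(".amazonaws.com")


def live_sans(hostname: str, port: int = 443) -> List[str]:
    """Connect with SNI and return the DNS SANs the server presents.
    The chain is still verified; only the hostname check is disabled so the
    mismatched certificate can be inspected instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists: what the default endpoint presents (from the
    # question) versus what the ACM certificate for the custom domain presents.
    default_endpoint_sans = ["*.execute-api.eu-west-2.amazonaws.com"]
    custom_domain_sans = ["api.example.co.uk"]
    print(diagnose("api.example.co.uk", default_endpoint_sans))
    print(diagnose("api.example.co.uk", custom_domain_sans))
    print("d-abc123.execute-api.eu-west-2.amazonaws.com ->",
          is_custom_domain_target("d-abc123.execute-api.eu-west-2.amazonaws.com"))
    # Uncomment to inspect a real endpoint (needs network access):
    # print(live_sans("api.example.co.uk"))
```

Running `diagnose` against the two constructed SAN lists reproduces the question's situation: the wildcard presented by the default execute-api endpoint cannot cover a name in another domain, so a CNAME that lands on that endpoint fails hostname verification, while the ACM certificate bound to the custom domain passes. `live_sans` is the check to run after changing the Route 53 record to confirm which certificate the custom hostname now receives.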