How do I investigate issues related to the CA bundle for mTLS listeners on the Application Load Balancer?
I want to resolve issues related to the Certificate Authority (CA) bundle for mutual TLS (mTLS) in the Application Load Balancer.
Short description
Mutual TLS (mTLS) authentication is a variation of Transport Layer Security (TLS). The Application Load Balancer uses TLS to negotiate mutual authentication between itself and the client.
The Application Load Balancer provides two options for mTLS:
- Mutual TLS passthrough: The Application Load Balancer uses HTTP headers to send the whole client certificate chain to the target. Use the client certificate chain to implement the corresponding authentication and authorization logic in your application.
- Mutual TLS verify: The Application Load Balancer performs an X.509 client certificate authentication for clients when it negotiates TLS connections.
Note: An error occurs if any certificate within the CA bundle in the Amazon Elastic Compute Cloud (Amazon EC2) trust store doesn't meet the requirements.
Resolution
Prerequisites
Be sure to check the following:
Quotas
Make sure that you are within the quota limits for the following:
- Trust stores
- CA certificates
- Certificate Revocation Lists
Certificates
The Application Load Balancer has requirements for certificates that are used for mutual TLS authentication. For more information on these requirements, see Before you begin configuring mutual TLS on your Application Load Balancer.
Verify that the certificates within the CA bundle meet the conditions listed in the prerequisites
- To review every certificate present within the bundle, run the following command:
gawk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < CertificateBundle.pem
Note: This command reads the CA .pem file, and then creates a file for every certificate within the file. For example, a CA .pem file that contains two certificates is broken out into two files: cert.1.pem and cert.2.pem.
- To check the certificate for the required values, run the following command:
Note: This example checks the first certificate located in the CA .pem file (cert.1.pem).
openssl x509 -in cert.1.pem -text | grep "Subject:" | sed 's/.*CN = /Subject: /' && \
openssl x509 -in cert.1.pem -text | grep -A 3 "Version:" && \
openssl x509 -in cert.1.pem -text | grep -A 2 "Validity" && \
openssl x509 -in cert.1.pem -text | grep -B 1 "RSA Public-Key:" && \
openssl x509 -in cert.1.pem -text | grep -A 1 "Basic Constraints" && \
openssl x509 -in cert.1.pem -text | grep -A 1 "X509v3 Extended Key Usage:"
You receive the following output:
- The subject name of the certificate
- The version of the certificate
- The serial number of the certificate
- The validity period of the certificate
- The public key encryption type and size
- Whether or not the certificate is set to CA
- The extended key usage types
Troubleshooting tip
If any certificates that are present in the CA bundle fail to meet the defined requirements, you receive an error. For example:
Error: "The basic constraints extension must specify that the certificate is for CA"
Example of a certificate that doesn't meet the requirements:
Subject: client.alb-mtls-example.com
Version: 3 (0x2)
Serial Number:
    0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f
Signature Algorithm: sha256WithRSAEncryption
Validity
    Not Before: Apr 5 00:00:00 2024 GMT
    Not After : Apr 4 23:59:59 2025 GMT
Public Key Algorithm: rsaEncryption
    RSA Public-Key: (4096 bit)
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
This example uses a version 3 certificate that has the supported signature, public key algorithm, size, validity dates, and the proper extended key usage. However, the certificate is marked as CA:FALSE under Basic Constraints. This value means that it's a leaf certificate and not a CA certificate.
To use the CA bundle for the EC2 trust store, remove the non-compliant certificate from the bundle. Then, upload the bundle to the S3 bucket again.
Note: You might have more than one certificate that doesn't meet the requirements. Remove each of the non-compliant certificates from the bundle before you upload the CA bundle again.
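To find every non-compliant certificate in one pass instead of inspecting cert.N.pem files one at a time, the following added example (not AWS code) splits a bundle and reports each certificate that isn't marked CA:TRUE under Basic Constraints. The function name check_ca_bundle is hypothetical, the split uses portable awk in place of gawk, and only the CA flag is checked, not the other prerequisites.

```shell
# Added example (not AWS code). check_ca_bundle is a hypothetical helper name.
# Usage: check_ca_bundle CertificateBundle.pem
# Exit status 0 only if the bundle has at least one certificate and every
# certificate is marked CA:TRUE under Basic Constraints.
check_ca_bundle() (
  bundle="$1"; n=0; bad=0
  workdir="$(mktemp -d)" || exit 2

  # One file per certificate, as in the gawk command above; the parenthesised
  # file name keeps this valid in any POSIX awk.
  awk -v dir="$workdir" \
    '/BEGIN CERT/ {c++} c > 0 {print > (dir "/cert." c ".pem")}' "$bundle"

  for f in "$workdir"/cert.*.pem; do
    [ -e "$f" ] || break            # glob matched nothing: empty bundle
    n=$((n + 1)); name="${f##*/}"
    subject="$(openssl x509 -in "$f" -noout -subject 2>/dev/null)" || {
      echo "UNREADABLE: $name"; bad=$((bad + 1)); continue
    }
    # Same -text/grep approach as the commands above, limited to the CA flag.
    # A certificate with no Basic Constraints extension is also reported.
    if openssl x509 -in "$f" -noout -text |
       grep -A 1 "X509v3 Basic Constraints" | grep -q "CA:TRUE"; then
      echo "OK: $name $subject"
    else
      echo "NOT A CA: $name $subject"; bad=$((bad + 1))
    fi
  done

  rm -rf "$workdir"
  [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
)
```

The cert.N.pem index in each output line is the certificate's position in the bundle, which identifies the PEM block to remove before you upload the bundle again.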
Related information
How do I use Amazon Athena to query my Application Load Balancer connection logs?