By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

API Gateway - "self signed certificate in certificate chain"

0

I aim to create a custom domain for private API Gateway endpoints in VPC. To achieve this, I created an AWS Private CA and requested the private certificate for the domain *.test.aws. Then created an AWS Load Balancer with a listener in HTTPS (port 443) with an already-created private certificate. The Target Group points to the IP addresses for "execute-api" endpoints inside the VPC. The next step was to create a private Hosted Zone in Route 53, with a new A record "api.test.aws" that redirects to the ALB domain name. Finally, set up a custom domain name with "api.test.aws" using the certificate for my API Gateway resource.

After all of these steps, whenever call the "https://api.test.aws", I get an error "self signed certificate in certificate chain" The request never reaches the target lambda function. For instance, tested the "https://api.test.aws" which reaches the lambda (updated ALB of port 80)

Any idea what may cause the following error?

Topics
Networking & Content DeliveryServerlessFront-End Web & MobileSecurity, Identity, & Compliance
Tags
Amazon VPCAmazon API GatewayAmazon Route 53AWS Certificate ManagerApplication Load Balancer
Language
English
marcin
asked 6 months ago1488 views
2 Answers
0

Your private CA isn't trusted, that is it doesn't appear in the CA certificate bundle of the client that's trying to hit the endpoint.

Mutual TLS Authentication may help you to achieve what it is that you want here https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

profile picture
EXPERT
Steve_M
answered 6 months ago
  • marcin
    6 months ago

    I wonder if AWS Private Certificate Authority is not a sufficient CA to establish a connection between ALB and API Gateway custom domain (both of them using the same ACM certificate)?

  • Gary Mclean EXPERT
    6 months ago

    ALB's do not care about self signed certs btw. They ignore invalid certs

0

Its behaving exacatly how you set it up. A AWS Private CA is techincally a self signed certificate from where you issue more ceritifcates from. The only to have this work I think is to install the certificate chain from the Private CA.

I believe what you should do is to create a Private API Gateway and use an ACM issued certificate instead which is signed by a trusted root certificate.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

profile picture
EXPERT
Gary Mclean
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content