API Gateway自定义域证书错误 [英] API Gateway custom domain certificate error
问题描述
我正在尝试使用自定义域设置区域API网关,但遇到了涉及SSL证书的问题.这是我所做的:
- 使用ACM,为vitalservices-3.docriot.com创建了一个证书.
- 在API网关中,创建了一个区域自定义域名-vitalservices-3.docriot.com,并为其分配了vitalservices-3.docriot.com证书,并添加了从"/"到"vitalservices"的基本路径映射-3:prod".
- 在docriot.com的Route53托管区域中,创建了一条CNAME记录,将vitalservices-3.docriot.com映射到82cgbm6s93.execute-api.us-east-1.amazonaws.com.该记录具有基于延迟的路由策略,但目前是vitalservices-3.docriot.com的唯一记录.
我跑步时
curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod 我知道
{"message":缺少身份验证令牌"} 这是我期望的,因为API需要Cognito身份验证.当我使用"-k"选项忽略证书错误并运行时,会收到相同的消息
curl https://vitalservices-3.docriot.com -k 但是,如果我放下-k并运行
curl https://vitalservices-3.docriot.com 我知道
curl:(60)SSL证书问题:无效的证书链... 我该如何解决?
我只是在我的OS X盒子上使用curl,因为我认为这是说明错误的更简单方法.当我在Chrome浏览器中访问这些URL时,也会得到类似的行为.如果输入
curl显示的错误不是很具体,并且适用于许多证书问题.就您而言,您可能缺少文件 cacert.pem ,该文件是Mozilla的公共证书颁发机构的证书包.
您可以从CURL的网站下载cacert.pem:
I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:
- Using ACM, created a certificate for vitalservices-3.docriot.com.
- In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".
- In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.
When I run
curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod
I get
{"message":"Missing Authentication Token"}
which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run
curl https://vitalservices-3.docriot.com -k
But if I drop the -k and run
curl https://vitalservices-3.docriot.com
I get
curl: (60) SSL certificate problem: Invalid certificate chain . . .
How can I fix this?
EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.
I've attached a screenshot of what I see when I click "Not Secure" in the url bar and look at the certificate info.
The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.
You can download cacert.pem from CURL's web site:
More information about cacert.pem
这篇关于API Gateway自定义域证书错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
