AWS API网关 - 使用客户端SSL证书 [英] AWS API Gateway - Use Client-Side SSL Certificates
问题描述
我正在尝试在本地测试API网关证书以提供概念证明而没有运气。
我创建了一个localhost IIS服务器并使用以下帮助页面(由AWS支持团队提供):
-
然后我生成一个新的我们的API网关证书
我保存了这个证书的密钥(复制/粘贴)到.cer文件(我也尝试过.pem和.crt文件)
然后尝试调用相同的
注意:我已经自从了解到这个错误是由邮递员本机应用程序同时需要CRT文件和证书的KEY文件(API网关只给我crt文件)这一事实驱动的。
来自cURL的命令和结果是:
curl --cert'C:.pemPath' https:// localhost:8000
- 找不到接受参数
'C的位置参数:.pemPath'。
我用过的一些参考页面迄今为止的帮助(还有一些没有添加):
- http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started -client-side-ssl-authentication.html
- 如何配置后端服务器以使用由aws gateway api生成的客户端SSL证书?
任何人都有一些想法?
解决方案对IIS进行测试是必要的吗?我最近用nginx完成了类似的练习:
1)在AWS EC2实例上设置Ngnix服务器。 https://www.nginx.com/blog/setting-up-nginx/
2)从LetsEncrypt安装免费的SSL证书。 https://certbot.eff.org/#ubuntuxenial-nginx
ubuntu @ host:〜$ sudo certbot --nginx
3)上传AWS API Gateway生成的证书(API Gateway>客户端证书>复制)。
4)配置Nginx以启用客户端ssl身份验证
ssl_client_certificate
和ssl_verify_client
ubuntu @ host:/ etc / nginx $ cat nginx.conf
用户nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application / octet-stream;
log_format main'$ remote_addr - $ remote_user [$ time_local]$ request'
'$ status $ body_bytes_sent$ http_referer'
'$ http_user_agent$ HTTP_X_FORWARDED_FOR;
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
服务器{
听80;
server_name your-domain.com;
听443 ssl; #由Certbot管理
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; #由Certbot管理
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; #由Certbot管理
包括/etc/letsencrypt/options-ssl-nginx.conf; #由Certbot管理
root / usr / share / nginx / html;
ssl_client_certificate /home/ubuntu/client.crt; #此文件应包含客户端证书
ssl_verify_client on;
index index.html;
}
包括/etc/nginx/conf.d/*.conf;
}
这是行为
#没有证书提供者时(直接拨打后端)
< center>< h1> 400 Bad Request< / h1>< / center>
< center>未发送所需的SSL证书< / center>
#来自带有效客户证书的api网关
< h1>欢迎使用nginx!< / h1>
< p>如果您看到此页面,则表明nginx Web服务器已成功安装且
正常运行。需要进一步配置。< / p>
#via api gateway with invalid client certificate
< center>< h1> 400 Bad Request< / h1>< / center>
< center> SSL证书错误< / center>
I am trying to test API Gateway certificates locally to provide a proof of concept with no luck.
I have created a localhost IIS server and configured it up using the following help pages (provided by AWS support team):
- https://medium.com/@hafizmohammedg/configuring-client-certificates-on-iis-95aef4174ddb
- https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
In a nutshell, my IIS is setup to use a test website, that has
- Anonymous access disabled
- SSL settings set to required
- Configuration editor configured to contain iisClientCertificateMappingAuthentication (as per above document)
- The site itself is setup to use a
server certificate
of the built inIIS Express Development Certificate
Attempting to access the site directly give me the expected result of:
I then generate a new certificate from our API Gateway
I save this certificate's key (copy / paste) to a .cer file (I have also tried .pem and .crt files)
I then try calling the same https://localhost:8000 passing the certificate via the following applications:
- Postman
- Fiddler
- cURL
All unsuccessful - the results I get from Postman are:
NOTE: I've since learnt this error is driven by the fact that the postman native app requires both a CRT file and KEY file for certificates (API Gateway only give me the crt file).
Command and result from cURL is:
curl --cert 'C:.pemPath' https://localhost:8000
- A positional parameter cannot be found that accepts argument 'C:.pemPath'.
Some reference pages that I've used for help to date (there are a few more not added):
- http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
- How to configure backend server to use client side SSL certificates generated by aws gateway api?
Anyone got some ideas?
解决方案is testing against IIS a necessity? i've done similar exercise recently with nginx:
1) set up Ngnix server on AWS EC2 Instance. https://www.nginx.com/blog/setting-up-nginx/
2) install free SSL certificates from LetsEncrypt. https://certbot.eff.org/#ubuntuxenial-nginx
ubuntu@host:~$ sudo certbot --nginx
3) upload AWS API Gateway generated Certificate (API Gateway > Client Certificates > Copy).
4) Configure Nginx to enable client ssl Authentication
ssl_client_certificate
andssl_verify_client
ubuntu@host:/etc/nginx$ cat nginx.conf user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; server { listen 80; server_name your-domain.com; listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot root /usr/share/nginx/html; ssl_client_certificate /home/ubuntu/client.crt; # this file should contain Client Certificate ssl_verify_client on; index index.html; } include /etc/nginx/conf.d/*.conf; }
and this is the behavior
# when no certificate provider (direct call to backend) <center><h1>400 Bad Request</h1></center> <center>No required SSL certificate was sent</center> # via api gateway with valid client certificate <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> #via api gateway with invalid client certificate <center><h1>400 Bad Request</h1></center> <center>The SSL certificate error</center>
这篇关于AWS API网关 - 使用客户端SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- 找不到接受参数