AWS API网关 - 使用客户端SSL证书 [英] AWS API Gateway - Use Client-Side SSL Certificates

问题描述

我正在尝试在本地测试API网关证书以提供概念证明而没有运气。

我创建了一个localhost IIS服务器并使用以下帮助页面（由AWS支持团队提供）：

• 
  
  

  然后我生成一个新的我们的API网关证书

  
  
  
  
  
  

  我保存了这个证书的密钥（复制/粘贴）到.cer文件（我也尝试过.pem和.crt文件）

  
  
  

  然后尝试调用相同的

  
  
  

  注意：我已经自从了解到这个错误是由邮递员本机应用程序同时需要CRT文件和证书的KEY文件（API网关只给我crt文件）这一事实驱动的。

  
  
  

  来自cURL的命令和结果是：

  
  
  

  curl --cert'C：.pemPath' https：// localhost：8000

  
  
  
  
  
  • 找不到接受参数
    'C的位置参数：.pemPath'。
  
  
  
  
  

  我用过的一些参考页面迄今为止的帮助（还有一些没有添加）：

  
  
  
  
  
  • http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started -client-side-ssl-authentication.html
  
  
  • 如何配置后端服务器以使用由aws gateway api生成的客户端SSL证书？
  
  
  
  
  

  任何人都有一些想法？

  解决方案

  对IIS进行测试是必要的吗？我最近用nginx完成了类似的练习：

  
  
  

  1）在AWS EC2实例上设置Ngnix服务器。 https://www.nginx.com/blog/setting-up-nginx/

  
  
  

  2）从LetsEncrypt安装免费的SSL证书。 https://certbot.eff.org/#ubuntuxenial-nginx
  ubuntu @ host：〜$ sudo certbot --nginx

  
  
  

  3）上传AWS API Gateway生成的证书（API Gateway>客户端证书>复制）。

  
  
  

  4）配置Nginx以启用客户端ssl身份验证 ssl_client_certificate 和 ssl_verify_client

    ubuntu @ host：/ etc / nginx $ cat nginx.conf 
   
  用户nginx; 
   worker_processes 1; 
   
   error_log /var/log/nginx/error.log warn; 
   pid /var/run/nginx.pid; 
   
   
   events {
   worker_connections 1024; 
  } 
   
   http {
   include /etc/nginx/mime.types; 
   default_type application / octet-stream; 
   
   log_format main'$ remote_addr  -  $ remote_user [$ time_local]$ request'
  '$ status $ body_bytes_sent$ http_referer'
  '$ http_user_agent$ HTTP_X_FORWARDED_FOR; 
   
   access_log /var/log/nginx/access.log main; 
   
   sendfile on; 
   #tcp_nopush on; 
   
   keepalive_timeout 65; 
   
   #gzip on; 
   
  服务器{
  听80; 
   server_name your-domain.com; 
   
  听443 ssl; ＃由Certbot管理
   ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; ＃由Certbot管理
   ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; ＃由Certbot管理
  包括/etc/letsencrypt/options-ssl-nginx.conf; ＃由Certbot管理
   root / usr / share / nginx / html; 
   ssl_client_certificate /home/ubuntu/client.crt; ＃此文件应包含客户端证书
   ssl_verify_client on; 
   index index.html; 
  } 
   
  包括/etc/nginx/conf.d/*.conf; 
  } 
    

  这是行为

   ＃没有证书提供者时（直接拨打后端）
  < center>< h1> 400 Bad Request< / h1>< / center> 
  < center>未发送所需的SSL证书< / center> 
   
  ＃来自带有效客户证书的api网关
  < h1>欢迎使用nginx！< / h1> 
  < p>如果您看到此页面，则表明nginx Web服务器已成功安装且
  正常运行。需要进一步配置。< / p> 
   
   #via api gateway with invalid client certificate 
  < center>< h1> 400 Bad Request< / h1>< / center> 
  < center> SSL证书错误< / center> 
    

  
  

  I am trying to test API Gateway certificates locally to provide a proof of concept with no luck.

  I have created a localhost IIS server and configured it up using the following help pages (provided by AWS support team):

  • https://medium.com/@hafizmohammedg/configuring-client-certificates-on-iis-95aef4174ddb
  • https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/

  In a nutshell, my IIS is setup to use a test website, that has

  • Anonymous access disabled
  • SSL settings set to required
  • Configuration editor configured to contain iisClientCertificateMappingAuthentication (as per above document)
  • The site itself is setup to use a server certificate of the built in IIS Express Development Certificate

  Attempting to access the site directly give me the expected result of:

  I then generate a new certificate from our API Gateway

  I save this certificate's key (copy / paste) to a .cer file (I have also tried .pem and .crt files)

  I then try calling the same https://localhost:8000 passing the certificate via the following applications:

  • Postman
  • Fiddler
  • cURL

  All unsuccessful - the results I get from Postman are:

  NOTE: I've since learnt this error is driven by the fact that the postman native app requires both a CRT file and KEY file for certificates (API Gateway only give me the crt file).

  Command and result from cURL is:

  curl --cert 'C:.pemPath' https://localhost:8000

  • A positional parameter cannot be found that accepts argument 'C:.pemPath'.

  Some reference pages that I've used for help to date (there are a few more not added):

  • http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
  • How to configure backend server to use client side SSL certificates generated by aws gateway api?

  Anyone got some ideas?

  解决方案

  is testing against IIS a necessity? i've done similar exercise recently with nginx:

  1) set up Ngnix server on AWS EC2 Instance. https://www.nginx.com/blog/setting-up-nginx/

  2) install free SSL certificates from LetsEncrypt. https://certbot.eff.org/#ubuntuxenial-nginx ubuntu@host:~$ sudo certbot --nginx

  3) upload AWS API Gateway generated Certificate (API Gateway > Client Certificates > Copy).

  4) Configure Nginx to enable client ssl Authentication ssl_client_certificate and ssl_verify_client

  ubuntu@host:/etc/nginx$ cat nginx.conf
  
  user  nginx;
  worker_processes  1;
  
  error_log  /var/log/nginx/error.log warn;
  pid        /var/run/nginx.pid;
  
  
  events {
      worker_connections  1024;
  }
  
  http {
      include       /etc/nginx/mime.types;
      default_type  application/octet-stream;
  
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
  
      access_log  /var/log/nginx/access.log  main;
  
      sendfile        on;
      #tcp_nopush     on;
  
      keepalive_timeout  65;
  
      #gzip  on;
  
      server {
          listen 80;
          server_name your-domain.com;
  
          listen 443 ssl; # managed by Certbot
          ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
          ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
          include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
          root /usr/share/nginx/html;
          ssl_client_certificate /home/ubuntu/client.crt; # this file should contain Client Certificate
          ssl_verify_client on;
          index index.html;
      }
  
      include /etc/nginx/conf.d/*.conf;
  }
  

  and this is the behavior

  # when no certificate provider (direct call to backend)
  <center><h1>400 Bad Request</h1></center>
  <center>No required SSL certificate was sent</center>
  
  # via api gateway with valid client certificate
  <h1>Welcome to nginx!</h1>
  <p>If you see this page, the nginx web server is successfully installed and
  working. Further configuration is required.</p>
  
  #via api gateway with invalid client certificate
  <center><h1>400 Bad Request</h1></center>
  <center>The SSL certificate error</center>
  

  这篇关于AWS API网关 - 使用客户端SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！