Question
I am trying to test API Gateway certificates locally to provide a proof of concept with no luck.
I have created a localhost IIS server and configured it up using the following help pages (provided by AWS support team):
- https://medium.com/@hafizmohammedg/configuring-client-certificates-on-iis-95aef4174ddb
- https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
In a nutshell, my IIS is setup to use a test website, that has
- Anonymous access disabled
- SSL settings set to required
- Configuration editor configured to contain iisClientCertificateMappingAuthentication (as per above document)
- The site itself is set up to use a server certificate of the built-in IIS Express Development Certificate
Attempting to access the site directly gives me the expected result of:
I then generate a new certificate from our API Gateway
I save this certificate's key (copy / paste) to a .cer file (I have also tried .pem and .crt files)
I then try calling the same https://localhost:8000 passing the certificate via the following applications:
- Postman
- Fiddler
- cURL
All unsuccessful - the results I get from Postman are:
NOTE: I've since learnt this error is driven by the fact that the postman native app requires both a CRT file and KEY file for certificates (API Gateway only give me the crt file).
Command and result from cURL is:
curl --cert 'C:.pemPath' https://localhost:8000
- A positional parameter cannot be found that accepts argument 'C:.pemPath'.
Some reference pages that I've used for help to date (there are a few more not added):
- http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
- How to configure backend server to use client side SSL certificates generated by aws gateway api?
Anyone got some ideas?
Answer 1:
Is testing against IIS a necessity? I've done a similar exercise recently with nginx:
1) Set up an Nginx server on an AWS EC2 instance. https://www.nginx.com/blog/setting-up-nginx/
2) Install free SSL certificates from LetsEncrypt. https://certbot.eff.org/#ubuntuxenial-nginx
ubuntu@host:~$ sudo certbot --nginx
3) Upload the AWS API Gateway generated certificate (API Gateway > Client Certificates > Copy).
4) Configure Nginx to enable client SSL authentication (ssl_client_certificate and ssl_verify_client):
ubuntu@host:/etc/nginx$ cat nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name your-domain.com;
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        root /usr/share/nginx/html;
        ssl_client_certificate /home/ubuntu/client.crt; # this file should contain Client Certificate
        ssl_verify_client on;
        index index.html;
    }
    include /etc/nginx/conf.d/*.conf;
}
And this is the behavior:
# when no certificate provider (direct call to backend)
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
# via api gateway with valid client certificate
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
#via api gateway with invalid client certificate
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
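As an added example (not part of the question or of the answer above), the three outcomes the answer shows, reproduced end to end in Go with an in-process TLS backend configured the way the nginx server is: ClientCAs stands in for ssl_client_certificate and RequireAndVerifyClientCert for ssl_verify_client on. Everything in it is constructed: the certificates are minted at startup, the names localhost-backend and api-gateway-client are placeholders, and the function names are my own, not an AWS or nginx API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a self-signed certificate (constructed for this example). The client one
// has the shape of what API Gateway hands out: no CA behind it, so the backend must trust
// that exact certificate, which is what the answer's ssl_client_certificate line does.
func selfSigned(cn string, server bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server { // the backend's own certificate, valid for 127.0.0.1
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// poolOf returns a trust store holding exactly one certificate.
func poolOf(c tls.Certificate) *x509.CertPool {
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	p := x509.NewCertPool()
	p.AddCert(leaf)
	return p
}

// startBackend listens the way the answer's nginx server does: ssl_verify_client on, trusting
// only the one client certificate. The check is part of the TLS handshake, so a missing or
// untrusted certificate never reaches the application code.
func startBackend(serverCert, trustedClient tls.Certificate) net.Listener {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // ssl_verify_client on
		ClientCAs:    poolOf(trustedClient),          // ssl_client_certificate
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { panic(err) }
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return } // listener closed
			go func(c net.Conn) {
				defer c.Close()
				// The first Read drives the handshake; a rejected client has already received a TLS alert.
				if _, err := c.Read(make([]byte, 64)); err == nil {
					c.Write([]byte("Welcome to nginx!"))
				}
			}(c)
		}
	}()
	return ln
}

// connect plays API Gateway's role (nil cert = send none). With TLS 1.3 a rejection
// surfaces on the first read rather than at Dial, so every step is checked.
func connect(addr string, roots *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if cert != nil { cfg.Certificates = []tls.Certificate{*cert} }
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return "", err }
	defer conn.Close()
	if _, err := conn.Write([]byte("GET /\n")); err != nil { return "", err }
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// RunScenarios reproduces the answer's three cases, in order: no certificate, the trusted
// certificate, and an impostor with the same CN but a different key.
func RunScenarios() (replies [3]string, errs [3]error) {
	server := selfSigned("localhost-backend", true)
	good := selfSigned("api-gateway-client", false)
	impostor := selfSigned("api-gateway-client", false)
	ln := startBackend(server, good)
	defer ln.Close()
	for i, cert := range []*tls.Certificate{nil, &good, &impostor} {
		replies[i], errs[i] = connect(ln.Addr().String(), poolOf(server), cert)
	}
	return replies, errs
}

func main() {
	replies, errs := RunScenarios()
	for i, label := range []string{"no certificate", "trusted certificate", "impostor"} {
		fmt.Printf("%-20s reply=%q err=%v\n", label, replies[i], errs[i])
	}
}
```

Run it with go run; it prints one line per scenario, and only the trusted certificate gets the welcome page. Two points carry over to the IIS setup in the question: the backend treats the copied certificate as a trust anchor for that exact certificate, not as a CA, so only a holder of the matching private key can pass the check; and as the question's own note says, API Gateway hands out only the certificate and keeps the key, which is why Postman, Fiddler or curl on a workstation cannot present it and why the valid-certificate case can only be exercised by calling through API Gateway.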
Source: https://stackoverflow.com/questions/46086274/aws-api-gateway-use-client-side-ssl-certificates