Question
I'm trying to set up a regional API gateway with a custom domain, and I'm hitting a problem involving SSL certificates. Here's what I've done:
- Using ACM, created a certificate for vitalservices-3.docriot.com.
- In API Gateway, created a regional custom domain name--vitalservices-3.docriot.com--assigned the vitalservices-3.docriot.com certificate to it, and added a base path mapping from "/" to "vitalservices-3:prod".
- In the Route53 hosted zone for docriot.com, created a CNAME record mapping vitalservices-3.docriot.com to 82cgbm6s93.execute-api.us-east-1.amazonaws.com. This record has a latency-based routing policy, but it is, for now, the only record for vitalservices-3.docriot.com.
When I run
curl https://82cgbm6s93.execute-api.us-east-1.amazonaws.com/prod
I get
{"message":"Missing Authentication Token"}
which is what I expect, as the API requires Cognito authentication. I get the same message when I ignore certificate errors using the "-k" option and run
curl https://vitalservices-3.docriot.com -k
But if I drop the -k and run
curl https://vitalservices-3.docriot.com
I get
curl: (60) SSL certificate problem: Invalid certificate chain . . .
How can I fix this?
EDIT: I was just using curl on my OS X box because I assumed it was a simpler way of illustrating the error. I get similar behavior when I access those URLs in my Chrome browser. If I enter https://vitalservices-3.docriot.com, I get the red warning triangle in the URL bar and the page saying, "Attackers might be trying to steal your information . . . ". Then, if I choose the option to view the page anyways, the browser displays a page with the text "{"message":"Missing Authentication Token"}", just as when I use "curl -k". Thus I don't think the problem is that my machine doesn't trust a certificate authority.
I've attached a screenshot of what I see when I click "Not Secure" in the url bar and look at the certificate info.
Answer 1:
The error that curl is displaying is not very specific and applies to a number of certificate issues. In your case, you are probably missing the file cacert.pem, which is a bundle of certificates of public Certificate Authorities from Mozilla.
You can download cacert.pem from CURL's web site:
cacert.pem
More information about cacert.pem
Answer 2:
The certificate you chose from the dropdown in the Custom Domain of API Gateway does not satisfy the DNS name you're hitting. Only vitalservices-3.docriot.com or *.docriot.com is valid from ACM. Changing the SSL certificate to the one mentioned will resolve this.
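Added example (not part of the question or of either answer): a Python check of which certificate names cover vitalservices-3.docriot.com, using the exact-name or single-label-wildcard rule that Answer 2 relies on. The SAN text is constructed in the format printed by `openssl x509 -noout -ext subjectAltName`, and the function names are illustrative.

```python
import re

HOST = "vitalservices-3.docriot.com"  # custom domain name from the question


def dns_sans(openssl_text):
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` text."""
    return re.findall(r"DNS:([^,\s]+)", openssl_text)


def name_matches(pattern, hostname):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans zero or several labels
    if p[0] == "*":
        # refuse over-broad wildcards such as "*.com"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_names(openssl_text, hostname):
    """SAN entries that make the presented certificate valid for hostname."""
    return [n for n in dns_sans(openssl_text) if name_matches(n, hostname)]


# Constructed sample outputs, not captured from the real endpoints.
HDR = "X509v3 Subject Alternative Name: \n    "
SAMPLES = {
    "exact name": HDR + "DNS:vitalservices-3.docriot.com",
    "wildcard": HDR + "DNS:docriot.com, DNS:*.docriot.com",
    "apex only": HDR + "DNS:docriot.com",
    "other subdomain": HDR + "DNS:vitalservices.docriot.com",
    "execute-api wildcard": HDR + "DNS:*.execute-api.us-east-1.amazonaws.com",
}


def report(host=HOST):
    """Map each sample certificate to the SAN entries that cover host."""
    return {label: covering_names(text, host) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, names in report().items():
        verdict = "valid via " + ", ".join(names) if names else "NAME MISMATCH"
        print(f"{label:22} -> {verdict}")
```

To check a live endpoint, feed `covering_names` the subjectAltName text of the certificate the server presents for that hostname.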
Source: https://stackoverflow.com/questions/49266918/api-gateway-custom-domain-certificate-error