
API Gateway SSL intermediate cert issue while connecting to web server


Hi Folks, 


🙏 Namaste and Welcome to my blog 🙏


Hope this finds you safe and healthy! 


Today I will explain what to do if you are getting an issue connecting your newly created AWS API Gateway to your running web server (my web server is Tomcat 8 running on EC2). First you need to check what the error is; in my case I was getting a missing intermediate SSL cert issue.

For that you may ask for the complete SSL cert chain from the web server admin who previously configured the SSL cert for your web server, or if you are the owner of that server yourself then no worry, I will tell you how we can download the intermediate cert from the website and how we can configure it.

Stay here 😉


1) Download intermediate Cert

2) Move the downloaded cert to web server

3) Configure that new intermediate cert in your web server

4) Restart tomcat

5) Verify intermediate cert installed properly or not with online SSL checker

6) Now go to API Gateway and try to run the API


1) Download intermediate Cert

I will show you how I download the intermediate cert of google.com (please use your own web site's domain name instead of google 👮, it is just an example).

  • Go to the URL, click the lock icon in the browser address bar, and then click on Certificate.

  • Then go to Certification Path and click the middle certificate (in your case the name will be different, like Comodo, Let's Encrypt etc., so please click only on the middle one, which is the intermediate cert for your website).

  • Next, click View Certificate at the bottom right, which opens the certificate dialog; there go to Details and then click Copy to File.

  • On the next page you will be on the welcome wizard; just click Next.

  • Next you will get two options for the format in which you want to export that cert. I am choosing the second one, Base64.

  • Then click Next and save the file somewhere on your local system. Name the file .crt and select extension type All. Click Finish and it will save the file as

  • Go to the download location and look at the file name: you can see it also has a .cer extension, so rename the file before moving it to the Linux machine.

  • My file name is abc.crt.cer; I will rename it to the .crt extension only.





2) Move the downloaded cert to web server

  • Now you have the intermediate cert abc.crt with you; just move it to the required location as I have done below

            scp -i hello.pem abc.crt ec2-user@171.37.2.12:/tmp

  • Move that file to the certs directory

            mv /tmp/abc.crt /etc/pki/tls/certs/


3) Configure that new intermediate cert in your web server
  • Change the configuration file ssl.conf (in my case I have done proxy pass through SSL, so my configuration is in ssl.conf; in your case it may be in Apache, Nginx or somewhere else)

            SSLCertificateChainFile /etc/pki/tls/certs/abc.crt


4) Restart tomcat

            service httpd restart

  • In my setup Apache httpd terminates SSL and proxies to Tomcat, so it is httpd that has to be restarted to pick up the new chain file.


5) Verify intermediate cert installed properly or not with online SSL checker

  • There are multiple online sites where you can check whether your intermediate cert is installed on your server. I will give you an example of one where you can check easily.

  • Popular online SSL checkers list the certificate chain of your site; I am using google.com to show how a complete chain looks on such a site.




  • In the checker's output you can see the cert chain is not breaking. Basically the intermediate cert is also known as the chain cert, so if the chain is not breaking for google.com it means they have the intermediate cert for their website (of course they have; I was only showing you how a perfect intermediate cert chain looks, that's why I used google).
  • Next I will show you one of my dummy web servers where I have not installed the intermediate cert, and where the checker shows an error, or chain break.
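To run the same chain check from the command line without an online tool, here is an added example (not from the blog): it builds a constructed root / intermediate / site chain with openssl in a temp directory, shows the verify result with and without the intermediate (the "chain break"), and checks that the exported file really is the site cert's issuer, i.e. the middle certificate. All names (Example Root, Example Intermediate, www.example.test) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the blog: build a throwaway root -> intermediate -> leaf chain
# in a temp dir and reproduce offline what the online SSL checker reports: the site cert
# verifies only with the intermediate ("chain cert"). All names here are constructed.
set -e
WORK=$(mktemp -d)
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"
# Create a key + CSR for $1 (file stem) with common name $2.
csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

gen_chain() {
  csr root "Example Root"           # self-signed root CA
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$CA_EXT" -out "$WORK/root.pem" >/dev/null 2>&1
  csr inter "Example Intermediate"  # the cert the blog exports from the browser
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$CA_EXT" -out "$WORK/inter.pem" >/dev/null 2>&1
  csr leaf "www.example.test"       # the web server's own cert
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns 0: the leaf chains to the root when the intermediate is supplied, which
# is what a correct SSLCertificateChainFile gives every client.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns non-zero ("unable to get local issuer certificate"): the chain break the
# online checker shows when the server sends only its own cert.
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints "yes" when the exported file is the leaf's issuer, i.e. you picked the
# middle certificate in the browser's path view, not the root or the site cert.
is_right_intermediate() {
  issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$WORK/leaf.pem" | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/inter.pem" | sed 's/^subject=//')
  if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

gen_chain
verify_with_chain && echo "with intermediate: chain OK"
verify_without_chain || echo "without intermediate: chain broken"
echo "exported file is the site cert's issuer: $(is_right_intermediate)"
```

On Apache httpd 2.4.8 and later SSLCertificateChainFile is deprecated; the intermediate can instead be appended after the server cert in the file named by SSLCertificateFile, and the same verify check applies to the result.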



6) Now go to API Gateway and try to run the API

  • Finally, go to your AWS API Gateway console, copy your invoke URL, paste it into the address bar and hit it (make sure you have installed the chain cert on the same web server that is configured with this API Gateway, or cross-check the configuration once if everything looks good).

  • You should now see a success response from your web server's API. If you also get a response from your web server then you are a champion now and you have configured it ....🙌


Note:- For how to create and configure API Gateway in AWS, please go to my other blog where I have explained it in detail.

https://vdkthakur.blogspot.com/2020/08/hi-folks-namaste-welcome-to-my-blog.html

Cheers👍

Vik 
Sr. Cloud-DevOps Engineer


