Question:
I have a simple HTTP API created using AWS API Gateway that uses a lambda integration to return some data.
I have also configured it with a custom DN using route53 (CNAME)
Recently I have been getting the following error when making a call to the endpoint
Error: Hostname/IP does not match certificate's altnames: Host: xxxxxx. is not in the cert's altnames: DNS:*.execute-api.eu-west-2.amazonaws.com
Can anyone help with why this is happening? I have set up a certificate for my custom domain using AWS Certificate Manager as well, so it's all AWS services, but for some reason it's just stopped working?
Thanks
Andrew
Edit: I am weirdly getting this issue intermittently, when I make a call to the API in a browser I get the following error:
This server could not prove that it is api.xxxx.co.uk; its security certificate is from *.execute-api.eu-west-2.amazonaws.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Then it goes away and it works again? HUH? Any ideas?
Answer:
OK, I have found what the problem is thanks to the following post.
If you look at the comments under the original post, right at the bottom, the author has resolved the problem, but it has not been put as an answer to the post, so you need to read through everything to find out.
The problem is that you need to ensure you have your DNS set up correctly in Route 53.
I was originally creating a CNAME from my custom DN to the invoke URL of the API.
Instead, what you need to do is create an ALIAS A record from your custom DN to the DN of your regional API (prefixed with d-*).
NOTE: This is different to your invoke URL.
After making this change, all my problems went away.
For anyone doing this in Terraform, this is what you need:
//HTTP API using quick create (regional)
resource "aws_apigatewayv2_api" "qc_technical_test" {
  name          = "qc_technical_test"
  protocol_type = "HTTP"
  target        = aws_lambda_function.tt_lambda.arn
  route_key     = "GET /persons/address"
}

//custom domain name for API (regional); the ACM certificate must be issued for this exact name
resource "aws_apigatewayv2_domain_name" "qc_tt_custom_domain" {
  domain_name = "api.${aws_route53_zone.quadcorps.name}"

  domain_name_configuration {
    certificate_arn = aws_acm_certificate.tt_acm.arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }
}

//map the custom domain to the API's $default stage (added here; the posted config omitted it,
//and without a mapping requests to the custom domain are not routed to the API)
resource "aws_apigatewayv2_api_mapping" "tt_api_mapping" {
  api_id      = aws_apigatewayv2_api.qc_technical_test.id
  domain_name = aws_apigatewayv2_domain_name.qc_tt_custom_domain.id
  stage       = "$default"
}

//route53 alias A record to the API's d-* target domain, NOT to the invoke URL
resource "aws_route53_record" "tt_api" {
  zone_id = aws_route53_zone.quadcorps.zone_id
  name    = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name
  type    = "A"

  alias {
    name                   = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name_configuration[0].target_domain_name
    zone_id                = aws_apigatewayv2_domain_name.qc_tt_custom_domain.domain_name_configuration[0].hosted_zone_id
    evaluate_target_health = false
  }
}
Hope this saves someone a whole lot of time in the future.
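An offline check of the hostname-versus-altnames rule that produced the error in the question, as an added example that is not part of the original post (the hostnames and SAN lists are constructed; api.example.co.uk stands in for the asker's api.xxxx.co.uk):

```python
"""Offline check of the rule behind "Hostname/IP does not match certificate's altnames".
Added example (not from the original post): exact DNS SAN entries must equal the host,
and a wildcard covers exactly one leftmost label, as browsers and Node enforce."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SanCheck:
    hostname: str
    matched: Optional[str]  # SAN entry that covered the host, or None

    def ok(self) -> bool:
        return self.matched is not None

def _san_matches(pattern: str, host: str) -> bool:
    # Case-insensitive; Node prints the host with a trailing dot ("Host: xxxxxx."),
    # so strip that before comparing.
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".execute-api.eu-west-2.amazonaws.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # Exactly one label: rejects the bare suffix and "a.b.<suffix>".
    return bool(leftmost) and "." not in leftmost

def check_hostname(hostname: str, dns_sans: List[str]) -> SanCheck:
    """Return the SAN entry covering hostname, or None when a TLS client would reject it."""
    for san in dns_sans:
        if _san_matches(san, hostname):
            return SanCheck(hostname, san)
    return SanCheck(hostname, None)

# Constructed scenario mirroring the question: the custom domain was CNAMEd to the
# invoke URL, so the shared execute-api wildcard certificate was served instead of
# the ACM certificate issued for the custom domain.
EXECUTE_API_SANS = ["*.execute-api.eu-west-2.amazonaws.com"]
CUSTOM_DOMAIN = "api.example.co.uk"  # placeholder for the asker's api.xxxx.co.uk

if __name__ == "__main__":
    for host in (CUSTOM_DOMAIN, "abc123.execute-api.eu-west-2.amazonaws.com"):
        r = check_hostname(host, EXECUTE_API_SANS)
        print(host, "->", "OK via " + r.matched if r.ok() else "REJECTED")
```

The custom domain is rejected against the execute-api wildcard (the question's error), while an invoke-URL host is accepted; pointing the alias at the d-* target domain makes API Gateway serve the ACM certificate whose SAN is the custom domain itself.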