AWS ACM验证了ALB SSL问题

时间:2018-11-11 20:51:32

标签: amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer

我已通过使用ACM证书将HTTPS用于AWS Application Load Balancer侦听器。

我向ACM请求了一个子域的公共证书: test.example.com ,并在路由53中为其创建了CNAME:

Name: _xxxxxxxxxxx.test.example.com

Type: CNAME

Value: xxxxxx.xxx.acm-validations.aws.

我可以使用ALB的DNS( xxxx.us-east-1.elb.amazonaws.com )在POSTMAN中成功调用API,但是,当我使用python请求或cURL来调用相同的API,它将始终告诉我SSL出现问题。

cURL:

代码:

curl -X POST \
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -d '{
    "paras1": "xxxxx"
}'

错误:

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=test.example.com
*  start date: Nov 11 00:00:00 2018 GMT
*  expire date: Dec 11 12:00:00 2019 GMT
*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'

Python请求:

代码:

import requests

url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

payload = "{\"paras1\": \"xxxxx\"}"
headers = {
    'Content-Type': "application/json",
    'cache-control': "no-cache"
    }

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

错误:

HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
Max retries exceeded with url: /prod/testapi 
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))

2 个答案:

答案 0 :(得分:2)

  

我可以使用ALB的DNS(xxxx.us-east-1.elb.amazonaws.com)

这不是设计方式。您需要将test.example.com指向DNS中的ELB,然后:

url = "https://test.example.com/prod/testapi"

答案 1 :(得分:0)

很显然,您调用xxxx.us-east-1.elb.amazonaws.com,该网站已设置了test.example.com的证书。尽管证书可能是有效的,但它与您正在调用的URL不匹配,这意味着该证书对该呼叫无效。 我认为您还必须为API网关设置自定义域 https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

编辑:感谢您的评论。我不确定如何阅读“ elb”作为api网关。我的错。 ELB的DNS仍必须与证书中的DNS相匹配。您可以从您的域到ELB域创建一个CNAME。这应该工作(至少这是我们的工作方式)。

相关问题
最新问题