Can I use VPC Link to NLB with ACM private certificate?

I've got an AWS API GW that I'm trying to hook up to HTTPS REST endpoints in a different VPC. According to AWS support and the docs I've read, the solution is to use a VPC link pointing to an NLB in the GW's VPC with IP targets in the other VPC. My NLB is HTTPS since the backend services are HTTPS. For the NLB SSL certificate I used ACM to generate a private certificate (based on an ACM private CA). When I test the GW, I get the dreaded General SSLEngine problem error. The NLB is working fine; I can hit it from my browser and get data back from the back-end services. Does the VPC link not trust private certificates? I don't see any way to add CAs. This whole arrangement seems very convoluted to me. Any suggestions?
1.4k views. Asked by Malcolm McRoberts. 1 answer.
I have encountered the same problem and after many tests I found the root of the problem in the documentation of the API-Gateway. Basically, API-Gateway will not work with any certificates derived from the ACM's Private CAs. This is a list of all valid CAs to use with the API-Gateway:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-supported-certificate-authorities-for-http-endpoints.html
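As an added example (not part of the question or answer above), this shell script reproduces the trust failure behind the "General SSLEngine problem": it mints a throwaway private CA and an NLB leaf certificate, then shows the leaf verifies only when that CA is supplied explicitly, which a browser with the CA installed can do and the API Gateway integration cannot. It assumes the openssl CLI is installed; the CA name and the nlb.internal.example hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the question or answer: reproduce why a leaf
# certificate issued by a private CA fails verification against a default
# trust store while passing when the private CA is supplied.
set -eu

# Mint a constructed private CA and a leaf for the (constructed) NLB hostname.
make_private_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=nlb.internal.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Print "trusted" if CERT chains to a root in the default trust store,
# "untrusted" otherwise. This is the position API Gateway is in: it only
# trusts the CAs on its supported list and cannot be given a private CA.
classify_cert() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Same check with the private CA supplied, which is why the NLB looks fine
# from a browser or host that has the private CA installed.
classify_cert_with_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Print issuer and subject of a leaf so the issuer can be compared against
# the API Gateway supported-CA list.
print_issuer() {
  openssl x509 -in "$1" -noout -issuer -subject
}

# Fetch the chain a live NLB listener presents (needs network; not run below).
show_live_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Demonstration on the constructed chain.
work=$(mktemp -d)
make_private_chain "$work"
print_issuer "$work/leaf.pem"
echo "default store: $(classify_cert "$work/leaf.pem")"
echo "with private CA: $(classify_cert_with_ca "$work/leaf.pem" "$work/ca.pem")"
```

Run `show_live_chain <nlb-dns-name>` against the real listener and compare the issuer it prints with the supported-CA list linked in the answer.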