I've got an AWS API GW that I'm trying to hook up to HTTPS REST endpoints in a different VPC. According to AWS support and the docs I've ready the solution is to use a VPC link pointing to an NLB in the GWs VPC with IP targets in the other VPC. My NLB is HTTPS since the backend services are HTTPS. For the NLB SSL certificate I used ACM to generate a private certificate (based on an ACM private CA). When I test the GW, I get the dreaded General SSLEngine problem error. The NLB is working fine, I can hit it from my browser and get data back from the back-end services. Does the VPC link not trust private certificates? I don't see any way to add CAs. This whole arrangement seems very convoluted to me. Any suggestions?
I have encountered the same problem and after many tests found the root of the problem in the documentation of the API-Gateway. Basically, API-Gateway will not work with any certificates derived from the ACM's Private CAs. This is a list of all valid CAs to use with the API-Gateway:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-supported-certificate-authorities-for-http-endpoints.html
Related
I've successfully got the api-gw taking to NLB (via VPC Link) then on to ALB then onto my ECS cluster running my apis.
To enable SSL between api-gw and ALB using private certs I've used the insecureSkipVerification tlsconfig. The private certs were created by ACM-PCA in this test.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-extensions-integration-tls-config.html
However, what I want to do is import a private certificate, rather than use an AWS private CA created one. When I do create my own certificate and import it into ACM and attached it to the load balancer, I get an SSL error:
Execution failed due to....PKIX path building failed:...certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
This is the same error when you use a private cert without enabling: insecureSkipVerification.
Is using self managed private CA certs not an option at all with the api-gw?
I had the same issue; in my case the issue was when I imported the custom certificate into ACM I didn't specify Certificate Chain. I was able to use the SSL certificate for the ALB but when integration to API Gateway I was getting the error. After I specified Certificate Chain I was able to use my custom SSL certificate (imported) with API Gateway without issues.
Specify a value for Certificate Chain
I am using ISTIO for service mesh in Azure kubernetes. I have configured private DNS to setup the FQDN. Currently the application is accessible over http protocol(eg: http://myapp.contoso.com) and I would like to be secured with https protocol(eg: https://myapp.contoso.com).
I know I have to change the service port to 443 to support https protocol however how/where do I install the SSL certificate for the application (eg: https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where do you want the SSL termination to happen, if you want that to happen inside the Azure kubernetes network, then you can do SSL termination at ingress layer.
Or otherwise you can also do the termination at application gateway layer of Azure ( if you want to avail this service from azure, the redirection from http to https, basic firewall features and adding the pfx certificates at the listeners can be done), ingress can also take care of these things although.
You can install the let's encrypt certificates by using this helm chart and for further steps you can follow this stack overflow link, it shall help you in creating configurations for Istio, ppl have used this solution for Istio as well before
I found the answer here Securing Your Istio Ingress Gateway with HTTPS
There is istio documentation about that.
I am building an app (API) that will be running on the Google Kubernetes engine. I will add a NGINX Proxy (Cloud Endpoints) with SSL such that all external API requests will go through the Cloud Endpoints instance.
Question is, since I already have SSL enabled on the external open interface, do i need to add SSL cvertificates to the Kubernetes engine as well?
In Google Kubernetes Engine, you can use Ingresses to create HTTPS load balancers with automatically configured SSL certificates. Google-managed SSL certificates are provisioned, renewed, and managed for your domain names. Read more about Google-managed SSL certificates here.
No, “You have the option to use Google-managed SSL certificates (Beta) or to use certificates that you manage yourself.”
You added a NGINX Proxy (Cloud Endpoints) with SSL, then you do not need to add SSL certificates to the Kubernetes engine as well.
Is it possible to give a application load balancer on AWS a SSL certificate, allowing allowing only HTTPS connections, if I don't want to use a custom domain?
Currently developing some internal dashboard applications, so have no need/want for a domain name attached to them.
I can only dig up info and tutorials of creating to a certificate in Cloudformation, when wanting to add a domain forwarding to the LB.
The SSL certificate has to have a valid DNS name associated with it in order to work. You need to request a certificate via ACM and then attach that to the ELB. You can configure the ELB to only have an HTTPS listener to force secure communication.
Probably not.
It's not generally kosher to issue an SSL certificate to an IP address, and since all *.compute.amazonaws.com style DNS names are floating and could be reassigned at any moment, they damn well won't issue one for them either. (Same stands for Let's Encrypt, by the way: you have to have a DNS name not issued by a provider.)
Just give your internal service a DNS name, be it something like mydashboard.internal.mycompany.com or whatever; it'll be easier to access, too.
We're rolling out some simple static web sites onto the Swisscom CloudFoundry cloud, and want to enable SSL for the sites.
Our product manager is not happy with the scapp.io or applicationweb.io names, and we want to be able to add SSL certificates for our domain, e.g "www.swisscom.io".
How do achieve this, given the fact that we're users and not administrators and don't have access to the "Operations Manager" tool? This question is specifically about the Certificate: The setting up of the domain and DNS is clear.
SSL certificates from Let’s Encrypt are now available on the Swisscom Application Cloud: SSL Secure Routes
The cloud guys can probably help you out more here, but one option would be to use: https://www.cloudflare.com/
I was able to use the cloudflare SSL certificate to secure the traffic to and from my application without having to upload a certificate or use the "Operations Manager" tool.
Cheers,
Allan.
I'm currently using an existing VM on https://www.digitalocean.com to serve as a reverse proxy (see https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension#enabling-ssl-reverse-proxy-support, e.g.). It works, but it's not very elegant.