AWS ACM verified ALB SSL issue









up vote
0
down vote

favorite












I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



Name: _xxxxxxxxxxx.test.example.com

Type: CNAME

Value: xxxxxx.xxx.acm-validations.aws.


I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



cURL:



Code:



curl -X POST 
https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi
-H 'Content-Type: application/json'
-H 'cache-control: no-cache'
-d '
"paras1": "xxxxx"
'


Error:



* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=test.example.com
* start date: Nov 11 00:00:00 2018 GMT
* expire date: Dec 11 12:00:00 2019 GMT
* subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


Python Requests:



Code:



import requests

url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

payload = ""paras1": "xxxxx""
headers =
'Content-Type': "application/json",
'cache-control': "no-cache"


response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)


Error:



HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
Max retries exceeded with url: /prod/testapi
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))









share|improve this question

























    up vote
    0
    down vote

    favorite












    I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



    I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



    Name: _xxxxxxxxxxx.test.example.com

    Type: CNAME

    Value: xxxxxx.xxx.acm-validations.aws.


    I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



    cURL:



    Code:



    curl -X POST 
    https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi
    -H 'Content-Type: application/json'
    -H 'cache-control: no-cache'
    -d '
    "paras1": "xxxxx"
    '


    Error:



    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    * subject: CN=test.example.com
    * start date: Nov 11 00:00:00 2018 GMT
    * expire date: Dec 11 12:00:00 2019 GMT
    * subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
    * SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
    * Closing connection 0
    * TLSv1.2 (OUT), TLS alert, Client hello (1):
    curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


    Python Requests:



    Code:



    import requests

    url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

    payload = ""paras1": "xxxxx""
    headers =
    'Content-Type': "application/json",
    'cache-control': "no-cache"


    response = requests.request("POST", url, data=payload, headers=headers)

    print(response.text)


    Error:



    HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
    Max retries exceeded with url: /prod/testapi
    (Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))









    share|improve this question























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



      I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



      Name: _xxxxxxxxxxx.test.example.com

      Type: CNAME

      Value: xxxxxx.xxx.acm-validations.aws.


      I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



      cURL:



      Code:



      curl -X POST 
      https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi
      -H 'Content-Type: application/json'
      -H 'cache-control: no-cache'
      -d '
      "paras1": "xxxxx"
      '


      Error:



      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      * ALPN, server accepted to use http/1.1
      * Server certificate:
      * subject: CN=test.example.com
      * start date: Nov 11 00:00:00 2018 GMT
      * expire date: Dec 11 12:00:00 2019 GMT
      * subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
      * SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
      * Closing connection 0
      * TLSv1.2 (OUT), TLS alert, Client hello (1):
      curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


      Python Requests:



      Code:



      import requests

      url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

      payload = ""paras1": "xxxxx""
      headers =
      'Content-Type': "application/json",
      'cache-control': "no-cache"


      response = requests.request("POST", url, data=payload, headers=headers)

      print(response.text)


      Error:



      HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
      Max retries exceeded with url: /prod/testapi
      (Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))









      share|improve this question













      I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



      I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



      Name: _xxxxxxxxxxx.test.example.com

      Type: CNAME

      Value: xxxxxx.xxx.acm-validations.aws.


      I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



      cURL:



      Code:



      curl -X POST 
      https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi
      -H 'Content-Type: application/json'
      -H 'cache-control: no-cache'
      -d '
      "paras1": "xxxxx"
      '


      Error:



      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      * ALPN, server accepted to use http/1.1
      * Server certificate:
      * subject: CN=test.example.com
      * start date: Nov 11 00:00:00 2018 GMT
      * expire date: Dec 11 12:00:00 2019 GMT
      * subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
      * SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
      * Closing connection 0
      * TLSv1.2 (OUT), TLS alert, Client hello (1):
      curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


      Python Requests:



      Code:



      import requests

      url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"

      payload = ""paras1": "xxxxx""
      headers =
      'Content-Type': "application/json",
      'cache-control': "no-cache"


      response = requests.request("POST", url, data=payload, headers=headers)

      print(response.text)


      Error:



      HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
      Max retries exceeded with url: /prod/testapi
      (Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))






      amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 11 at 20:51









      simonhb1990

      366




      366






















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer




















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36

















          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer


















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00










          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53253114%2faws-acm-verified-alb-ssl-issue%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer




















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36














          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer




















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted







          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer













          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 12 at 1:59









          Michael - sqlbot

          86.9k12127190




          86.9k12127190











          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36
















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36















          Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
          – simonhb1990
          Nov 12 at 17:36




          Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
          – simonhb1990
          Nov 12 at 17:36












          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer


















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00














          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer


















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00












          up vote
          0
          down vote










          up vote
          0
          down vote









          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer














          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 12 at 11:45

























          answered Nov 11 at 22:12









          petrch

          31626




          31626







          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00












          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00







          1




          1




          This question doesn't mention API Gateway.
          – Michael - sqlbot
          Nov 12 at 2:00




          This question doesn't mention API Gateway.
          – Michael - sqlbot
          Nov 12 at 2:00

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53253114%2faws-acm-verified-alb-ssl-issue%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          How to read a connectionString WITH PROVIDER in .NET Core?

          Node.js Script on GitHub Pages or Amazon S3

          Museum of Modern and Contemporary Art of Trento and Rovereto