2 votes

I generated a client-side SSL certificate in API Gateway and added it to my nginx configuration as below:

server {
    listen *:443;
    ssl on;
    server_name api.xxxx.com;
    ssl_certificate /etc/letsencrypt/live/api.xxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.xxxx.com/privkey.pem;

    # Require a client certificate and validate it against the API Gateway
    # certificate copied from the console. With "on", nginx rejects any TLS
    # handshake that does not present a valid client certificate (HTTP 400)
    # before any location block is reached.
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/awsapigateway.crt;

    # Note: a location matches the request URI prefix, not a filesystem path.
    location /home/ubuntu/api {
        # The $ssl_client_verify check is only needed with
        # "ssl_verify_client optional"; with "on" unverified clients never get here.
        # if ($ssl_client_verify != SUCCESS) { return 403; }
        # proxy_pass http://my.http.public.endpoint.com;
        # proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}

The client certificate doesn't work when testing via the AWS API Gateway test console. It ends up with Error 400, "No required SSL certificate was sent". API Gateway should be sending its client cert to my server with each request, so that I can validate that requests are genuinely coming from API Gateway.

I believe the reason it is not working is that I am adding the PEM-encoded public key from the AWS API Gateway console directly to awsapigateway.crt. Is that correct?

Additionally, does nginx support self-signed client SSL certificates, which is what AWS is providing us?

1
A "self-signed" client certificate shouldn't be the issue, since you're using that same cert to validate the incoming cert, which means if it's presented, it's good. You might mention your nginx version, and whether you are using SNI (multiple SSL certs on the same IP), since you might be encountering a bug or unexpected interaction related to client certs and SNI.
Michael - sqlbot

nginx version: nginx/1.4.6 (Ubuntu). I don't think I am using SNI as there is only 1 SSL cert configured for the server. On a side note, I am starting to wonder if the 'test' button is actually sending the client cert with the request (I see this in the request payload: {pathWithQueryString: "/wdff", headers: {}, clientCertificateId: "yalaks"}) or if I haven't configured something on AWS properly. Also edited my question to add more lines from my nginx.conf.
creavery

1 Answer

1 vote

API Gateway team here.

It looks like the nginx configuration is correct. For our simple test case we use a Node server and simply write the PEM certificate from the console directly to the .crt file that is set as the CA, or in this case the ssl_client_certificate.

I'd also test using the actual deployed API, in case the test function in the console has an issue for some reason. Make sure to use the Stage settings to specify the cert.
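A few checks you can run on the server before going back to the console, as an added example for this thread (it is neither the asker's configuration nor the API Gateway team's test setup). It assumes the file is at /etc/nginx/ssl/awsapigateway.crt and that openssl is installed; the script name check_client_ca.sh is made up. It confirms that what was pasted is an X.509 certificate block rather than a bare public key (nginx cannot load a "BEGIN PUBLIC KEY" file as ssl_client_certificate), and that the self-signed certificate validates against itself, which is exactly the trust decision nginx makes when the CA file contains the same certificate API Gateway presents:

```shell
#!/bin/sh
# Sanity checks for the file that nginx's ssl_client_certificate points at.
# Added example for this thread, not tooling from the API Gateway team; the
# path /etc/nginx/ssl/awsapigateway.crt and the script name are assumptions.

# A file is usable as ssl_client_certificate only if it holds X.509
# certificate blocks. The console's "PEM-encoded public key" is the
# certificate itself, so the file must contain BEGIN CERTIFICATE; a bare
# BEGIN PUBLIC KEY block (SubjectPublicKeyInfo) is not a trust anchor and
# nginx would refuse to load it.
pem_is_certificate() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || return 1
    if grep -q -e '-----BEGIN PUBLIC KEY-----' "$f"; then
        return 1
    fi
    return 0
}

# Number of certificate blocks in the file. nginx accepts a bundle, but the
# console hands out exactly one, so anything other than 1 means the paste
# was truncated or duplicated.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# A self-signed certificate is its own trust anchor: verifying it against a
# CA file that contains only itself must succeed. This mirrors what nginx
# does with the presented client certificate when ssl_client_certificate
# holds that same self-signed certificate.
selfsigned_validates() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print subject, issuer and validity so an expired or wrong certificate is
# obvious. For a self-signed certificate, subject and issuer are identical.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage: sh check_client_ca.sh /etc/nginx/ssl/awsapigateway.crt
if [ -n "${1:-}" ]; then
    if ! pem_is_certificate "$1"; then
        echo "$1: not a PEM certificate (paste the whole BEGIN CERTIFICATE block from the console)" >&2
        exit 1
    fi
    echo "certificate blocks: $(pem_cert_count "$1")"
    describe_cert "$1"
    if selfsigned_validates "$1"; then
        echo "self-signed certificate validates against itself: OK"
    else
        echo "certificate does not validate against itself (corrupted paste?)" >&2
        exit 1
    fi
fi
```

Only API Gateway holds the private key for that certificate, so from outside you can exercise just the rejection path: `curl -k https://api.xxxx.com/` should return the 400 "No required SSL certificate was sent", and nginx's error log should show the failed verification. The accept path has to be driven from a deployed stage with the client certificate assigned in its settings, as the answer says.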