
Well, I have an AWS::ApiGateway::RestApi resource that always generates a URL like this: https://{GATEWAYID}.execute-api.{REGION}.amazonaws.com/{STAGE}

So, I created a CNAME in Route 53 with the following characteristics:

  CnameRoute53Api:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref MyHostedZone
      Name: api.privatedomain
      Type: CNAME
      TTL: 300
      ResourceRecords:
        - !Sub ${GatewayId}.execute-api.${AWS::Region}.amazonaws.com
    DependsOn: MyHostedZone

As you can see, I'm creating a CNAME inside my private hosted zone pointing to my gateway. Now I'm trying to make a curl request from an EC2 instance in this account:

curl -v https://api.privatedomain

And I got the following error:

curl: (51) SSL: no alternative certificate subject name matches target host name 'api.privatedomain'

I understand that the SSL certificate is not prepared to accept requests for "api.privatedomain". Is there any way to fix it? I don't want to buy a custom domain to expose my API to the internet; this API will be accessible only inside this account.

Ronaldo Lanhellas

1 Answer


As you already observed, you can't do this due to SSL issues. If you don't want to use the AWS-provided API default domain, you have to buy your own public domain, for which you can get a free public SSL certificate using ACM.

But anyway, if you don't want to have a public API, why not create a private API? At the moment, your private zone will resolve to a public API over the internet. Thus it's rather counterproductive to use a private zone for that.

The use of a private API, unlike a public API, ensures that the entire traffic between your instance and the API does not happen over the internet.

Marcin
  • So, if I understand, the only way is to use the private DNS generated by AWS API Gateway, something like execute-api.region, right? – Ronaldo Lanhellas Feb 26 '21 at 00:58
  • @RonaldoLanhellas I'm not sure if this is the only way, but I think it's the most logical way. You have a private HZ for a private API. Otherwise, keep the API public and get a normal domain for it. – Marcin Feb 26 '21 at 01:00
  • @RonaldoLanhellas Also, with curl you can ignore the warning about SSL using the `-k` flag. You can try with that: `curl -v -k https://api.privatedomain` – Marcin Feb 26 '21 at 01:03
  • When you say "you have a private HZ for a private API", not really, because I can't point my HZ to the AWS gateway because of the SSL problem. – Ronaldo Lanhellas Feb 26 '21 at 01:07
  • @RonaldoLanhellas You can point it. Route 53 does not worry about SSL. It's only your applications that check it, such as `curl`. Try `curl -v -k https://api.privatedomain`. – Marcin Feb 26 '21 at 01:09
  • I agree, but my .NET Core application that needs to call this API through Route 53 will crash with the SSL problem. Sure, I can configure it to ignore the problem, but I really think this is not a good option, like using curl -k. – Ronaldo Lanhellas Feb 26 '21 at 01:11
  • @RonaldoLanhellas I verified; with a private API you will get the same SSL errors. Using `curl -k` will ignore them, but the API will return forbidden access. And you can't set up a private custom domain for the API, at least I haven't found a way to do that. – Marcin Feb 26 '21 at 06:01
  • @RonaldoLanhellas No problem. For now it seems that you have to stick with the AWS-provided DNS for a private API, or get your own domain for a public API. But the public domain can't be for your private HZ. It must be a normal public domain. – Marcin Feb 26 '21 at 11:02
  • Ok, thanks again Marcin, I will go on using the private DNS provided by AWS – Ronaldo Lanhellas Feb 26 '21 at 11:20
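Why the private-zone CNAME cannot fix the error, as an added example that is not part of the original question or answer: a TLS client verifies the host name from the URL (also sent as SNI), never the CNAME target that DNS resolved it to, so the gateway's wildcard SAN is never compared against `api.privatedomain`. The SAN value and the gateway id below are constructed stand-ins for what the API Gateway default endpoint presents, not values captured from AWS.

```python
"""Hostname verification against a certificate's dNSName SANs, applied to the
thread's two host names. Added example; SAN list and gateway id are constructed."""


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive; a single '*' is allowed
    only as the entire leftmost label and matches exactly one non-empty label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_hostname(sans: list[str], requested_host: str) -> bool:
    """The name checked is the one the client was asked to reach (URL host / SNI).
    DNS may have resolved it via a CNAME, but that target name plays no part here."""
    return any(san_matches(san, requested_host) for san in sans)


# Constructed stand-in for the certificate served on the API Gateway default endpoint.
GATEWAY_SANS = ["*.execute-api.us-east-1.amazonaws.com"]

# Constructed gateway host, i.e. the CNAME target used in the Route 53 record above.
CNAME_TARGET = "abc123.execute-api.us-east-1.amazonaws.com"


def outcome(requested_host: str) -> str:
    """What a verifying client (curl without -k, a .NET HttpClient) ends up with."""
    if verify_hostname(GATEWAY_SANS, requested_host):
        return "ok"
    return "SAN mismatch: no alternative certificate subject name matches " + requested_host


if __name__ == "__main__":
    # https://api.privatedomain resolves to the gateway, but the verified name is
    # still 'api.privatedomain', which no SAN covers -> curl error 51 from the thread.
    print("api.privatedomain ->", outcome("api.privatedomain"))
    # Calling the execute-api name directly matches the wildcard SAN.
    print(CNAME_TARGET, "->", outcome(CNAME_TARGET))
```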