Lambda API 调用使用证书出现错误,因为证书链中存在错误:UntrustedRoot。

huangapple go评论115阅读模式
英文:

Lambda API Call with Certificate Gives The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

问题

我们有一个需求,需要调用需要证书验证的第三方API。由于这些API需要进行密钥轮换,因此我们创建了一个Lambda函数,从S3存储桶中获取证书并将其附加到HTTP请求中。同样的Lambda函数也附加到了密钥轮换配置中。但在调用API时出现了错误,错误消息如下:

"由于证书链中的错误而使远程证书无效:不受信任的根证书"

在寻找解决方案时,我们偶然发现了一个方法,如下所述:https://dev.to/leading-edje/aws-lambda-layer-for-private-certificates-465j。我们创建了一个Lambda层,将证书压缩在层内。还添加了一个名为"SSL_CERT_FILE"的环境变量,路径为opt/bin/certname或opt/certname。但仍然出现相同的错误。还导出了层的内容以检查证书是否实际存在,结果证实证书确实存在。

这是一个.Net Core Lambda函数。

不确定缺少什么。任何帮助将不胜感激。

Lambda API 调用使用证书出现错误,因为证书链中存在错误:UntrustedRoot。

英文:

We have a requirement where we need to call third party APIs which requires a certification validation. As these APIs are to be called with secret rotation hence we have created a Lambda which fetches certificate from s3 bucket and attaches with http requests. The same lambda is attached to Secret Rotation configuration. But we got error for API call as
"The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot"

After looking for a solution stumbled upon an approach as stated here https://dev.to/leading-edje/aws-lambda-layer-for-private-certificates-465j. Created a lambda layer with certificate zipped inside layer. And also added environment variable as "SSL_CERT_FILE" with path opt/bin/certname or opt/certname. Still it gives the same error. Also exported layer contents to check if certificate is actually present which it is indeed.

It is .Net Core Lambda.

Not sure what is missing. Any help would be appreciated

Lambda API 调用使用证书出现错误,因为证书链中存在错误:UntrustedRoot。

答案1

得分: 0

您是否拥有完整的证书链?通常,证书链至少包括3个部分:

  1. CA(根证书)
  2. 中间证书颁发机构(由1签发)
  3. 服务器证书(由2签发)

您确定 SSL_CERT_FILE 包含了它们所有吗?

您可以使用以下命令查看链中有多少证书:

openssl s_client -showcerts -connect your-api-host:443
英文:

Do you have certificates for the whole certificate chain. Usually there are at least 3 in a chain

  1. CA (root)
  2. Intermediate CA (signed by 1)
  3. Server Certificate (signed by 2)

Are you sure SSL_CERT_FILE contains all of them?

You can you the command below to see how many certificates are in the chain.

openssl s_client -showcerts -connect your-api-host:443

答案2

得分: 0

"许多 TLS/SSL 库或应用程序框架都具有将额外的根证书添加到“信任存储”中的机制。一旦配置完成,任何使用由私有根证书签名的证书的连接将自动受信任。

在 Linux(和 macOS)上,.NET Core 使用 OpenSSL 进行加密,OpenSSL 允许您使用 SSL_CERT_FILE 环境变量从文件(以 PEM 格式)添加额外的根证书。根证书不需要“安装”到环境中。我在 Lambda 层中上传了公共 [.cer] 证书,但它不起作用。之后,我上传了私有 [.pem] 证书,问题得以解决。"

英文:

"Many TLS/SSL libraries or application frameworks have mechanisms to add additional root certificates to the "trust store". Once this is configured, any connections using certificates that were signed by the private root certificate will be automatically trusted.

On Linux (and macOS) .NET Core uses OpenSSL for cryptography and OpenSSL allows you to add additional root certificates from a file (in PEM format) using the SSL_CERT_FILE environment variable. The root certificate doesn't need to be "installed" into the environment". I had uploaded public [.cer] certificate in lambda layer and it was not working. I uploaded private [.pem] certificate after which issue got resolved.

huangapple
  • 本文由 发表于 2023年4月7日 02:45:01
  • 转载请务必保留本文链接:https://go.coder-hub.com/75952793.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定