Cname for AWS API Gateway custom domain






The concept is simple.



Create a Cname switch that points to blue / green deployment channels via AWS API Gateway. The API has two stages for blue and green mapped back into an environment variable which in turn maps back into the Lambda alias associated with its own dedicated version. Therefore there are now two separate channels for conducting deployments into. All of this works fine.



The issue arises when a Cname is created in Route53 to point to either of the API Gateway's blue or green custom domains. The SSL cert is held in AWS Certificate Manager.



When we call the blue endpoint via the Cname we get an SSL error


curl -Il -H "Host:blue-api.example.com" -H "x-api-key:xxxxxxxxx" \
  -X GET https://cname-api.example.com/questions/health



curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect



Whereas when we call the custom domain directly it works


curl -Il -H "Host:blue-api.example.com" -H "x-api-key:xxxxxxxxx" \
  -X GET https://blue-api.example.com/questions/health



HTTP/1.1 200 OK



Any pointers or suggestions would be much appreciated?



Response to first comment



Thanks Michael - yes we've exported the SSL Certs from eu-west-1 into the AWS Cert Manager for us-east-1, as we are running an edge optimised custom domain name. The API Gateway generated Cloudfront is hosted in us-east-1 along with the custom domain and the cname, but the root domain is hosted in eu-west-1. This may be the issue?



We are trying some further tests around enabling the following headers and will report back -


ResponseParameters:
method.response.header.Access-Control-Allow-Headers: true
method.response.header.Access-Control-Allow-Methods: true
method.response.header.Access-Control-Allow-Origin: true



I realise that we can use one custom domain, and carve up the channels using stages mapped to paths instead, but the aforementioned is the preferred solution.



We also have a ticket open with AWS as this has also flummoxed them, and has been escalated to their Internal service team.



:)





You can't arbitrarily point a CNAME to an API Gateway endpoint, which is what it sounds like you are doing. The endpoint you point to has to be the one endpoint that is configured to expect that value in the Host header and SNI. It isn't clear exactly how (or whether) you have attempted to link the custom hostname with the deployment within API Gateway or associate the ACM cert with it.
– Michael - sqlbot
Jul 19 at 0:46
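An added diagnostic, not from the question or the comment, that separates the two things the comment mentions: the address the CNAME resolves to and the name presented in SNI. Both probes connect to whatever cname-api.example.com resolves to, one presenting the CNAME itself and one presenting the custom domain the edge was configured for; the hostnames are the question's own, and the wildcard-matching helper is an assumption about how curl evaluates the returned certificate, not anything AWS states here.

```python
import socket
import ssl

# Hostnames taken from the question; the edge address is resolved at run time.
CNAME_NAME = "cname-api.example.com"     # the Route53 CNAME the curl call fails on
CUSTOM_DOMAIN = "blue-api.example.com"   # the API Gateway custom domain that works


def san_covers(sans, hostname):
    """True if one of the certificate's DNS SANs matches hostname.
    A wildcard is honoured only in the leftmost label and matches exactly
    one label (RFC 6125 style, which is how curl and browsers apply it)."""
    host = hostname.rstrip(".").lower().split(".")
    for san in sans:
        labels = san.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) > 2 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def tls_probe(connect_host, sni_name, port=443, timeout=5):
    """Open a TLS session to connect_host while presenting sni_name in the
    ClientHello, which is what `curl https://<sni_name>/` does once DNS has
    resolved the name. Reports the handshake result and the cert's SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; SAN mismatch reported below
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                cert = tls.getpeercert()
                sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
                return {"ok": True, "sans": sans, "covers_sni": san_covers(sans, sni_name)}
    except (ssl.SSLError, OSError) as exc:
        # A handshake alert here is the "(35) SSL peer handshake failed" curl shows.
        return {"ok": False, "error": str(exc)}


def diagnose(cname_name=CNAME_NAME, custom_domain=CUSTOM_DOMAIN):
    """Same target address for both probes, different SNI: if only the
    second succeeds, the edge does not recognise the CNAME as an alias."""
    return {
        "sni=" + cname_name: tls_probe(cname_name, cname_name),
        "sni=" + custom_domain: tls_probe(cname_name, custom_domain),
    }


if __name__ == "__main__":
    for label, result in diagnose().items():
        print(label, result)
```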






1 Answer



So after many weeks of to-ing and fro-ing with Amazon Support we got a solution working, but perhaps not the most cost effective as the early solution mentioned.



Workflow -



1. Create API GW, where each stage has its own custom domain.



E.G. blue-stage > blue-api.example.com and green-stage > green-api.example.com



2. Then create a Cname in the same AWS region as where the API GW has been created.
E.G. cname-api.example.com



3. Create a Cloudfront instance with the same DNS entry (duplicate) used for the Cname (cname-api.example.com) and point this Cloudfront instance to an arbitrary S3 bucket.



Now make the request


curl -Il -H "Host:blue-api.example.com" -H "x-api-key:xxxxxxxxx" \
  -X GET https://cname-api.example.com/questions/health



HTTP/1.1 200 OK



Yes this is overkill for what we need to achieve and also not the most cost effective nor are we doing KISS (Keep It Simple Stupid). So yeah - it would be great to hear back on how others are building similar infrastructure!





