Troubleshoot API Gateway certificate issues for custom domains using TLS

How can I troubleshoot certificate chain and self-signed certificate issues for Amazon API Gateway with custom domains and mutual TLS enabled?

Last updated: 2022-11-01

I am using mutual Transport Layer Security (TLS) authentication with Amazon API Gateway with a custom domain name. I am getting certificate chain or self-signed certificate errors. How can I troubleshoot this?

Short description

Before you begin, make sure that you have:

  • Set up a custom domain name for Amazon API Gateway.
  • Created the certificate chain and self-signed certificate.
  • Imported the certificate chain and self-signed certificate into AWS Certificate Manager (ACM).
  • Configured your truststore and uploaded it to an Amazon Simple Storage Service (Amazon S3) bucket.

Resolution

To see the specific error message returned when you invoke your Amazon API Gateway API, run a curl command similar to the following:

$ curl -v https://mtls.example.info/test-apigw-mtls --key self-signed.key --cert self-signed.pem:"example"

Client errors

"curl: (58) could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)"

This error means that the PEM file has the wrong name, location, or file format. For example, the certificate stored locally is a .crt file, but a .pem file name was used in the API request. To resolve this, make sure that the local client certificate has the correct format and name.

"curl: (6) Could not resolve host: mtls.example.info"

The client wasn't able to resolve the domain name. Make sure that the domain name and configuration are correct.

"curl: (58) schannel: Failed to import cert file self-signed.pem, last error is 0x80092002"

This error means that there is an issue with the local client .pem file. Make sure that the .pem file includes the correct name and format.

"curl: (58) unable to set private key file: 'self-signed.key' type PEM"

This error means that there is an issue with the local client key file. Make sure that the private key passed in the request is present and correct.

Server errors

"Access denied. Reason: self-signed certificate."

Verify that the self-signed client certificate in the API request isn't altered or corrupted.

The following must match exactly:

  • The modulus of the private key (private.key) used to sign the self-signed certificate within the truststore in Amazon S3 (bundle.crt or bundle.pem).
  • The modulus of the client certificate passed in the API request (client.crt).

To compare the moduli, run the following OpenSSL commands:

$ openssl rsa -noout -modulus -in private.key
$ openssl x509 -noout -modulus -in bundle.crt
$ openssl x509 -noout -modulus -in client.crt

Note: To produce a shorter hash value for easier comparison, you can pipe the output modulus into a cryptographic hash function, for example openssl sha1.

$ openssl [operation] -noout -modulus -in [data] | openssl sha1

Example output when the three moduli match:

2143831a73a8bb28467860df18550c696c03fbcb
2143831a73a8bb28467860df18550c696c03fbcb
2143831a73a8bb28467860df18550c696c03fbcb

To confirm that the certificate content wasn't modified, run the following diff command (no output means that the two files are identical):

$ diff client.crt bundle.crt
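The modulus comparison above, scripted as an added example that is not part of the AWS article: the function hashes the RSA modulus of private.key, of the first certificate in bundle.crt and of client.crt the same way the article's pipeline does, and reports which of the three disagrees. It assumes OpenSSL is on PATH and that the key is RSA; the file names are the article's.

```shell
#!/bin/sh
# Added example, not part of the AWS article. Compares the RSA modulus of the
# private key, of the first certificate in the Amazon S3 truststore bundle and
# of the client certificate sent to API Gateway. All three must agree; otherwise
# the handshake fails with "Access denied. Reason: self-signed certificate."
# Assumes OpenSSL on PATH and RSA keys (-modulus is not defined for EC keys).

# modulus_fingerprint <rsa|x509> <file>
# Prints the SHA-1 of the "Modulus=..." line, exactly as the article's
# "openssl ... -modulus | openssl sha1" pipeline does, but fails when the
# file cannot be parsed instead of silently hashing an empty string.
modulus_fingerprint() {
  kind="$1" file="$2"
  mod=$(openssl "$kind" -noout -modulus -in "$file" 2>/dev/null) || return 1
  printf '%s\n' "$mod" | openssl sha1 | awk '{print $NF}'
}

# check_mtls_moduli <private.key> <bundle.crt> <client.crt>
# Returns 0 when the three moduli match, 1 otherwise, naming the mismatch.
check_mtls_moduli() {
  key="$1" bundle="$2" client="$3" rc=0
  key_fp=$(modulus_fingerprint rsa "$key") \
    || { echo "cannot read private key: $key" >&2; return 1; }
  # openssl x509 parses only the first PEM block, so the self-signed client
  # certificate must be the first entry in a multi-certificate truststore.
  bundle_fp=$(modulus_fingerprint x509 "$bundle") \
    || { echo "cannot read truststore bundle: $bundle" >&2; return 1; }
  client_fp=$(modulus_fingerprint x509 "$client") \
    || { echo "cannot read client certificate: $client" >&2; return 1; }
  printf '%s  %s\n' "$key_fp" "$key" "$bundle_fp" "$bundle" "$client_fp" "$client"
  if [ "$key_fp" != "$client_fp" ]; then
    echo "MISMATCH: $client was not issued for the key in $key" >&2; rc=1
  fi
  if [ "$bundle_fp" != "$client_fp" ]; then
    echo "MISMATCH: $client differs from the copy in $bundle (re-upload the truststore)" >&2; rc=1
  fi
  return $rc
}

# Usage with the article's file names:
# check_mtls_moduli private.key bundle.crt client.crt
```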

Introducing mutual TLS authentication for Amazon API Gateway

How do I troubleshoot HTTP 403 Forbidden errors from an API Gateway custom domain name that requires mutual TLS?

Create a private integration using an ALB for an API Gateway HTTP API

How do I create a private integration using an internal Application Load Balancer for an Amazon API Gateway HTTP API?

Last updated: 2022-10-28

I want to create a private integration using an internal Application Load Balancer for an Amazon API Gateway HTTP API. How can I do this?

Resolution

Follow these instructions to create the Amazon Virtual Private Cloud (Amazon VPC) link, HTTP API, private integration, and deploy the HTTP API.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1. If you haven't already done so, follow the instructions to create an Application Load Balancer.

2. Open the API Gateway console, and in the navigation pane choose VPC links.

3. From VPC Links, choose Create.

(Optional) You can also create a VPC link by using the AWS CLI command create-vpc-link similar to the following:

aws apigatewayv2 create-vpc-link --name MyVpcLink \
    --subnet-ids subnet-aaaa subnet-bbbb \
    --security-group-ids sg1234 sg5678

4. From Choose a VPC link version, choose VPC link for HTTP APIs.

5. For Name, enter a name for your VPC link.

6. From the VPC dropdown list, choose the VPC that contains your Application Load Balancer.

7. For Subnets, choose the subnets to include in the VPC link.

8. For Security groups, choose the security groups for the VPC link, and then choose Create.

Create an HTTP API and route

1. Open the API Gateway console, and then choose Create API.

2. For HTTP API, choose Build.

3. For API name, enter a name, and then choose Next.

4. For Configure routes, choose Next.

5. For Configure stages, choose Next, and then choose Create.

6. In the navigation pane, choose Routes, and then choose Create.

7. For Method, choose ANY.

8. For Path, enter /{proxy+} and choose Create.

Create a private integration and deploy the HTTP API

1. Open the API Gateway console, and then choose your HTTP API.

2. In the navigation pane, choose Integrations.

3. For Integrations, choose Manage integrations, and then choose Create.

4. For Attach this integration to a route, choose ANY /{proxy+}.

5. For Integration target, choose Private resource.

6. For Integration details, choose Select manually.

7. For Target service, choose ALB/NLB.

8. For Load balancer, choose your load balancer.

9. For Listener, choose HTTP 80.

10. For VPC link, choose the VPC link that you created, and then choose Create.

11. (Skip this step if auto deploy is active.) Choose Deploy to deploy your HTTP API.

12. For Invoke URL, copy the URL and paste it into a new browser window. For example, https://abcdef123.execute-api.us-east-1.amazonaws.com.

The HTTP API URL renders successfully in the browser window.


Amazon API Gateway HTTP API tutorials

How do I map the response status codes for API Gateway integrations in HTTP APIs?

Pass a connectionId or custom token to VPC Link integration as a header for API Gateway WebSocket APIs

How can I pass a connectionId or custom token to VPC Link integration as a header for Amazon API Gateway WebSocket APIs?

Last updated: 2022-10-26

I want to pass a connectionId or custom token to VPC Link integration as a header for my Amazon API Gateway WebSocket API. How can I do this?

Short description

For WebSocket APIs, the connectionId is required to send a callback response from the backend. By default, WebSocket APIs don't pass the connectionId to the VPC link integration.

Resolution

Using the Amazon API Gateway console and AWS CLI

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1. Follow the instructions to create a REST API VPC link and associate it with your Network Load Balancer.

2. Follow the instructions to set up a WebSocket API integration and create a VPC link private integration endpoint.

3. To retrieve the integration ID, run the AWS CLI command get-integrations similar to the following:

aws apigatewayv2 get-integrations --api-id <api-id>

4. Create and save a JSON file named integration.json in the following format:

{
    "ApiId": "<api-id>",
    "IntegrationId": "<integration id retrieved from previous step>",
    "RequestParameters": {
        "integration.request.header.ConnectionId": "context.connectionId", // passing context variable connectionId as ConnectionId header to backend
        "integration.request.header.<header-key>": "route.request.body.<parameter>", // passing a request body parameter as header to backend
        "integration.request.querystring.<querystring-key>": "'static value'" // passing static value as querystring to backend
    }
}

Note: Before proceeding to step 5, remove the comments that begin with the forward slashes (//) so that the file is valid JSON.

5. To update the integration, run the AWS CLI command update-integration similar to the following:

aws apigatewayv2 update-integration --cli-input-json file://integration.json

6. To apply these changes, follow the instructions to deploy the REST API.

Using AWS CloudFormation

If you manage Amazon API Gateway using CloudFormation, you can use the AWS::ApiGatewayV2::Integration resource to configure request parameters similar to the following:

Integration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref websocket
      ConnectionId: !Ref <VPC-Link-connection-id>
      ConnectionType: VPC_LINK
      IntegrationMethod: <HTTP method to backend>
      IntegrationType: <HTTP_PROXY/HTTP>
      IntegrationUri: "<endpoint-url>"
      RequestParameters:
        "integration.request.header.connectionId": "context.connectionId" # passing context variable 'connectionId' as ConnectionId header to backend
        "integration.request.header.<header-key>": "route.request.body.<parameter>" # passing a request body parameter as header to backend
        "integration.request.querystring.<querystring-key>": "'static value'" # passing static value as querystring to backend

You can use data mapping to map data from a route request to the VPC link backend integration. For more information, see Map route request data to integration request parameters.


Setting up WebSocket API integrations

Troubleshoot "internal server" error status code 500 for API Gateway endpoints with Lambda integration

How can I troubleshoot the "internal server" error with status code 500 for API Gateway endpoints that integrate with Lambda?

Last updated: 2022-10-19

I sent an HTTP request to my Amazon API Gateway API endpoint that integrates with AWS Lambda (for example, /lambda-resource GET). I received a status code 500 response with the following error: {"message": "Internal server error"}

How can I troubleshoot this error?

Short description

This error might be due to:

  • Lambda function permissions
  • Throttling issues
  • Incorrect or missing HTTP status code mapping
  • Unhandled errors

Resolution

Before you begin, follow the steps to turn on Amazon CloudWatch Logs for troubleshooting API Gateway errors.

Note: For Log level, choose INFO to generate execution logs for all requests.

Lambda function permissions

The error “Invalid permissions on Lambda function” occurs if API Gateway doesn't have permissions to invoke the Lambda function. To resolve this, see How do I resolve "Invalid permissions on Lambda function" errors from API Gateway REST APIs?

Note: If you used another service, such as AWS CloudFormation, to deploy your API Gateway resources, make sure that you have permissions to the AWS::Lambda::Permission resource.

Throttling issues

If the backend service is throttled because of a high number of requests, the API Gateway API might return an "Internal server error". Implement an exponential backoff and retry mechanism on the client, and then try the request again. If the issue persists, check your API Gateway quota limit. If you exceeded the service quota limit, you can request a quota increase.

You might also receive "Rate exceeded" and 429 "TooManyRequestsException" errors due to Lambda function throttling issues. For more information, see How do I troubleshoot Lambda function throttling with "Rate exceeded" and 429 "TooManyRequestsException" errors?

You can also request an increase for the Lambda function's concurrency limit so that the function doesn't get throttled. For instructions, see How do I request a concurrency limit increase for my Lambda function?

Incorrect or missing HTTP status code mapping

Incorrect or missing HTTP status code mapping can also result in 500 errors similar to the following:

"Execution failed due to configuration error: Output mapping refers to an invalid method response: 2xx/4xx/5xx".

To resolve this error, make sure that an API method response exists for the status code returned from the backend and is mapped correctly.

Unhandled errors

Unhandled errors in Lambda indicate that the function timed out because of errors in the function code. To prevent this error, make sure that the Lambda function code is idempotent.

You can also use the debugging tool AWS X-Ray to get more details on how long different sections of your function's code take to complete.

For more information, see Error handling patterns in Amazon API Gateway and AWS Lambda.


How can I troubleshoot 5xx errors for API Gateway?

Delete an Amazon VPC link for an Amazon API Gateway REST API

How can I delete an Amazon VPC link for my Amazon API Gateway REST API?

Last updated: 2022-10-04

I'm trying to delete my Amazon Virtual Private Cloud (Amazon VPC) link for my Amazon API Gateway REST API and received the following error:

"Cannot delete VPC link referenced in format of [Method:Resource]."

How can I resolve this?

Short description

If a resource using the Amazon VPC link integration is deleted, then you can't delete the link.

Resolution

To delete the Amazon VPC link, follow these steps depending on whether the REST API was or was not deployed.

Deployed REST APIs

Switch the integration type from the Amazon VPC link to another type. For example, a mock integration, HTTP integration, or AWS integration type. After switching the integration type, redeploy the REST API to the same stage name that you previously deployed. Then, try deleting the Amazon VPC link again.

Undeployed REST APIs

Switch the integration type from the Amazon VPC link to another type. For example, a mock integration, HTTP integration, or AWS integration type. Then, try deleting the Amazon VPC link again.


Tutorial: Build a REST API with API Gateway private integration

How can I access an API Gateway private REST API in another AWS account using an interface VPC endpoint?

Access an Amazon API Gateway API from another AWS account

How can I access an Amazon API Gateway API from another AWS account?

Last updated: 2022-10-03

I want to access an Amazon API Gateway API from another AWS account. How can I do this?

Short description

Public API endpoints (Regional or edge-optimized) can be accessed directly from the public endpoint stage URL or a custom domain name.

Private REST API endpoints can be accessed from a virtual private cloud in Amazon Virtual Private Cloud (Amazon VPC) using an interface VPC endpoint.

Amazon API Gateway endpoints can be accessed using AWS Identity and Access Management (IAM) authentication with cross-account access.

Resolution

Public API endpoints

You can access API Gateway public endpoints directly from the API stage URL. For example, https://0123456789.execute-api.{region}.amazonaws.com/{stage-name}.

You can also access API Gateway public endpoints using a custom domain name in a public hosted zone.

Note: Custom domain names aren't supported for private APIs.

For more information, see How can I set up a custom domain name for my API Gateway API?

Private REST API endpoints

You can access API Gateway private REST APIs in another AWS account with an Amazon Virtual Private Cloud (Amazon VPC) using an interface endpoint.

If your private REST API is located in an AWS account and you want to access it from another account, you can edit the resource policy.

For more information, see How can I access an API Gateway private REST API in another AWS account using an interface VPC endpoint?

APIs using IAM authentication

Additional configuration is required to access an API Gateway API with cross-account access that uses IAM authentication. The IAM role of the source account must be allowed explicit access in the resource policy similar to the following:

REST APIs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account-id-2:user/Alice",
          "account-id-2"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:{account-id}:{api-id}/*/*/*"
      ]
    }
  ]
}

For more information, see How do I activate IAM authentication for API Gateway REST APIs?

HTTP APIs

The option to use resource policies to provide IAM authentication for cross-account access isn't available for API Gateway HTTP APIs.

You can use the sts:AssumeRole API action to assume a role for the HTTP API account. The assumed role provides temporary security credentials that can be used to invoke the HTTP API in another account.

For more information, see How can I provide cross-account IAM authorization for API Gateway HTTP APIs?


Creating a private API in Amazon API Gateway

Example: Allow users in another AWS account to use an API
