AWS ACM verified ALB SSL issue











up vote
0
down vote

favorite












I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



Name: _xxxxxxxxxxx.test.example.com



Type: CNAME



Value: xxxxxx.xxx.acm-validations.aws.


I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



cURL:



Code:



curl -X POST 

  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi 

  -H 'Content-Type: application/json' 

  -H 'cache-control: no-cache' 

  -d '{

    "paras1": "xxxxx"

}'


Error:



* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server accepted to use http/1.1

* Server certificate:

*  subject: CN=test.example.com

*  start date: Nov 11 00:00:00 2018 GMT

*  expire date: Dec 11 12:00:00 2019 GMT

*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com

* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'

* Closing connection 0

* TLSv1.2 (OUT), TLS alert, Client hello (1):

curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


Python Requests:



Code:



import requests



url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"



payload = "{"paras1": "xxxxx"}"

headers = {

    'Content-Type': "application/json",

    'cache-control': "no-cache"

    }



response = requests.request("POST", url, data=payload, headers=headers)



print(response.text)


Error:



HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 

Max retries exceeded with url: /prod/testapi 

(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))





amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer







share|improve this question


























    up vote
    0
    down vote

    favorite












    I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



    I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



    Name: _xxxxxxxxxxx.test.example.com
    

    
Type: CNAME
    

    
Value: xxxxxx.xxx.acm-validations.aws.


    I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



    cURL:



    Code:



    curl -X POST 
    
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi 
    
  -H 'Content-Type: application/json' 
    
  -H 'cache-control: no-cache' 
    
  -d '{
    
    "paras1": "xxxxx"
    
}'


    Error:



    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    
* ALPN, server accepted to use http/1.1
    
* Server certificate:
    
*  subject: CN=test.example.com
    
*  start date: Nov 11 00:00:00 2018 GMT
    
*  expire date: Dec 11 12:00:00 2019 GMT
    
*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
    
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
    
* Closing connection 0
    
* TLSv1.2 (OUT), TLS alert, Client hello (1):
    
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


    Python Requests:



    Code:



    import requests
    

    
url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"
    

    
payload = "{"paras1": "xxxxx"}"
    
headers = {
    
    'Content-Type': "application/json",
    
    'cache-control': "no-cache"
    
    }
    

    
response = requests.request("POST", url, data=payload, headers=headers)
    

    
print(response.text)


    Error:



    HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
    
Max retries exceeded with url: /prod/testapi 
    
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))





    amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer







    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



      I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



      Name: _xxxxxxxxxxx.test.example.com
      

      
Type: CNAME
      

      
Value: xxxxxx.xxx.acm-validations.aws.


      I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



      cURL:



      Code:



      curl -X POST 
      
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi 
      
  -H 'Content-Type: application/json' 
      
  -H 'cache-control: no-cache' 
      
  -d '{
      
    "paras1": "xxxxx"
      
}'


      Error:



      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      
* ALPN, server accepted to use http/1.1
      
* Server certificate:
      
*  subject: CN=test.example.com
      
*  start date: Nov 11 00:00:00 2018 GMT
      
*  expire date: Dec 11 12:00:00 2019 GMT
      
*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
      
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
      
* Closing connection 0
      
* TLSv1.2 (OUT), TLS alert, Client hello (1):
      
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


      Python Requests:



      Code:



      import requests
      

      
url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"
      

      
payload = "{"paras1": "xxxxx"}"
      
headers = {
      
    'Content-Type': "application/json",
      
    'cache-control': "no-cache"
      
    }
      

      
response = requests.request("POST", url, data=payload, headers=headers)
      

      
print(response.text)


      Error:



      HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
      
Max retries exceeded with url: /prod/testapi 
      
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))





      amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer







      share|improve this question













      I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.



      I requested the public certificate for a subdomain from ACM: test.example.com and create a CNAME in route 53 for it:



      Name: _xxxxxxxxxxx.test.example.com
      

      
Type: CNAME
      

      
Value: xxxxxx.xxx.acm-validations.aws.


      I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.



      cURL:



      Code:



      curl -X POST 
      
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi 
      
  -H 'Content-Type: application/json' 
      
  -H 'cache-control: no-cache' 
      
  -d '{
      
    "paras1": "xxxxx"
      
}'


      Error:



      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      
* ALPN, server accepted to use http/1.1
      
* Server certificate:
      
*  subject: CN=test.example.com
      
*  start date: Nov 11 00:00:00 2018 GMT
      
*  expire date: Dec 11 12:00:00 2019 GMT
      
*  subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
      
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
      
* Closing connection 0
      
* TLSv1.2 (OUT), TLS alert, Client hello (1):
      
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'


      Python Requests:



      Code:



      import requests
      

      
url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"
      

      
payload = "{"paras1": "xxxxx"}"
      
headers = {
      
    'Content-Type': "application/json",
      
    'cache-control': "no-cache"
      
    }
      

      
response = requests.request("POST", url, data=payload, headers=headers)
      

      
print(response.text)


      Error:



      HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443): 
      
Max retries exceeded with url: /prod/testapi 
      
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))





      amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer




      amazon-web-services ssl ssl-certificate amazon-elb aws-load-balancer






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 11 at 20:51









      simonhb1990

      366




      366
























          2 Answers
          2






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer





















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36


















          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer



















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53253114%2faws-acm-verified-alb-ssl-issue%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer





















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36















          up vote
          2
          down vote



          accepted











          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer





















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36













          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted







          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"





          share|improve this answer













          I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)




          That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:



          url = "https://test.example.com/prod/testapi"






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 12 at 1:59









          Michael - sqlbot

          87.1k12127190




          87.1k12127190












          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36


















          • Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
            – simonhb1990
            Nov 12 at 17:36
















          Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
          – simonhb1990
          Nov 12 at 17:36




          Thanks. I create A record in route 53 to point test.example.com to the ELB and it works.
          – simonhb1990
          Nov 12 at 17:36












          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer



















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00















          up vote
          0
          down vote













          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer



















          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00













          up vote
          0
          down vote










          up vote
          0
          down vote









          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).






          share|improve this answer














          Clearly, you call xxxx.us-east-1.elb.amazonaws.com which is set up with a certificate for test.example.com. Despite the certificate may be valid it does not match the URL you are calling which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html



          Edit: thanks for the comment. I am not sure how I read "elb" as an api gateway. My fault. Still the DNS for the ELB has to match the one in the certificat. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 12 at 11:45

























          answered Nov 11 at 22:12









          petrch

          31626




          31626








          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00














          • 1




            This question doesn't mention API Gateway.
            – Michael - sqlbot
            Nov 12 at 2:00








          1




          1




          This question doesn't mention API Gateway.
          – Michael - sqlbot
          Nov 12 at 2:00




          This question doesn't mention API Gateway.
          – Michael - sqlbot
          Nov 12 at 2:00


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53253114%2faws-acm-verified-alb-ssl-issue%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Florida Star v. B. J. F.

          Image
          Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
          Read more

          Danny Elfman

          Image
          Danny Elfman From Wikipedia, the free encyclopedia Jump to navigation Jump to search Danny Elfman Elfman at the 2010 San Diego Comic-Con Born Daniel Robert Elfman ( 1953-05-29 ) May 29, 1953 (age 65) Los Angeles, California, U.S. Spouse(s) Bridget Fonda ( m.  2003) Children 1 Musical career Genres Rock [1] ska [2] new wave film music video game music Occupation(s) Composer, singer, songwriter, record producer Instruments Trombone guitar percussion vocals keyboards [3] Years active 1972–present Associated acts Oingo Boingo James Newton Howard Daniel Robert Elfman (born May 29, 1953) is an American composer, singer, songwriter, and record producer. Elfman first became known for being the lead singer and songwriter for the band Oingo Boingo from 1974 to 1995. He is well known for scoring films and television shows, particularly his frequent collabora
          Read more

          Retrieve a Users Dashboard in Tumblr with R and TumblR. Oauth Issues

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I am trying to use the TumblR package in R to set up the Oauth Authentication to Retrieve a user's dashboard using the second example in tumblR documentation However I get the following error, it seems that using twitter others have been able to use a different function to get around this, but I am not finding the same function available for Tumblr. See twitter package for R authentication: error 401 My code consumer_key <- OKey consumer_secret <- SKey appname <- App_name tokenURL <- 'http://www.tumblr.com/oauth/request_token' accessTokenURL <- 'http://www.tumblr.com/oauth/acces_token'
          Read more