Closed StFS closed 2 years ago
Thanks, we'll take a look
A colleague of mine pointed me towards testssl.sh which I ran against our IoT endpoint.
I'm attaching the results of that run but the short version is that the chain of trust is incomplete in Linux and Mozilla but okay in Microsoft, Java and Apple.
Chain of trust NOT ok: Linux (chain incomplete) Mozilla (chain incomplete)
OK: Microsoft Java Apple
I'm not quite sure where to report this to AWS, so can you either do that for me or point me in the right direction?
@biffgaut you can disregard this report (although documentation could possibly be improved slightly).
Our TAM team pointed out that the IoT endpoints come in two varieties. The "plain" one is the one that `aws iot describe-endpoint` returns to you and has the broken SSL certificate chain. However, there is another one which has `-ats` appended to the first part of the FQDN of the IoT endpoint.
This led me to this blog post explaining where the ATS comes from.
So all I needed to do was to make sure that I added the `-ats` suffix and things started working.
The aws-apigateway-iot solutions construct pattern uses the ATS version of the endpoint but there is no documentation explaining what that is. I just thought that in the example used, `-ats` was a part of the regular endpoint hostname and didn't give it another thought and just used what `aws iot describe-endpoint` reported to me. Turns out that you have to append `-ats` to that hostname for it to have a proper cert chain that works with apigateway.
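The following is an added example, not code from the issue or from the aws-solutions-constructs project. It is a small POSIX shell script that derives the ATS hostname from the plain one in the way the comment above describes (the `-ats` suffix goes on the first DNS label, not on the end of the FQDN), and then runs the `openssl s_client` check that underlies testssl.sh's "chain of trust" result against both hostnames, so the incomplete chain on the plain endpoint and the complete one on the `-ats` endpoint can be reproduced without testssl.sh. The hostname `abc123.iot.eu-central-1.amazonaws.com` used in the comments is constructed. Note that the AWS CLI can also return the ATS endpoint directly with `aws iot describe-endpoint --endpoint-type iot:Data-ATS`, which avoids the string manipulation entirely.

```shell
#!/bin/sh
# Added example; not from the issue or the aws-solutions-constructs project.
# Given the "plain" IoT data endpoint hostname returned by
# `aws iot describe-endpoint`, derive the ATS endpoint hostname and show
# the certificate chain and verify result OpenSSL gets for each.

# Insert "-ats" after the first DNS label of the endpoint hostname.
# Constructed example:
#   abc123.iot.eu-central-1.amazonaws.com
#   -> abc123-ats.iot.eu-central-1.amazonaws.com
# A hostname that already carries the suffix is returned unchanged.
ats_endpoint() {
    host="$1"
    first="${host%%.*}"   # first label, e.g. abc123
    rest="${host#*.}"     # everything after the first dot
    case "$first" in
        *-ats) printf '%s\n' "$host" ;;
        *)     printf '%s-ats.%s\n' "$first" "$rest" ;;
    esac
}

# Print the subject/issuer of each certificate the host serves and the
# "Verify return code" OpenSSL reports against the local trust store.
# This is the same check testssl.sh summarises as "chain of trust":
# a non-zero code (e.g. "unable to get local issuer certificate") on the
# plain endpoint and 0 on the -ats endpoint reproduces what the thread
# describes. Requires network access and the openssl CLI.
check_chain() {
    host="$1"
    out=$(printf '' | openssl s_client -connect "$host:443" \
        -servername "$host" -showcerts 2>/dev/null)
    printf '== %s\n' "$host"
    # lines like " 0 s:CN = ..." and "   i:C = US, ..." from -showcerts
    printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ *i:' || true
    printf '%s\n' "$out" | grep 'Verify return code' || true
}

# Usage (assumes the AWS CLI is configured):
#   ./check_iot_chain.sh "$(aws iot describe-endpoint \
#       --query endpointAddress --output text)"
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    plain="$1"
    check_chain "$plain"
    check_chain "$(ats_endpoint "$plain")"
fi
```

Run it with the plain hostname as the single argument; the second block of output should end in `Verify return code: 0 (ok)` while the first, on the plain endpoint, will not if the chain served there is still incomplete for the local trust store.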
Reopening to review the docs.
@biffgaut I created a PR if it helps. Maybe you want to fix the wording though.
Resolved in #827
Deploying the aws-apigateway-iot solutions construct pattern doesn't work because the API Gateway cannot communicate with the IoT Data endpoint due to an SSL error.
Reproduction Steps
1. Deploy the aws-apigateway-iot pattern to AWS (I deployed to eu-central-1 but I've tried a few regions and they all seem to behave the same).
2. Try calling the API endpoint and post a message to the topic through the API Gateway "test" UI.
3. Observe the error that occurs and is displayed in the response (see error log below):
Error Log
Environment
Other
I also did some experiments from my dev machine to verify that the certificate used by the IoT Endpoint was strange:
This, of course, isn't really a bug with the CDK construct but it seems to result in the example provided in this project not working out of the box. If any workaround is possible, I would like to know about that of course.
So I would think that one of two things needs to happen here:
This is :bug: Bug Report