
We have a requirement where we need to call third-party APIs that require certificate validation. Since these APIs are to be called during secret rotation, we have created a Lambda that fetches the certificate from an S3 bucket and attaches it to the HTTP requests. The same Lambda is attached to the secret rotation configuration. But we got an error for the API call:
"The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot"

After looking for a solution, I stumbled upon the approach described here: https://dev.to/leading-edje/aws-lambda-layer-for-private-certificates-465j. I created a Lambda layer with the certificate zipped inside the layer, and also added an environment variable "SSL_CERT_FILE" with the path opt/bin/certname or opt/certname. It still gives the same error. I also exported the layer contents to check whether the certificate is actually present, which it indeed is.

It is a .NET Core Lambda.

Not sure what is missing. Any help would be appreciated.


Answers


  1. Chosen as BEST ANSWER

    "Many TLS/SSL libraries or application frameworks have mechanisms to add additional root certificates to the 'trust store'. Once this is configured, any connections using certificates that were signed by the private root certificate will be automatically trusted.

    On Linux (and macOS) .NET Core uses OpenSSL for cryptography, and OpenSSL allows you to add additional root certificates from a file (in PEM format) using the SSL_CERT_FILE environment variable. The root certificate doesn't need to be 'installed' into the environment." I had uploaded the public [.cer] certificate in the Lambda layer and it was not working. I uploaded the private [.pem] certificate, after which the issue got resolved.


  2. Do you have certificates for the whole certificate chain? Usually there are at least 3 in a chain:

    1. CA (root)
    2. Intermediate CA (signed by 1)
    3. Server Certificate (signed by 2)

    Are you sure SSL_CERT_FILE contains all of them?

    You can use the command below to see how many certificates are in the chain.

    openssl s_client -showcerts -connect your-api-host:443
    
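The two answers above come down to two checks on the file that SSL_CERT_FILE points at: it must be PEM text rather than a binary DER .cer (answer 1), and it must contain the whole chain, not just one certificate (answer 2). The script below is an added example, not code from the thread or from the dev.to article; it bundles both checks into a small POSIX sh pre-flight you can run locally against the layer contents before deploying. It assumes the layer is unpacked under /opt at runtime (documented Lambda layer behaviour), and the sample bundle it writes is a constructed placeholder with fake certificate bodies, so it exercises the format and count checks only; `openssl verify` is run only when a real server certificate path is passed and openssl is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for an SSL_CERT_FILE bundle shipped in a
# Lambda layer. Assumes layers unpack under /opt. Sample data is constructed.

# 0 if the first line is a PEM header; a binary DER .cer will not match.
is_pem_bundle() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN'
}

# Prints the number of complete PEM certificate blocks (matched BEGIN/END).
# Returns 1 if the BEGIN/END markers are unbalanced (truncated file).
count_pem_certs() {
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM blocks: $begins BEGIN vs $ends END" >&2
        return 1
    fi
    echo "$begins"
}

# check_ssl_cert_file BUNDLE [SERVER_CERT]
# Warns if the path is not an absolute /opt/... path (what a layer provides),
# fails on non-PEM input or fewer than two certificates (root + intermediate),
# and, when a server certificate and openssl are available, verifies the chain.
check_ssl_cert_file() {
    path="$1"
    server_cert="$2"
    case "$path" in
        /opt/*) ;;
        *) echo "warning: SSL_CERT_FILE is usually an absolute /opt/... path, got: $path" >&2 ;;
    esac
    [ -r "$path" ] || { echo "not readable: $path" >&2; return 1; }
    is_pem_bundle "$path" || { echo "not PEM text (binary .cer?): $path" >&2; return 1; }
    n=$(count_pem_certs "$path") || return 1
    [ "$n" -ge 2 ] || { echo "only $n certificate(s); expected root and intermediate" >&2; return 1; }
    if [ -n "$server_cert" ] && command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$path" "$server_cert" || return 1
    fi
    echo "ok: $n certificate(s) in $path"
}

# Writes a constructed two-certificate PEM bundle (placeholder bodies, not
# real certificates) so the checks above can be exercised offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUk9PVCBDQSAoY29uc3RydWN0ZWQsIG5vdCBhIHJlYWwgY2VydCk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENBIChjb25zdHJ1Y3RlZCk=
-----END CERTIFICATE-----
EOF
}

# Usage inside a Lambda or on a workstation: check whatever SSL_CERT_FILE names.
if [ -n "${SSL_CERT_FILE:-}" ]; then
    check_ssl_cert_file "$SSL_CERT_FILE"
fi
```

Run it as `SSL_CERT_FILE=/opt/certs/chain.pem sh check_bundle.sh` (paths assumed) against the unpacked layer; a DER .cer fails the PEM check, a single root-only file fails the count check, and passing a server certificate as the second argument to `check_ssl_cert_file` additionally confirms with openssl that the bundle actually validates it.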