We have a requirement where we need to call third-party APIs which require certificate validation. As these APIs are to be called with secret rotation, we have created a Lambda which fetches the certificate from an S3 bucket and attaches it to the HTTP requests. The same Lambda is attached to the Secret Rotation configuration. But we got the following error for the API call:
"The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot"
After looking for a solution, I stumbled upon the approach described here: https://dev.to/leading-edje/aws-lambda-layer-for-private-certificates-465j. I created a Lambda layer with the certificate zipped inside the layer, and also added the environment variable "SSL_CERT_FILE" with the path opt/bin/certname or opt/certname. It still gives the same error. I also exported the layer contents to check whether the certificate is actually present, which it indeed is.
It is a .NET Core Lambda.
Not sure what is missing. Any help would be appreciated.
2 Answers
"Many TLS/SSL libraries or application frameworks have mechanisms to add additional root certificates to the 'trust store'. Once this is configured, any connections using certificates that were signed by the private root certificate will be automatically trusted.
On Linux (and macOS) .NET Core uses OpenSSL for cryptography, and OpenSSL allows you to add additional root certificates from a file (in PEM format) using the SSL_CERT_FILE environment variable. The root certificate doesn't need to be 'installed' into the environment." I had uploaded the public [.cer] certificate in the Lambda layer and it was not working. I uploaded the private [.pem] certificate, after which the issue got resolved.
Do you have certificates for the whole certificate chain? Usually there are at least 3 in a chain.
Are you sure SSL_CERT_FILE contains all of them?
You can use the command below to see how many certificates are in the chain.
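An added check for the two answers above (my own example, not code from the question, the answers or the linked article): it reads the file that SSL_CERT_FILE points at the way OpenSSL will, reports whether it is binary DER rather than PEM, counts the CERTIFICATE blocks so you can see whether the whole chain is present, and flags a relative path such as opt/certname (Lambda layers are mounted under /opt, so the value has to be absolute). The sample bundle is constructed for the demonstration and holds stand-in DER bodies, not real certificates.

```python
"""Sanity-check the bundle that SSL_CERT_FILE points at, as OpenSSL would read it."""
import base64
import os
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def inspect_bundle(data: bytes) -> dict:
    """Report format, certificate count and problems for a trust-bundle file."""
    report = {"format": None, "cert_count": 0, "problems": []}
    # A DER certificate is a raw ASN.1 SEQUENCE, whose first byte is tag 0x30.
    # OpenSSL expects PEM in SSL_CERT_FILE, so a DER .cer adds nothing to the store.
    if data[:1] == b"\x30":
        report["format"] = "DER"
        report["problems"].append("binary DER file; convert it to PEM before use")
        return report
    report["format"] = "PEM"
    blocks = PEM_BLOCK.findall(data)
    report["cert_count"] = len(blocks)
    if not blocks:
        report["problems"].append("no 'BEGIN CERTIFICATE' block found")
    for i, body in enumerate(blocks, 1):
        try:  # each PEM body must be base64 of a DER SEQUENCE
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            report["problems"].append(f"certificate {i}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            report["problems"].append(f"certificate {i}: decoded data is not an X.509 SEQUENCE")
    if 0 < len(blocks) < 3:
        report["problems"].append(f"only {len(blocks)} certificate(s); a full chain usually has at least 3")
    return report


def check_ssl_cert_file(path: str) -> list:
    """Problems with the SSL_CERT_FILE value itself (the layer is mounted under /opt)."""
    problems = []
    if not path.startswith("/"):
        problems.append(f"'{path}' is relative; use an absolute path such as /opt/<certname>.pem")
    elif not os.path.isfile(path):
        problems.append(f"'{path}' does not exist in this runtime")
    return problems


# Constructed sample: three well-formed PEM blocks whose bodies are a tiny
# stand-in SEQUENCE (30 03 02 01 01), not real certificates.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01")  # b"MAMCAQE="
SAMPLE_BUNDLE = b"\n".join(
    [b"-----BEGIN CERTIFICATE-----", FAKE_DER_B64, b"-----END CERTIFICATE-----"] * 3
)
```

Point `inspect_bundle` at the bytes of the file in your layer (for example `open("/opt/certname.pem", "rb").read()`) and `check_ssl_cert_file` at the value of the environment variable; an empty `problems` list and a count matching your chain is what you want to see.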