
I have two reverse proxies set up to access

  1. OpenSearch
  2. Neptune DB.

I use the public IP address of the EC2 instance in which nginx is running and can successfully get results using their URLs in the browser, either querying OpenSearch or Neptune DB with Gremlin (i.e.: https://ec2-public-adress.amazonaws.com:NEPTUNEport/?gremlin=g.V().count().limit(2)).

However, when I try via gremlinpython client, I do not succeed due to an SSL certificate error.

import os
from gremlin_python.driver import client

# Neptune connection setup: the endpoint here is the EC2 host running nginx,
# read from the environment
neptune_endpoint = os.environ.get('NEPTUNE_ENDPOINT')
neptune_port = os.environ.get('NEPTUNE_PORT')
neptune_uri = f'wss://{neptune_endpoint}:{neptune_port}/gremlin'
conn = client.Client(neptune_uri, 'g')

# Gremlin query to retrieve sentenceID from the 'Sentences' label
query_existing_IDs = """
g.V().hasLabel('Sentences').values('sentenceID').limit(2)
"""

# The websocket handshake (and its TLS verification) happens on submit
response = conn.submit(query_existing_IDs)
result = response.all().result()
print(result)

I get

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot
connect to host xxxx.compute-1.amazonaws.com:xxxx ssl:True
[SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid
for ‘xxxx.compute-1.amazonaws.com’. (_ssl.c:1002)")] Unclosed client
session client_session: <aiohttp.client.ClientSession object at
0x000001D6BBD25390>

I tried writing "127.0.0.1 localhost xxx.compute-1.amazonaws.com:xxxx" to my hosts file and saving it, but with no success.

P.S.: I do have to click through and forcibly ignore some insecure-website warnings when querying the databases from the browser. This probably relates to the SSL certificate failing too.

2 Answers


  1. So this is working as expected. The SSL certs used by the Neptune service are only signed using the related Neptune endpoints (cluster endpoint, reader endpoint, and associated instance endpoint). If you send an HTTP request (through a proxy, for example) then the host header for that request is not going to equal any of the hostnames used in creating the SSL cert. Hence the SSL cert invalid response.

    From a security perspective, it is generally bad practice to ignore SSL cert validation when making requests to a given service. I would suggest one of two approaches to handle this:

    1. Establish a private connection to your VPC using a VPN connection (Site-to-Site or Client VPN connection), or
    2. Use an ALB or NLB with TLS/SSL termination. This will also require attaching an SSL certificate to the ALB/NLB and will require the use of your own domain name. But this would be the most secure method, as the request to the ALB/NLB would pass SSL certificate validation, as would the backend request going from the ALB/NLB to Neptune.

    An alternative to these approaches is to put your middle-tier/API layer within the AWS VPC where Neptune is hosted. And then only expose your API endpoints publicly. If using AWS API Gateway, this becomes even more secure as you can enable things like API throttling and even front the API Gateway with a Web Application Firewall (WAF).

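To make the first answer's point concrete, here is an added example (not code from the question or either answer) of the check a TLS client performs: the hostname it was told to connect to must match a DNS entry in the certificate's subjectAltName. The certificate dict and the Neptune-style endpoint names are constructed, and the matcher is a simplified RFC 6125-style reimplementation (CPython delegates the real check to OpenSSL), so it shows why the EC2 public hostname fails while a name the certificate actually carries passes.

```python
"""Why the client reports 'Hostname mismatch': the name it connects to must
match a DNS entry in the certificate's subjectAltName (SAN)."""
from typing import Iterable

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); the endpoint
# names are hypothetical and not taken from any real Neptune cluster.
CONSTRUCTED_PEERCERT = {
    "subject": ((("commonName", "mycluster.cluster-abc123.us-east-1.neptune.amazonaws.com"),),),
    "subjectAltName": (
        ("DNS", "mycluster.cluster-abc123.us-east-1.neptune.amazonaws.com"),
        ("DNS", "mycluster.cluster-ro-abc123.us-east-1.neptune.amazonaws.com"),
        ("DNS", "*.abc123.us-east-1.neptune.amazonaws.com"),
    ),
}

def sans_from_peercert(cert: dict) -> list[str]:
    """Collect the DNS names from a getpeercert()-style dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a wildcard that covers exactly one
    leftmost label (no partial-label wildcards, never across a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False
    h_head, _, h_tail = hostname.partition(".")
    return bool(h_head) and "*" not in h_head and h_tail == tail

def names_allowed(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the hostname the client is connecting to."""
    return any(san_matches(s, hostname) for s in sans)

def diagnose(cert: dict, hostname: str) -> str:
    """One-line verdict for the name the client is about to connect to."""
    sans = sans_from_peercert(cert)
    if names_allowed(sans, hostname):
        return f"OK: {hostname} is covered by the certificate"
    return f"MISMATCH: {hostname} not in SANs {sans}"

if __name__ == "__main__":
    # The EC2 public hostname in front of nginx is not in the SANs, so the
    # client must reject it; the Neptune endpoint names pass.
    print(diagnose(CONSTRUCTED_PEERCERT, "ec2-1-2-3-4.compute-1.amazonaws.com"))
    print(diagnose(CONSTRUCTED_PEERCERT, "mycluster.cluster-abc123.us-east-1.neptune.amazonaws.com"))
```

Running `diagnose` against the hostname in your `NEPTUNE_ENDPOINT` tells you in advance whether that name can ever pass verification, which is exactly why the answer's ALB/NLB-with-your-own-domain option works and the proxy's EC2 hostname does not.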
  2. If you’re seeing an SSL certificate error while trying to access Neptune DB through an Nginx reverse proxy, here are some simple steps to troubleshoot:

    1. Check your SSL certificate: Make sure your SSL certificate is up to date and hasn’t expired. Renew it if needed.
    2. Verify certificate installation: Double-check that you’ve installed the SSL certificate correctly on both Neptune DB and Nginx.
    3. Look into Nginx configuration: Examine your Nginx configuration files. Pay attention to settings like ssl_certificate and ssl_certificate_key.
    4. Check for SNI issues: If you have multiple SSL certificates, ensure Server Name Indication (SNI) is set up properly in Nginx.
    5. Inspect SSL protocols and ciphers: Review SSL protocols and ciphers in your Nginx settings. Ensure they match Neptune DB requirements.
    6. Verify the Neptune DB security group: Confirm that Neptune DB’s security group allows incoming connections on the SSL port, and that Nginx is permitted to communicate.
    7. Look for error messages: Check the Nginx error log (/var/log/nginx/error.log) for SSL-related issues. Neptune DB logs might also provide useful info.
    8. Update Nginx and OpenSSL: Ensure Nginx and OpenSSL are up to date to avoid any known SSL vulnerabilities.

    By going through these steps, you can likely pinpoint and resolve the SSL certificate error smoothly.
