This repository has been archived by the owner on Nov 9, 2022. It is now read-only.

Certificate Chain error when creating custom domain name #49

Closed
jakul opened this issue Jul 18, 2016 · 4 comments

@jakul
Contributor

jakul commented Jul 18, 2016

Hi,

I'm trying to make a Custom Domain Name, using a certificate I just uploaded to IAM, but CloudFormation gives an error when trying to create it.

Failed to create resource. BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4). See the details in CloudWatch Log Stream: 2016/07/18/[$LATEST]b115a9ff77954bba9d8b3f64cc6af1f6

I think there is some problem with the decoding/re-encoding of the certificate chain, because it comes out looking deformed in the log messages from the lambda:

2016-07-18T11:24:27.301Z    2f501ec2-4cda-11e6-8a70-7f05c0d1cebb    Error ApiDomainNameService::createDomainName { error:  { [BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)] message: 'Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)', code: 'BadRequestException', time: Mon Jul 18 2016 11:24:27 GMT+0000 (UTC), requestId: '2fadceac-4cda-11e6-b3b8-8d2831983c32', statusCode: 400, retryable: false, retryDelay: 30.29568309430033 }, params:  { certificateBody: '-----BEGIN CERTIFICATE-----\nMIIEuTCCA6GgAwIBAgIDBdeTMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy\nNTYgQ0EgLSBHMzAeFw0xNTA3MjExOTIyMDBaFw0xNzA3MjIyMTUzMTBaMIGWMRMw\nEQYDVQQLEwpHVDk0NzM3MDU4MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv\nbS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW\nYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEbMBkGA1UEAwwSKi5ib3VnaHRieW1hbnku\nY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0KaZSOt5K68kxlBV\ny1rGIDquSzthfhfchXIYd46mOkkwLUpQfY9DmCxrCgN4HxsA+1fRuXyfzk8yMt/M\nVTZxU3RPlsuZGJFKOcixg/UJGly4vIUFO3ZGOlAYt4PEMKX51mY8oIYNVt1lM7SZ\nNJOLzR4fiE7yGPIP01tdnINeambG3cGZ9MNl8EDhSOfYrb4tOkk6cfgvtukj1Ulg\n6/UZW9bhsLJtR3lHW7uSFptyA2elWiFm++QFEvykSXcrMCpdr3vnajYnJP6STSRi\nOW7NHI7gLy65sXUKq5/XFtAbt/MG9Wx6PbV2XalVq+D3Fzs7Mfia8jEmDgp7bNJh\n6zpxiQIDAQABo4IBXDCCAVgwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb8+II\ny1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3ltY2Qu\nY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAOBgNV\nHQ8BAf8EBAMCBaAwH
QYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMC8GA1Ud\nEQQoMCaCEiouYm91Z2h0YnltYW55LmNvbYIQYm91Z2h0YnltYW55LmNvbTArBgNV\nHR8EJDAiMCCgHqAchhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMB\nAf8EAjAAMEEGA1UdIAQ6MDgwNgYGZ4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBz\nOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAqILS\nQtHPxPy+mNj6IxFR9jdzCm02accWttq6JfbIEu/7HajpYSpxkMKYm7WQqqy/xGhP\nWNS9qhfbGu7VIn+E5QNi1GQpKcBp/LsC2c5u9y+DmaHtAr605ffo1/PaRHVl5he/\n7R1Zwto8p5t51TMN4fDWIpPdia+wJi+2sbDId1JWROwE0b6yTPie6egWHXqc6VOg\n2CQxpM9C2hmWudVz2VI/xJ6K9Zj6lJmxqm8tHuL6qi9IuZr3IHRo0fY1Q81DrPhU\nOBLi6672ePN/sj7tP358IKO4a9Fxuqu3N7M258BnB9RCgvgN5RaFYV6VtcRskplO\nf45inEEGdgzuc4najw==\n-----END CERTIFICATE-----', certificateChain: '-----BEGIN CERTIFICATE-----\nMIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg\nU0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv\nVJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp\nSowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS\n1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ\nDAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM\nQriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp\nYEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7\nqwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD\nVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig\nJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF\nBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF\nMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry\ndXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs\nrC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp\nfO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B\nkvwHt
nm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH\nuLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O\nZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh\ngP8L8mJMcCaY\n\n-----BEGIN\nCERTIFICATE-----\nMIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg\nR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9\n9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq\nfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv\niS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU\n1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+\nbw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW\nMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA\nephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l\nuMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn\nZ57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS\ntQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF\nPseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un\nhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV\n5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==\n-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----', certificateName: 'dev-api2.boughtbymany.com', certificatePrivateKey: '***masked***', domainName: 'dev-api2.boughtbymany.com' } }

There seem to be some extra newlines in the second certificate in the certificate chain and/or the first certificate in the chain seems to have ended up inside the second one.

  • The first `-----BEGIN CERTIFICATE-----` has no newlines in it, but the second does `-----BEGIN\nCERTIFICATE-----`
  • The 2 end certificates are next to each other at the end `-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----`

@carlnordenfelt Can you help?

@jakul
Contributor Author

jakul commented Jul 18, 2016

I've localised the issue to util/certificate-parser. It only replaces the first instances of `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, instead of all of them.
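
The failure mode described in this comment, as an added example that is not part of the original thread and is not the project's util/certificate-parser code. It assumes, hypothetically, that the chain arrives with its line breaks flattened to spaces and that the markers are protected with a placeholder before spaces are turned back into newlines; `restoreFirstOnly`, `restoreAll` and `countCertificates` are illustrative names.

```javascript
// Added illustration; not the code in util/certificate-parser.
const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';

// Constructed two-certificate chain whose line breaks arrived as spaces
// (assumed input form). Bodies are dummy base64, not real certificates.
const flattened =
  `${BEGIN} QUFBQQ== QkJCQg== ${END} ${BEGIN} Q0NDQw== RERERA== ${END}`;

// Flawed shape: replace() with a string pattern touches only the first match,
// so the second certificate's markers are split at their inner space.
function restoreFirstOnly(pem) {
  return pem
    .replace(BEGIN, '@BEGIN@')
    .replace(END, '@END@')
    .replace(/ /g, '\n')
    .replace('@BEGIN@', BEGIN)
    .replace('@END@', END);
}

// Corrected shape: match every whole block globally, then rebuild each one.
function restoreAll(pem) {
  const block = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  return [...pem.matchAll(block)]
    .map(([, body]) => [BEGIN, ...body.trim().split(/\s+/), END].join('\n'))
    .join('\n');
}

// Pre-flight check before calling the API: each dashed line must be an exact
// marker and BEGIN/END must alternate. Returns the certificate count or throws.
function countCertificates(pem) {
  let open = false;
  let count = 0;
  for (const line of pem.split('\n')) {
    if (line === BEGIN && !open) open = true;
    else if (line === END && open) { open = false; count += 1; }
    else if (line.includes('-----') || (!open && line.trim() !== '')) {
      throw new Error(`malformed PEM line: ${JSON.stringify(line)}`);
    }
  }
  if (open) throw new Error('unterminated certificate block');
  return count;
}

console.log(countCertificates(restoreAll(flattened)));
try { countCertificates(restoreFirstOnly(flattened)); } catch (e) { console.log(e.message); }
```

Running a check like `countCertificates` on the assembled chain before the upload call turns a remote `MalformedCertificate` rejection into a local error that names the offending line.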

@jakul
Contributor Author

jakul commented Jul 18, 2016

Raised PR #50

@carlnordenfelt
Owner

Thanks! See my comment on the PR. I hope you can wait until Thursday

On Mon, Jul 18, 2016, 16:47 Craig Blaszczyk notifications@github.com
wrote:

Raised PR #50

@carlnordenfelt
Owner

2.0.1 has been released.
