
Certificate Chain error when creating custom domain name #49

Closed
jakul opened this Issue Jul 18, 2016 · 4 comments

jakul commented Jul 18, 2016

Hi,

I'm trying to make a Custom Domain Name, using a certificate I just uploaded to IAM, but CloudFormation gives an error when trying to create it.

Failed to create resource. BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4). See the details in CloudWatch Log Stream: 2016/07/18/[$LATEST]b115a9ff77954bba9d8b3f64cc6af1f6

I think there is some problem with the decoding/re-encoding of the certificate chain, because it comes out looking deformed in the log messages from the lambda:

2016-07-18T11:24:27.301Z    2f501ec2-4cda-11e6-8a70-7f05c0d1cebb    Error ApiDomainNameService::createDomainName { error:  { [BadRequestException: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)] message: 'Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: 2feb2631-4cda-11e6-b7d4-4141c6ad91c4)', code: 'BadRequestException', time: Mon Jul 18 2016 11:24:27 GMT+0000 (UTC), requestId: '2fadceac-4cda-11e6-b3b8-8d2831983c32', statusCode: 400, retryable: false, retryDelay: 30.29568309430033 }, params:  { certificateBody: '-----BEGIN CERTIFICATE-----\nMIIEuTCCA6GgAwIBAgIDBdeTMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy\nNTYgQ0EgLSBHMzAeFw0xNTA3MjExOTIyMDBaFw0xNzA3MjIyMTUzMTBaMIGWMRMw\nEQYDVQQLEwpHVDk0NzM3MDU4MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv\nbS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW\nYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEbMBkGA1UEAwwSKi5ib3VnaHRieW1hbnku\nY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0KaZSOt5K68kxlBV\ny1rGIDquSzthfhfchXIYd46mOkkwLUpQfY9DmCxrCgN4HxsA+1fRuXyfzk8yMt/M\nVTZxU3RPlsuZGJFKOcixg/UJGly4vIUFO3ZGOlAYt4PEMKX51mY8oIYNVt1lM7SZ\nNJOLzR4fiE7yGPIP01tdnINeambG3cGZ9MNl8EDhSOfYrb4tOkk6cfgvtukj1Ulg\n6/UZW9bhsLJtR3lHW7uSFptyA2elWiFm++QFEvykSXcrMCpdr3vnajYnJP6STSRi\nOW7NHI7gLy65sXUKq5/XFtAbt/MG9Wx6PbV2XalVq+D3Fzs7Mfia8jEmDgp7bNJh\n6zpxiQIDAQABo4IBXDCCAVgwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb8+II\ny1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3ltY2Qu\nY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAOBgNV\nHQ8BAf8EBAMCBaAwH
QYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMC8GA1Ud\nEQQoMCaCEiouYm91Z2h0YnltYW55LmNvbYIQYm91Z2h0YnltYW55LmNvbTArBgNV\nHR8EJDAiMCCgHqAchhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMB\nAf8EAjAAMEEGA1UdIAQ6MDgwNgYGZ4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBz\nOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAqILS\nQtHPxPy+mNj6IxFR9jdzCm02accWttq6JfbIEu/7HajpYSpxkMKYm7WQqqy/xGhP\nWNS9qhfbGu7VIn+E5QNi1GQpKcBp/LsC2c5u9y+DmaHtAr605ffo1/PaRHVl5he/\n7R1Zwto8p5t51TMN4fDWIpPdia+wJi+2sbDId1JWROwE0b6yTPie6egWHXqc6VOg\n2CQxpM9C2hmWudVz2VI/xJ6K9Zj6lJmxqm8tHuL6qi9IuZr3IHRo0fY1Q81DrPhU\nOBLi6672ePN/sj7tP358IKO4a9Fxuqu3N7M258BnB9RCgvgN5RaFYV6VtcRskplO\nf45inEEGdgzuc4najw==\n-----END CERTIFICATE-----', certificateChain: '-----BEGIN CERTIFICATE-----\nMIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg\nU0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv\nVJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp\nSowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS\n1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ\nDAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM\nQriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp\nYEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7\nqwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD\nVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig\nJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF\nBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF\nMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry\ndXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs\nrC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp\nfO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B\nkvwHt
nm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH\nuLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O\nZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh\ngP8L8mJMcCaY\n\n-----BEGIN\nCERTIFICATE-----\nMIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg\nR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9\n9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq\nfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv\niS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU\n1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+\nbw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW\nMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA\nephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l\nuMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn\nZ57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS\ntQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF\nPseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un\nhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV\n5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==\n-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----', certificateName: 'dev-api2.boughtbymany.com', certificatePrivateKey: '***masked***', domainName: 'dev-api2.boughtbymany.com' } }

There seem to be some extra newlines in the second certificate in the certificate chain and/or the first certificate in the chain seems to have ended up inside the second one.

  • The first `-----BEGIN CERTIFICATE-----` has no newlines in it, but the second does: `-----BEGIN\nCERTIFICATE-----`
  • The 2 end certificates are next to each other at the end: `-----END\nCERTIFICATE-----\n-----END CERTIFICATE-----`

@carlnordenfelt Can you help?


jakul commented Jul 18, 2016

I've localised the issue to util/certificate-parser. It only replaces the first instances of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, instead of all of them.
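
The failure mode diagnosed above, as an added example that is not part of the original comment and is not the project's code: it assumes (inferred from the logged output) that the parser strips the PEM markers with string-pattern `replace` and turns spaces back into newlines. All function names are hypothetical and the base64 bodies are constructed placeholders.

```javascript
// Model of the behaviour described in the issue (added example, not the
// project's util/certificate-parser source). Function names are hypothetical.
const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';

// Constructed input: two PEM blocks whose newlines were flattened to spaces.
// The base64 bodies are placeholders, not real certificates.
const flattenedChain =
  `${BEGIN} QUFBQUFBQUE= QkJCQkJCQkI= ${END} ${BEGIN} Q0NDQ0NDQ0M= ${END}`;

// Buggy model: String.prototype.replace with a string pattern only touches
// the first match, so the second block's markers survive and get split
// when spaces are turned back into newlines.
function normalizeFirstOnly(pem) {
  const body = pem.replace(BEGIN, '').replace(END, '').replace(/ /g, '\n');
  return `${BEGIN}${body}\n${END}`;
}

// Fixed model: match every block with a global regex and rebuild each one.
function normalizeAll(pem) {
  const blockRe = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  const blocks = [];
  for (const match of pem.matchAll(blockRe)) {
    const lines = match[1].split(/\s+/).filter(Boolean);
    blocks.push([BEGIN, ...lines, END].join('\n'));
  }
  return blocks.join('\n');
}

// Pre-flight check: every line must be a whole marker or base64, and
// BEGIN/END must alternate. Returns the block count, or -1 if malformed.
function countWellFormedBlocks(pem) {
  let open = false;
  let count = 0;
  for (const line of pem.split('\n')) {
    if (line === BEGIN && !open) open = true;
    else if (line === END && open) { open = false; count += 1; }
    else if (!open || !/^[A-Za-z0-9+/=]+$/.test(line)) return -1;
  }
  return open ? -1 : count;
}

console.log(JSON.stringify(normalizeFirstOnly(flattenedChain)));
console.log(countWellFormedBlocks(normalizeAll(flattenedChain)));
```

Running a check like `countWellFormedBlocks` before the upload call surfaces a mangled chain locally instead of as a `MalformedCertificate` response from IAM.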


jakul commented Jul 18, 2016

Raised PR #50


carlnordenfelt commented Jul 18, 2016

Thanks! See my comment on the PR. I hope you can wait until Thursday



carlnordenfelt commented Jul 21, 2016

2.0.1 has been released.
