bug: x509 certificate is not valid for all domains

[conamu]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I have a stack that accesses Timestream. On out staging AWS account this works flawlessly. We are using AWS CDK Local to deploy.

This error greets us when the Lambda want to access timestream api to write records into it:

{"errorMessage":"error occured when storing to DB: Storing Datapoints failed: timestream query failed: RequestError: send request failed\ncaused by: Post \"https://ingest.timestream.eu-west-1.amazonaws.com/\": x509: certificate is valid for *.amplifyapp.localhost.localstack.cloud, *.cloudfront.localhost.localstack.cloud, *.execute-api.localhost.localstack.cloud, *.localhost.localstack.cloud, *.opensearch.localhost.localstack.cloud, *.s3-website.localhost.localstack.cloud, *.s3.localhost.localstack.cloud, *.scm.localhost.localstack.cloud, localhost.localstack.cloud, not ingest.timestream.eu-west-1.amazonaws.com","errorType":"errorString"}

Lambdas are written in go with the aws sdks, on the AL_2_Provided runtime.

Expected Behavior

Timestream should be accessible without a certificate error from Lambda.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker-compose -f localstack.compose up

dockerfile:

version: "3.8"

services:
  localstack:
    container_name: "localstack"
    image: localstack/localstack-pro
    ports:
      - "4566:4566"            # LocalStack Gateway
      - "4510-4559:4510-4559"  # ext services port range
      - "53:53"                # DNS config
      - "53:53/udp"            # DNS config
      - "443:443"              # LocalStack HTTPS Gateway
    environment:
      - DEBUG=0
      - LAMBDA_EXECUTOR=docker
      - DOCKER_HOST=unix:///var/run/docker.sock
      - LOCALSTACK_API_KEY=[REDACTED]
      - LS_LOG=trace-internal
      - EDGE_BIND_HOST=0.0.0.0
    volumes:
      - "~/.localstack-data:/var/lib/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"

Environment

- OS: Mac OS
- LocalStack: latest

Anything else?

No response

[localstack-bot]

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

[whummer]

Hi @conamu , thanks for reporting. Can you please share some details on how the Timestream client is constructed in your Lambda handler? Please note in certain cases it may be required to set the endpoint_url of your AWS SDK client to point to the LocalStack APIs. Happy to provide more guidance if you can share some details on your setup (specifically the Lambda handler code). Thanks!

[conamu]

Hey, thanks for your reply. Looking at the error message it surely makes sense that this amazon url is not meeant to be used within localstack. I cant share all of the handler code but I essentially use this to communicate with localstack:

db := timestreamwrite.New(session.Must(session.NewSession()))

db.WriteRecords(query)

I don't use any additional configuration to create a time stream client. I'm using the golang sdk

[conamu]

Sorry, accidentally clicked close button ;0

[conamu]

So I tried doing what you suggested and I got an error that it got connection refused at http://localhost:4566.
Is there a specific url I need to set? I guess the gateway is not enough

[adase11]

@whummer - apologies if I'm interjecting noise here but I've been following some similar reported issues and I thought this question may be relevant to the discussion on this ticket.
I'd be curious to know if there is a reason that the the Subject Alternative Name extensions of the SSL certificate can't include a reference to *.localhost. Here's what I see in the current cert SAN section:

*.amplifyapp.localhost.localstack.cloud
*.cloudfront.localhost.localstack.cloud
*.execute-api.localhost.localstack.cloud
*.localhost.localstack.cloud
*.opensearch.localhost.localstack.cloud
*.s3-website.localhost.localstack.cloud
*.s3.localhost.localstack.cloud
*.scm.localhost.localstack.cloud
localhost.localstack.cloud

In addition to the localhost.localstack.cloud common name. It seems to me that this issue and a few others that have been reported are related to SSL handshakes and the localstack certificate not covering localhost. #6874 and #7417 both seem related (or at least tangental) to this.

[whummer]

Hi @adase11, thanks for chiming in, that's a good question. The problem is that it is not possible to obtain a trusted SSL certificate for *.localhost hostnames.

Please note that our current certificate for *.localhost.localstack.cloud hostnames (issued by "Let's Encrypt") is a trusted by most browsers/operating systems out of the box. The same would not be possible for localhost itself, unfortunately.

[adase11]

Got it, so if localstack was to issue one that includes *.localhost then users would have to manually add the certificate to the list of trusted certs (because it would have to be a self-signed certificate). Makes sense. Thanks for clarifying @whummer - much appreciated!

[conamu]

So I found the endpoint by myself. It's https://timestream.localhost.localstack.cloud