Help with Mutual TLS Configuration on API Gateway

Asked By CuriousCoder98 On

I'm trying to enable mutual TLS 1.2 for a custom domain linked to my regional API Gateway, using a non-exportable certificate from ACM. I followed the steps outlined in an AWS blog about mutual TLS authentication, but I'm running into issues. Here's what I did: I created a certification authority and generated Root.pem and Root.key files. Then, I created a new CSR file, used those root files to sign it, and generated step2.pem and step2.key. After uploading the PEM file to S3, I updated the custom domain settings to implement TLS 1.2, including the S3 link for the PEM file. However, when I try accessing the endpoint with the following command, I get a "Forbidden" message: curl -X GET "domain/stage/resource" -H "x-api-key: key" --key step2.key --cert step2.pem. The API works fine when I remove the TLS 1.2 configuration. Can anyone help me figure out what might be going wrong?

2 Answers

Answered By LambdaLover On

Is your API Gateway connected to a Lambda function or something else? That could affect how the mutual TLS behaves if it's expecting different authentication methods.

CuriousCoder98 -

Yes, it's hitting a Lambda function. Could that be part of the issue?

Answered By TechSavvyJoe On

Have you checked your API Gateway policy? You might need to adjust it a bit, especially since mutual TLS can require specific permissions.

HelpMeFixIt -

I have logging turned on, but it doesn't show anything for the failed requests. Plus, I'm not using an API Gateway policy, just relying on the API key for authentication.
