
I'm trying to set up an API Management Gateway using a custom domain. However, when I go to test it out, I get an SSL error. I am not sure if I've missed any steps or I've misconfigured my custom domain. The API returns a 200 response when I use the default Gateway URL but returns a 400 when I use my custom domain.

Any help in this domain is appreciated. Thanks

I've described the steps I've followed below:

Steps followed to create a custom domain:

  1. Set up a CNAME for my custom domain api.something.com in Route 53 with Value as .azure-api.net

  2. When creating a custom domain, I added my PFX certificate to the custom domain. When creating my certificate, I set CN="*.something.com". Additional settings such as Negotiate Client Certificate: false and Default SSL binding: true

  3. Created an API with the suffix app1 so that my API is reachable at api.something.com/app1

  4. Now, when I try to test it out through the portal, I get the error

HTTP/1.1 400 Bad Request
content-length: 123
content-type: application/json
vary: Origin

{
    "error": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
}

This is the request header. Also, I've turned off Require Subscription Key, but I'm not sure why the subscription key is still included in the header:

GET https://api.something.com/app1/api/heartbeat HTTP/1.1
Host: api.something.com
Ocp-Apim-Subscription-Key: xxxxxxxxx
Ocp-Apim-Trace: true


  • Try opening https://api.something.com in browser and see if it gives you any certificate errors, and if it does - investigate those. – Vitaliy Kurokhtin Sep 27 '21 at 17:39
  • yes, it gives me an INVALID_CERTIFICATE_ERROR – user782400 Sep 27 '21 at 20:11
  • That means that certificate APIM returns for request (the one you added) does not match your domain name. See certificate details, browsers should show what is exactly wrong with the certificate. One common thing, is to check if SAN is present in a certificate. – Vitaliy Kurokhtin Sep 28 '21 at 00:08
  • 1
    Could it also be because the certificate that was generated in Key Vault is self-signed instead of a being signed by a CA authority? – user782400 Sep 28 '21 at 00:52
  • 3
    Of course. Self signed certificates are, by definition, not signed by any trusted root CA and thus are not trusted by browsers. If it's only for your use - you can ignore browser error. If you open your address in a separate tab and confirm security exception it should make it work in Azure portal as well as browsers remember the excemption. If you plan for that address to be used by other people, you should get a real certificate from one of the DNS providers. – Vitaliy Kurokhtin Sep 28 '21 at 04:27

0 Answers