This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How can i use my custom domain for API Calls

Posted on 04-23-2018 03:21 PM
Not applicable
Reply posted on --/--/---- --:-- AM

I did my research and found out that it can be done by creating an alias for the Virtual Host and that this operation can only be done through API calls.

First problem i found is that it cannot be done using the default port 80

curl -X POST -H "Content-Type:application/xml" https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/virtualhosts -d '<VirtualHost name="custom"><ClientCertForwarding>false</ClientCertForwarding><HostAliases><HostAlias>api.example.com</HostAlias></HostAliases><Interfaces/><ListenOptions/><Port>80</Port></VirtualHost>' -u orgAdminEmail:pWord

{

"code" : "messaging.config.beans.VirtualHostPortValidationError",
"message" : "Virtual host creation/update failed due to invalid port 80. Allowed port is 443. Contact support to allow custom port configuration",
"contexts" : [ ]
}

Then i tried using using port 443

curl -X POST -H "Content-Type:application/xml" https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/virtualhosts -d '<VirtualHost name="custom"><ClientCertForwarding>false</ClientCertForwarding><HostAliases><HostAlias>api.example.com</HostAlias></HostAliases><Interfaces/><ListenOptions/><Port>443</Port><SSLInfo><Enabled>true</Enabled><ClientAuthEnabled>false</ClientAuthEnabled><KeyStore>ref://newref</KeyStore><KeyAlias>new</KeyAlias><ClientAuthEnabled>false</ClientAuthEnabled></SSLInfo></VirtualHost>' -u orgAdminEmail:pWord

{
"code" : "messaging.config.beans.VirtualHostCACertValidationError",
"message" : "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted by java trust anchors or CAs",
"contexts" : [ ]
}

But the self signed certificates does not work.

I followed the instructions found here:

https://docs.apigee.com/api-platform/system-administration/creating-keystores-and-truststore-cloud-u...

How can i safely buy a certificate if i cannot see the change working with the self signed certificate?

Solved Solved
2 3 1,413
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
DChiesa
Staff
Reply posted on --/--/---- --:-- AM

I have done this with certificates issued by a 3rd-party CA, specifically LetsEncrypt.

This is what we call "API white labeling."

It means mapping a DNS name like "api.mycompany.com" to "ORG-ENV.apigee.net" so that you can publish API endpoints that look like https://api.mycompany.com/foo/bar . Yes, only with TLS.

Until recently, it has been possible to white-label API endpoints only with the help of Apigee support. You'd have to open a ticket to ask for a secure vhost, and you'd have to securely transmit the cert and private key to support, wait for the ticket to be fulfilled... hours? days? But self-service vhosts have changed that. Now anyone can white label Apigee APIs, on any organization.

What's necessary? You need:

  • a domain that you control. Domains.google.com can help. Or godaddy etc.
  • a webserver that you control. An nginx box, or apache, etc.
  • the certbot tool, that connects with letsencrypt
  • any Apigee Edge org

Steps:

  1. using your DNS provider, map your domain name, like api.dinochiesa.net, to the webserver, with a DNS A record or CNAME pointing to the web server hostname.
  2. use the certbot tool to obtain a cert from letsencrypt; manual or auto, doesn't matter. I won't describe in detail how this works. Use certbot documentation. But be aware: You need direct access to the webserver to do this.
  3. (probably via the API) create a keystore in Edge, name it anything you like, and upload the generated cert and key to it.
  4. via the API, create a vhost in Edge, using api.dinochiesa.net as the hostalias, and using the keystore created above for TLS. Name it "whitelabel-vhost" or something similar. (If you do it properly, you should use a keystore reference)
  5. again using the DNS provider, remap the domain (api.dinochiesa.net) to your edge org+env, with a DNS CNAME pointing to ORG-ENV.apigee.net . You may have to wait 5 minutes for the DNS change to propagate through the DNS network.
  6. modify your API proxy endpoints to listen ONLY on "whitelabel-vhost".
  7. Invoke the API endpoints!

For the record, we're looking into making this MUCH easier.

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
DChiesa
Staff
Reply posted on --/--/---- --:-- AM

I have done this with certificates issued by a 3rd-party CA, specifically LetsEncrypt.

This is what we call "API white labeling."

It means mapping a DNS name like "api.mycompany.com" to "ORG-ENV.apigee.net" so that you can publish API endpoints that look like https://api.mycompany.com/foo/bar . Yes, only with TLS.

Until recently, it has been possible to white-label API endpoints only with the help of Apigee support. You'd have to open a ticket to ask for a secure vhost, and you'd have to securely transmit the cert and private key to support, wait for the ticket to be fulfilled... hours? days? But self-service vhosts have changed that. Now anyone can white label Apigee APIs, on any organization.

What's necessary? You need:

  • a domain that you control. Domains.google.com can help. Or godaddy etc.
  • a webserver that you control. An nginx box, or apache, etc.
  • the certbot tool, that connects with letsencrypt
  • any Apigee Edge org

Steps:

  1. using your DNS provider, map your domain name, like api.dinochiesa.net, to the webserver, with a DNS A record or CNAME pointing to the web server hostname.
  2. use the certbot tool to obtain a cert from letsencrypt; manual or auto, doesn't matter. I won't describe in detail how this works. Use certbot documentation. But be aware: You need direct access to the webserver to do this.
  3. (probably via the API) create a keystore in Edge, name it anything you like, and upload the generated cert and key to it.
  4. via the API, create a vhost in Edge, using api.dinochiesa.net as the hostalias, and using the keystore created above for TLS. Name it "whitelabel-vhost" or something similar. (If you do it properly, you should use a keystore reference)
  5. again using the DNS provider, remap the domain (api.dinochiesa.net) to your edge org+env, with a DNS CNAME pointing to ORG-ENV.apigee.net . You may have to wait 5 minutes for the DNS change to propagate through the DNS network.
  6. modify your API proxy endpoints to listen ONLY on "whitelabel-vhost".
  7. Invoke the API endpoints!

For the record, we're looking into making this MUCH easier.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
hmacgregor
New Member
In response to DChiesa
Reply posted on --/--/---- --:-- AM

Hey all. Any updates on Apigee support for LetsEncrypt, specifically auto-updating of the certificate? It would seem that we would need to do the "separate linux box we control" steps above every time we need to update the certificate, which would not work for a production system.

Jump to Solution

Posted on --/--/---- --:-- AM
glennbostoen
New Member
In response to hmacgregor
Reply posted on --/--/---- --:-- AM

I'm also looking forward to an automated solution. It's kinda sad that there isn't really an out of the box solution for this without resorting to like AWS Cloudfront for example.

Jump to Solution
0 Likes