Apigee Proxy with Amazon Gateway API: 503 Service Unavailable

Greetings! I am trying to call an SSL endpoint I set up via Amazon's Gateway API. No matter what I try, I get the following error in Apigee with trace:

error: The Service is temporarily unavailable
error.cause: Received fatal alert: handshake_failure
error.class: com.apigee.messaging.adaptors.http.HttpAdaptorException
Identifier: fault
state: TARGET_REQ_FLOW
type: ErrorPoint
1 ACCEPTED SOLUTION

Hi Patrick, Unfortunately, it's the SNI issue, and I learnt that we cannot enable SNI for the Edge Free. This can be enabled only for Edge SMB and Edge. I have also created an article here on this topic - https://community.apigee.com/articles/9508/sni-for... Thanks, Mukundha


17 REPLIES

It's an SSL handshake failure.

Have you configured 2-way SSL at Amazon? In that case, you need to configure the TargetEndpoint to use 2-way SSL.

If not, maybe the Amazon certs are not trusted at Apigee. You need to import those certs into Apigee's truststore.

More info here,

http://apigee.com/docs/api-services/content/keystores-and-truststores

http://apigee.com/docs/api-services/content/configuring-ssl-edge-backend-service

Thanks,


From what I'm discovering, it appears that the Gateway API requires TLSv1.2 (maybe 1.1) and SNI.

Here's a relevant conversation: https://forums.aws.amazon.com/thread.jspa?threadID...

According to these release notes, Apigee cloud supports SNI: http://apigee.com/docs/release-notes/content/15041...

Do I need to request for it to be enabled for my org? Will this impact other backend services that do not require SNI?

Hi Patrick, I think SNI is enabled by default. Can you share your SSLInfo element in your TargetEndpoint configuration? Thanks,


I have attempted to create a TrustStore and add an SSLInfo element, but I've had no luck. Here it is just so we can move on:

<SSLInfo>
  <Enabled>true</Enabled>                      <!-- TLS to the target endpoint -->
  <ClientAuthEnabled>true</ClientAuthEnabled>  <!-- 2-way TLS: present a client cert -->
  <KeyStore>freetrial</KeyStore>               <!-- keystore holding the client cert/key -->
  <KeyAlias>freetrial</KeyAlias>               <!-- alias of the client cert in that keystore -->
  <TrustStore>apistation_co</TrustStore>       <!-- CA chain used to validate the target cert -->
</SSLInfo>

I have a hard time believing that this is the issue (or the accepted fix). The Gateway API provides default endpoints if one chooses not to add custom domains (e.g., https://xxxxxxxxx.execute-api.us-west-2.amazonaws.com/). Since I'm using Apigee, I would prefer to use the defaults. I have to assume that AWS is not making it difficult to hit their Gateway endpoints.

Would it be possible to skip the back-and-forth with me (as I'm fairly slow) and you guys attempt to connect to a Gateway API endpoint? I can even provide one.

Yes, that will be very helpful to troubleshoot. If possible, can you try removing this element from SSLInfo:
 <TrustStore>apistation_co</TrustStore>
and try once? It could also be that the full cert chain is not available in the TrustStore. This will help eliminate that possibility. Please share the details; I am hoping you have already configured 'freetrial' at Amazon for the 2-way SSL. Thanks,

Tried and no luck. I have not been bold enough to mess with the freetrial keystore. I know too little about how it works to muck with it. I'd prefer not to post my Gateway endpoint in the forum. Can you provide an email so I can send it to you?

mukundha at apigee dot com

@Mukundha Madhavan I like how you took advantage of private comments capability. Smart not to share it publicly 🙂

Never knew this feature existed. Thank you @Mukundha Madhavan & @Birute Awasthi for highlighting this.


Thanks for researching this. I'm happy to have a path forward.

I am having a similar issue. Uploaded the whole chain of certs to the truststore. No success.

Do I need to reach out to Apigee support to enable SNI for my Edge subscription?

Yes @Mudit.P, reach out to support. FYI, SNI is not supported for the free accounts; it's only available for SMB and Enterprise accounts.

Thanks @Mukundha Madhavan. Is it not enabled by default for enterprise accounts?

Yes @Mudit.P, it's not enabled by default; please contact support.

@Mukundha Madhavan SNI is not available for SMB customers and Apigee Developer customers. It's available only for Enterprise customers.

mpurwar

@Patrick Martin

Enforce TLS 1.2 in the Protocol element in the SSLInfo.

AWS does not accept any lower protocols. I had a similar issue and got it resolved today.

Example:

<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <Protocols>
      <Protocol>TLSv1.2</Protocol>   <!-- only offer TLS 1.2 to the target -->
    </Protocols>
    <TrustStore>truststore</TrustStore>
  </SSLInfo>
  <URL>https://dev1.social.com/svc/social/2.0/rest</URL>
</HTTPTargetConnection>
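The two conditions the thread converges on (the backend wants an SNI server_name extension, and it wants TLS 1.2 or later offered) are both visible in the first packet the proxy sends, the TLS ClientHello. The following script is an added example, not code from the thread or from Apigee: it builds ClientHello records with and without SNI and with different version offers (constructed input, not a capture), parses them, and reports why an SNI-only, TLS 1.2-only backend would answer with handshake_failure. The hostname used is made up, and the function names (build_client_hello, parse_client_hello, diagnose) are mine. To use it on a real proxy, capture the target-side ClientHello with tcpdump, extract the raw record bytes, and pass them to diagnose().

```python
"""Inspect a TLS ClientHello for SNI and offered protocol versions.

Added example: builds constructed ClientHello records, then parses them the
way you would parse bytes captured from the proxy-to-backend connection."""
import struct

# Extension type numbers from the IANA TLS ExtensionType registry
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B

VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def build_client_hello(server_name=None, versions=(0x0303,), legacy_version=0x0303):
    """Construct a minimal ClientHello record (constructed test input, not a capture).
    server_name=None omits the SNI extension; versions=() omits supported_versions,
    so only the legacy version field says what the client offers."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerNameList: list_len(2) | name_type(1)=0 host_name | name_len(2) | name
        sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if versions:
        body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    cipher_suites = b"\xc0\x2f\xc0\x30"  # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384
    body = (struct.pack("!H", legacy_version)
            + b"\x00" * 32                                   # client random (zeros: constructed)
            + b"\x00"                                        # empty legacy session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return legacy version, SNI host (or None), offered versions and cipher suites."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # skip client random
    pos += 1 + body[pos]                        # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # skip compression methods
    result = {"legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
              "sni": None, "versions": [], "cipher_suites": cipher_suites}
    if pos < len(body):                         # extensions block is optional for old clients
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", edata[3:5])[0]   # after list_len(2) + name_type(1)
                result["sni"] = edata[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                result["versions"] = [VERSION_NAMES.get(v, hex(v))
                                      for v in struct.unpack("!%dH" % (n // 2), edata[1:1 + n])]
    if not result["versions"]:                  # no supported_versions: legacy field is the offer
        result["versions"] = [result["legacy_version"]]
    return result


def diagnose(data):
    """Explain, in the thread's terms, why an SNI-only TLS 1.2+ backend would reject this hello."""
    info = parse_client_hello(data)
    problems = []
    if info["sni"] is None:
        problems.append("no server_name (SNI) extension: an SNI-only backend cannot select a certificate")
    if not any(v in ("TLSv1.2", "TLSv1.3") for v in info["versions"]):
        problems.append("no TLSv1.2 or later offered: backend answers with handshake_failure")
    return info, problems


if __name__ == "__main__":
    host = "abc123.execute-api.us-west-2.amazonaws.com"   # made-up hostname
    for label, hello in [("SNI + TLSv1.2", build_client_hello(host)),
                         ("no SNI", build_client_hello(None)),
                         ("no SNI, TLSv1.0 only", build_client_hello(None, versions=(), legacy_version=0x0301))]:
        info, problems = diagnose(hello)
        print(label, "->", info["sni"], info["versions"], problems or "OK")
```

For a live check against the real endpoint, `openssl s_client -connect HOST:443 -servername HOST -tls1_2` should complete the handshake, while omitting SNI (on OpenSSL 1.1.1 and later, which sends SNI by default, use `-noservername`) reproduces the fatal handshake_failure alert seen in the Apigee trace; that pair of results is what distinguishes the SNI case from an untrusted certificate chain, which fails at verification rather than in the hello exchange.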