TLS cert issue for Apollo Uplink AWS endpoint

Hi Team,

We got the errors below while using the NodeJS “apollo/gateway” module; it polls schema configs and data from aws.uplink.api.apollographql.com.

Hostname/IP does not match certificate's altnames: Host: aws.uplink.api.apollographql.com. is not in the cert's altnames: DNS:*.execute-api.us-east-1.amazonaws.com, DNS:*.execute-api.us-east-1.vpce.amazonaws.com

We checked the DNS for “aws.uplink.api.apollographql.com”; it looks like it uses a CNAME to an AWS API Gateway endpoint. That might cause the NodeJS HTTP client to be unable to verify the certificate against the target server hostname. If the DNS record for this gateway domain were changed to an “A” record, would it help?
Could you please help check this? Any advice for fixing this while using the NodeJS module “apollo/gateway”?

➜  ~ dig aws.uplink.api.apollographql.com

; <<>> DiG 9.10.6 <<>> aws.uplink.api.apollographql.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46104
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;aws.uplink.api.apollographql.com. IN	A

;; ANSWER SECTION:
aws.uplink.api.apollographql.com. 30 IN	CNAME	d-duscsm3mkl.execute-api.us-east-1.amazonaws.com.
d-duscsm3mkl.execute-api.us-east-1.amazonaws.com. 60 IN	A 3.86.1.171
d-duscsm3mkl.execute-api.us-east-1.amazonaws.com. 60 IN	A 23.21.79.56

;; Query time: 68 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Nov 10 13:25:46 CET 2022
;; MSG SIZE  rcvd: 152

Thanks a lot!

Regards,
Jennie LI

We are experiencing this issue too. It seems to happen when a client first initializes, but subsequent requests succeed.

Error: Hostname/IP does not match certificate's altnames: Host: aws.uplink.api.apollographql.com. is not in the cert's altnames: DNS:*.execute-api.us-east-1.amazonaws.com, DNS:*.execute-api.us-east-1.vpce.amazonaws.com


Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: aws.uplink.api.apollographql.com. is not in the cert's altnames: DNS:*.execute-api.us-east-1.amazonaws.com, DNS:*.execute-api.us-east-1.vpce.amazonaws.com
    at new NodeError (node:internal/errors:372:5)
    at Object.checkServerIdentity (node:tls:346:12)
    at TLSSocket.onConnectSecure (node:_tls_wrap:1542:27)
    at TLSSocket.emit (node:events:527:28)
    at TLSSocket.emit (/app/node_modules/dd-trace/packages/datadog-instrumentations/src/net.js:61:25)
    at TLSSocket._finishInit (node:_tls_wrap:946:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:727:12)
    at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)