Greetings! I am trying to call an SSL endpoint I set up via Amazon's Gateway API. No matter what I try, I get the following error in the Apigee trace:
error: The Service is temporarily unavailable
error.cause: Received fatal alert: handshake_failure
error.class: com.apigee.messaging.adaptors.http.HttpAdaptorException
Identifier: fault
state: TARGET_REQ_FLOW
type: ErrorPoint
It's an SSL handshake failure.
Have you configured 2-way SSL at Amazon? In that case, you need to configure the TargetEndpoint to use 2-way SSL.
If not, maybe the Amazon certs are not trusted at Apigee. You need to import those certs into Apigee's truststore.
More info here,
http://apigee.com/docs/api-services/content/keystores-and-truststores
http://apigee.com/docs/api-services/content/configuring-ssl-edge-backend-service
Thanks,
From what I’m discovering, it appears that the Gateway API requires TLSv1.2 (maybe 1.1) and SNI.
Here’s a relevant conversation: https://forums.aws.amazon.com/thread.jspa?threadID…
According to these release notes, Apigee cloud supports SNI: http://apigee.com/docs/release-notes/content/15041…
Do I need to request for it to be enabled for my org? Will this impact other backend services that do not require SNI?
Hi Patrick, I think SNI is enabled by default. Can you share the SSLInfo element in your TargetEndpoint configuration? Thanks,
I have attempted to create a TrustStore and add an SSLInfo element, but I’ve had no luck. Here it is just so we can move on:
<SSLInfo>
<Enabled>true</Enabled>
<ClientAuthEnabled>true</ClientAuthEnabled>
<KeyStore>freetrial</KeyStore>
<KeyAlias>freetrial</KeyAlias>
<TrustStore>apistation_co</TrustStore>
</SSLInfo>
I have a hard time believing that this is the issue (or the accepted fix). The Gateway API provides default endpoints if one chooses not to add custom domains (e.g., https://xxxxxxxxx.execute-api.us-west-2.amazonaws.com/). Since I'm using Apigee, I would prefer to use the defaults. I have to assume that AWS is not making it difficult to hit their Gateway endpoints.
Would it be possible to skip the back-and-forth with me (as I’m fairly slow) and you guys attempt to connect to a Gateway API endpoint? I can even provide one.
Yes, that will be very helpful to troubleshoot. If possible, can you try removing this element from SSLInfo:
<TrustStore>apistation_co</TrustStore>
and try once? It could also be that the full cert chain is not available in the truststore; this will help eliminate that possibility. Please share the details. I am hoping you have already configured 'freetrial' at Amazon for the 2-way SSL. Thanks,
Tried and no luck. I have not been bold enough to mess with the freetrial keystore. I know too little about how it works to muck with it. I’d prefer not to post my Gateway endpoint in the forum. Can you provide an email so I can send it to you?
mukundha at apigee dot com
@Mukundha Madhavan I like how you took advantage of the private comments capability. Smart not to share it publicly.
Never knew this feature exists. Thank you @Mukundha Madhavan & @Birute Awasthi for highlighting this.
Hi Patrick, unfortunately it's the SNI issue, and I learnt that we cannot enable SNI for Edge Free. This can be enabled only for Edge SMB and Edge. I have also created an article here on this topic: https://community.apigee.com/articles/9508/sni-for… Thanks, Mukundha
Thanks for researching this. I’m happy to have a path forward.
I am having a similar issue. Uploaded the whole chain of certs to the truststore. No success.
Do I need to reach out to Apigee support to enable SNI for my Edge subscription?
Yes @Mudit.P, reach out to support. FYI, SNI is not supported for the free accounts; it's only available for SMB and Enterprise accounts.
Thanks @Mukundha Madhavan, is it not enabled by default for Enterprise accounts?
Yes @Mudit.P, it's not enabled by default, please contact support.
Enforce TLS 1.2 in the Protocol element of the SSLInfo, as AWS does not accept any lower protocols. I had a similar issue and got it resolved today.
Example:
<SSLInfo>
<Enabled>true</Enabled>
<Protocols>
<Protocol>TLSv1.2</Protocol>
</Protocols>
<TrustStore>truststore</TrustStore>
</SSLInfo>
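An added diagnostic (not from this thread, nor Apigee or AWS code) that reproduces the two checks discussed above from any machine with Python 3.7+: it handshakes with and without SNI, with TLS 1.2 as the floor, and maps the outcome to the causes raised here (SNI required, untrusted chain, no protocol/cipher agreement). The HOST value is a placeholder to replace with the real API Gateway hostname.

```python
"""Probe a TLS backend twice, with and without SNI, pinning TLS 1.2 as the
floor, and map the outcomes to the causes discussed in this thread."""
import socket
import ssl

def build_context(use_sni):
    """CA-verified context; without SNI no hostname is sent, so only the
    chain is checked (hostname matching needs the name the server was given)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # AWS rejects anything lower
    if not use_sni:
        ctx.check_hostname = False
    return ctx

def handshake(host, port=443, use_sni=True, timeout=5.0):
    """Return {'ok': True, 'version': ..., 'cipher': ...} on success,
    or {'ok': False, 'error': <message>} on failure."""
    ctx = build_context(use_sni)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            name = host if use_sni else None
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}

def diagnose(with_sni, without_sni):
    """Classify the pair of results into the likely root cause."""
    if with_sni["ok"] and not without_sni["ok"]:
        return "sni_required"        # client must send server_name (Apigee SNI)
    if with_sni["ok"]:
        return "sni_not_required"    # look at truststore/protocol settings instead
    err = with_sni["error"].upper()
    if "CERTIFICATE_VERIFY_FAILED" in err:
        return "untrusted_chain"     # import the full chain into the truststore
    if "HANDSHAKE_FAILURE" in err or "PROTOCOL" in err:
        return "no_protocol_or_cipher_agreement"  # enforce TLSv1.2 / cipher suites
    return "other"

def check(host):
    """Run both probes against one host and return the diagnosis."""
    return diagnose(handshake(host, use_sni=True), handshake(host, use_sni=False))

if __name__ == "__main__":
    # HOST is a placeholder: put your API Gateway default endpoint hostname here.
    HOST = "xxxxxxxxx.execute-api.us-west-2.amazonaws.com"
    print(check(HOST))
```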
@Mukundha Madhavan SNI is not available for SMB customers and Apigee Developer customers. It's available only for Enterprise customers.