https instagram-api aws-api-gateway

Instagram Subscription Callback using AWS API Gateway - Invalid SSL certificate


We're trying to set up an Instagram app and have worked our way through the process. We've now got stuck when trying to create a subscription.

We have our app hosted on AWS API Gateway, which can only be deployed with HTTPS endpoints (it does not support unencrypted connections). When we do the POST to get Instagram to subscribe to a user using the following:

curl -F 'client_id=CLIENT-ID' \
     -F 'client_secret=CLIENT-SECRET' \
     -F 'object=user' \
     -F 'aspect=media' \
     -F 'verify_token=myVerifyToken' \
     -F 'callback_url=https://YOUR-CALLBACK/URL' \
     https://api.instagram.com/v1/subscriptions/

then we get the following error:

{
    "meta": {
        "error_type": "APISubscriptionError",
        "code": 400,
        "error_message": "Invalid response"
    }
}

This happens whether we use our own HTTPS certificate that we have registered with API Gateway, or whether we use the stock AWS URL (https://xxxx.execute-api.us-east-1.amazonaws.com) as the callback (which also has a valid HTTPS certificate). I have verified that the certificates are 'good' using SSLLabs (they both get an A result). Our code NEVER gets called (so it's not the return of the hub.challenge parameter that's the problem). Instagram seems to reject the HTTPS certificate when initiating the connection.

Interestingly, if we use the same certificate that we use with AWS API Gateway on a normal machine (EC2 instance) and change the DNS records to point to this server, then it all works as expected and the subscription works.

Has anyone got Instagram Subscriptions working when using AWS API Gateway?


Solution

  • We contacted Instagram about this. The version of Python (or their libraries) that Instagram uses does not support SNI, which API Gateway uses (http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html), so Instagram apps will unfortunately not work if hosted on API Gateway until Instagram upgrades their version of Python.

    As Garrett points out below, whilst Instagram cannot post directly to API Gateway, you can put a CloudFront distribution in front of your API Gateway endpoints and let Instagram point to that. This will work.
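
The SNI dependency described in the answer can be observed in the first message a TLS client sends. The following is an added example, not part of the original answer and not Instagram's or AWS's code: it builds a ClientHello in memory with Python's `ssl` module, once with and once without a server name, and parses it for the `server_name` extension. The host name `api.example.com` and both function names are assumptions made for illustration.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the first TLS bytes a Python client would send; no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only so the no-SNI hello can be built; the handshake is never completed.
    ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now queued in `outgoing`
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the SNI host name in a ClientHello, or None if it is absent."""
    payload, pos = b"", 0
    while pos + 5 <= len(data) and data[pos] == 0x16:  # handshake records
        (length,) = struct.unpack_from("!H", data, pos + 3)
        payload += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(payload) < 4 or payload[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    i = 2 + 32                                      # client_version + random
    i += 1 + body[i]                                # session_id
    i += 2 + int.from_bytes(body[i:i + 2], "big")   # cipher_suites
    i += 1 + body[i]                                # compression_methods
    if i + 2 > len(body):
        return None                                 # no extensions block at all
    end = i + 2 + int.from_bytes(body[i:i + 2], "big")
    i += 2
    while i + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, i)
        i += 4
        if ext_type == 0:                           # server_name extension
            # layout: list_len(2) name_type(1) name_len(2) host_name
            name_len = int.from_bytes(body[i + 3:i + 5], "big")
            return body[i + 5:i + 5 + name_len].decode("ascii")
        i += ext_len
    return None

if __name__ == "__main__":
    for host in ("api.example.com", None):          # constructed host name
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

A server that hosts many certificates on one address selects the certificate from this extension, so a ClientHello for which the parser returns `None` gives it no host name to select by. The parser can also be run over a captured ClientHello to check whether a given webhook sender includes SNI.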