If your certificate has a mismatched CN or subject name, you might receive an error similar to the following:
Confirm the following settings:
The certificate used to create the custom domain name exists in ACM.
The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *.example.com.
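The subject-name check above can be scripted. The following is an added example (not AWS code): it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports which CN or SAN entries cover the custom domain. The function names and both sample certificates are constructed for illustration.

```python
def cert_names(cert):
    """Return the unique CN and DNS SAN entries of a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return list(dict.fromkeys(n.lower() for n in cns + sans))


def name_matches(pattern, domain):
    """Exact match, or a '*' leftmost label that stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    if len(p) != len(d):
        return False          # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return p[1:] == d[1:]
    return p == d


def covers(cert, domain):
    """List the certificate names that cover the given custom domain name."""
    return [n for n in cert_names(cert) if name_matches(n, domain)]


# Constructed sample: a wildcard certificate for the custom domain's parent zone.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# Constructed sample: a certificate that only names a regional execute-api wildcard.
DEFAULT_ENDPOINT_CERT = {
    "subject": ((("commonName", "*.execute-api.us-east-1.amazonaws.com"),),),
    "subjectAltName": (("DNS", "*.execute-api.us-east-1.amazonaws.com"),),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("execute-api", DEFAULT_ENDPOINT_CERT)):
        for host in ("custom.example.com", "example.com", "a.custom.example.com"):
            hit = covers(cert, host)
            print(f"{label:12} {host:22} {'covered by ' + hit[0] if hit else 'NOT covered'}")
```

An empty result from `covers` means a client connecting with that host name fails certificate validation, which is the mismatch this section describes.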
Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.
Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).
custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com
To check your configuration, run the dig command on your custom domain name, similar to the following: