How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?

2 minute read
0

I set up a custom domain name for my API Gateway API. I received an error that the AWS Certificate Manager (ACM) certificate is expired or "invalid certificate". How can I resolve this error?

Short description

The certificate has expired error occurs when the certificate used for creating the custom domain name is expired.

The "invalid certificate error" occurs because of a mismatched common name (CN) or subject name in the certificate.

Resolution

Expired ACM certificates

If your certificate is expired, you might receive an error similar to the following:

"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]"
To check the certificate expiry, run the OpenSSL command s_client similar to the following:

openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates

To renew the certificate, see Managed renewal for ACM certificates.

To avoid expired certificates, see How to monitor expirations of imported certificates in ACM.

Mismatched ACM certificates

If your certificate has a mismached CN or subject name, you might receive an error similar to the following:

"ERR_CERT_COMMON_NAME_INVALID"

Confirm the following settings:

  • The certificate used to create the custom domain name exists in ACM.
  • The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *example.com.
  • Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.

Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).

Example configuration:

custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com

You can check your configuration by running the dig command on your custom domain similar to the following:

$ dig custom.example.com

Related information

How can I resolve DNS resolution or certificate mismatch errors for my API Gateway custom domain name?

AWS OFFICIAL
AWS OFFICIALUpdated a year ago