Can I use wildcard certificate for API gateway? Do certificates clash?

0

I am hosting my static app in S3/CloudFront: myapp.com. I have a Regional REST API that I have been invoking using the default URL: https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com. Now I am trying to add a custom domain name for my REST API so I can disable TLS earlier than v1.2. I should note that I inherited support for this site: it was originally set up 4 years ago by a developer no longer with the company.

Following the instructions for adding the custom domain name, I got a certificate for 'api.myapp.com' in us-east-1, and added the custom domain name 'api.myapp.com' using the certificate. Next, in Route 53, I selected the existing hosted zone, myapp.com, which had 3 records: A, NS, and SOA (all for record name 'myapp.com') and created a 4th record, type A, name: api.myapp.com, with the API Gateway domain name from the custom domain name in API Gateway: d-yyyyyyyyyy.execute-api.us-east-1.amazonaws.com, Alias: Yes, Routing policy: Simple.

Finally, back in API Gateway I set up API mappings for api.myapp.com, selecting my API, Stage DEV, path DEV, and deployed stage DEV. I was getting a 404 error when trying to call https://api.myapp.com. After much digging, I realized that the CloudFront distribution for the static site was configured for the Alternate Domain Names 'myapp.com' and '*.myapp.com'. I changed that to be 'myapp.com' and 'www.myapp.com', and the 404 when I access https://api.myapp.com changed to ERR_SSL_VERSION_OR_CIPHER_MISMATCH. I reviewed the certificates again, and now saw that the original cert attached to the CloudFront distribution is for 'myapp.com' and '*.myapp.com'. I tried to switch the API Gateway custom domain to that cert, and also tried deleting and re-creating the custom domain, but I am still getting the same SSL error. Is it valid to use the wildcard certificate for the API Gateway custom domain? Does having two certificates that cover api.myapp.com cause a problem? I haven't tried deleting the new certificate yet.

1 Answer
0

Yes, API Gateway supports wildcard certificates for custom domains. Does the original cert use wildcard (asterisk "*") in one of the fully qualified domain names?

AWS
answered 10 months ago
  • Yes, it has '*.myapp.com'
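As an added example (not part of the question or the AWS answer above), a small Python check of the two points at issue: whether a SAN entry such as '*.myapp.com' covers api.myapp.com under the usual one-label wildcard rule, and which certificate the endpoint actually presents for that SNI name over TLS 1.2 or later. The hostnames are the ones from the question, and the live probe assumes network access; nothing else is assumed.

```python
import socket
import ssl
from typing import Iterable, List


def wildcard_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    covers exactly one label, so '*.myapp.com' covers 'api.myapp.com' but
    neither 'myapp.com' (the bare apex) nor 'dev.api.myapp.com'."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # '*.myapp.com' -> '.myapp.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covering_sans(sans: Iterable[str], hostname: str) -> List[str]:
    """Return the SAN entries of one certificate that cover hostname.
    An empty list means the certificate is not valid for that name."""
    return [s for s in sans if wildcard_matches(s, hostname)]


def presented_cert_sans(hostname: str, port: int = 443,
                        timeout: float = 5.0) -> List[str]:
    """Live check (needs network): open a TLS 1.2+ connection with SNI set
    to hostname and return the DNS SANs of the certificate the server
    actually presents. A handshake failure here reproduces the browser's
    version/cipher mismatch error outside the browser."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list mirroring the original CloudFront certificate.
    wildcard_cert = ["myapp.com", "*.myapp.com"]
    print(covering_sans(wildcard_cert, "api.myapp.com"))  # ['*.myapp.com']
    print(covering_sans(wildcard_cert, "myapp.com"))      # ['myapp.com']
    # Uncomment with network access to see which cert the endpoint serves:
    # print(presented_cert_sans("api.myapp.com"))
```

A TLS client only ever sees the one certificate the server selects for the SNI name it sent, so two ACM certificates that both cover api.myapp.com do not clash; what matters is that the certificate attached to the API Gateway custom domain covers the name and that the endpoint answers the TLS 1.2 handshake.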
