How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?
Last updated: 2022-09-23
I set up a custom domain name for my API Gateway API. I received an error that the AWS Certificate Manager (ACM) certificate is expired or "invalid certificate". How can I resolve this error?
The "certificate has expired" error occurs when the certificate used to create the custom domain name has expired.
The "invalid certificate" error occurs because the common name (CN) or subject name in the certificate does not match the custom domain name.
Expired ACM certificates
If your certificate is expired, you might receive an error similar to the following:
"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]"
To check the certificate expiry, run an OpenSSL s_client command similar to the following:
openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates
To renew the certificate, see Managed renewal for ACM certificates.
To avoid expired certificates, see How to monitor expirations of imported certificates in ACM.
Mismatched ACM certificates
If your certificate has a mismatched CN or subject name, you might receive an error similar to the following:
Confirm the following settings:
- The certificate used to create the custom domain name exists in ACM.
- The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *.example.com.
- Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.
Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).
custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com
You can check your configuration by running the dig command on your custom domain similar to the following:
$ dig custom.example.com
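The two checks above (expiry from the openssl dates, and whether the CN or a SAN entry covers the custom domain, including the execute-api case in the Note) can be scripted. This is an added example, not code from the article or from AWS; it parses the text that the page's openssl pipeline prints when `-subject -ext subjectAltName` are appended to `openssl x509 -noout -dates`, and the two certificate samples below are constructed for illustration.

```python
"""Diagnose the two failure causes above (expired certificate, CN/SAN that does not
cover the custom domain) from the output of the openssl command on this page."""
import re
import ssl
from datetime import datetime, timezone

# Constructed samples (not real certificates) of what
# `openssl x509 -noout -dates -subject -ext subjectAltName` prints: a wildcard
# certificate, and one resembling the default execute-api endpoint certificate,
# which never lists the custom domain (the situation the Note above describes).
SAMPLE_WILDCARD = """\
notAfter=Sep 23 23:59:59 2022 GMT
subject=CN = *.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""
SAMPLE_EXECUTE_API = """\
notAfter=Dec 31 23:59:59 2022 GMT
subject=CN = *.execute-api.us-east-1.amazonaws.com
X509v3 Subject Alternative Name:
    DNS:*.execute-api.us-east-1.amazonaws.com
"""

def matches_name(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label:
    *.example.com covers custom.example.com but not a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def certificate_names(text):
    """CN plus every DNS entry of the SAN extension, as printed by openssl."""
    names = re.findall(r"\bCN\s*=\s*([^,/\n]+)", text) + re.findall(r"DNS:([^\s,]+)", text)
    return [n.strip() for n in names]

def check_certificate(text, custom_domain, now=None):
    """Report expiry and name coverage; `now` may be an ISO 8601 string for testing."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    not_after = re.search(r"^notAfter=(.+)$", text, re.M).group(1)
    # ssl.cert_time_to_seconds understands the "Sep 23 23:59:59 2022 GMT" openssl format
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    names = certificate_names(text)
    return {"expires": expires.isoformat(), "expired": expires <= now,
            "days_left": (expires - now).days, "names": names,
            "name_matches": any(matches_name(n, custom_domain) for n in names)}
```

Feed it the live output of `openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates -subject -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later) to get the same report for a real custom domain.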