Why was the wrong certificate returned when invoking my API Gateway custom domain name?

Last updated: 2022-09-29

I tried to make an API request to my Amazon API Gateway custom domain name, but the wrong certificate was returned. How do I fix this?

Short description

There are two types of custom domain names that you can create for API Gateway APIs: Regional or (for REST APIs only) edge-optimized.

For Regional custom domain names, API Gateway creates a Regional domain name. You must set up a DNS record that maps the custom domain name to a hostname similar to "d-example.execute-api.<region>.amazonaws.com".

For edge-optimized custom domain names, API Gateway creates an Amazon CloudFront distribution. You must set up a DNS record that maps the custom domain name to the distribution's domain name, similar to "distribution-id.cloudfront.net".

In both cases the DNS target is the API Gateway domain name that was created for the custom domain, not the API's default invoke (stage) URL "api-id.execute-api.<region>.amazonaws.com". Only the custom domain name endpoint serves the certificate that you attached to the custom domain.

In the following scenario, a certificate for *.example.com or www.example.com is attached to the custom domain name www.example.com, but an API request to www.example.com returns an error similar to the following. The certificate that the server presents is API Gateway's default *.execute-api.<region>.amazonaws.com certificate, not the one for your domain, which means that the request reached the API's default invoke endpoint rather than the custom domain name endpoint.

From a browser:

"This server could not prove that it is www.example.com; its security certificate is from *.execute-api.us-east-1.amazonaws.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

From curl:

"curl: (60) SSL: no alternative certificate subject name matches target hostname 'www.example.com'. curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above."

Resolution

Make sure that the CNAME record (or, in Route 53, the alias record) for the custom domain name points to the API Gateway domain name and not to the API Gateway stage URL. The error is TLS hostname verification working as intended: the server presented a certificate that doesn't cover www.example.com. Don't work around it by turning off certificate verification (for example, curl -k or --insecure); fix the DNS record instead.

1.    Run the following openssl command to see which certificate the server presents for the custom domain. The -servername option sends www.example.com as the SNI value, the same way a browser or curl does:

openssl s_client -connect www.example.com:443 -servername www.example.com

Example output (newer OpenSSL versions print the subject as "subject=CN = ..."):

subject=/CN=*.execute-api.us-east-1.amazonaws.com

A subject or subject alternative name of *.execute-api.<region>.amazonaws.com instead of your own domain confirms that the request is reaching the API's default invoke endpoint.

2.    Run the following dig command on the custom domain:

dig www.example.com

The dig command output shows either a CNAME record, whose target is the hostname that the custom domain is mapped to, or only A records with IP addresses (for example, when the domain uses a plain A record or a Route 53 alias record). A CNAME target similar to "api-id.execute-api.us-east-1.amazonaws.com" (no "d-" prefix) is the API Gateway stage URL and indicates the misconfiguration. If only IP addresses are returned, the target can't be read from the DNS response, so check the record itself in the next step.

3.    Check the DNS record for the domain www.example.com with your domain registrar to determine where it points. If your domain is registered with Amazon Route 53, then see Checking DNS responses from Route 53.

4.    To confirm that the DNS records are mapped correctly, open the API Gateway console. In the navigation pane, choose Custom domain names, and then choose your custom domain.

5.    From Domain details, choose Configuration, and then note the API Gateway domain name. The DNS record for the custom domain name must point to this API Gateway domain name. For Regional custom domain names it is a hostname similar to "d-example.execute-api.<region>.amazonaws.com". For edge-optimized custom domain names it is a hostname similar to "distribution-id.cloudfront.net".

6.    If the CNAME record points to the API Gateway stage URL instead of the API Gateway domain name, update the CNAME record so that it points to the API Gateway domain name from step 5. If your custom domain name is registered with a third party, then contact your domain registrar. If your custom domain name is registered with Route 53, then see Editing records. After the change propagates, repeat step 1 and confirm that the certificate subject or subject alternative name now covers www.example.com.
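The following script is an added example that is not part of the original article. It combines steps 1 and 2 of the Resolution into a single check: it classifies the CNAME target of the custom domain (API Gateway domain name, stage URL, CloudFront distribution, or something else), extracts the subject alternative names from the certificate that the server presents, and reports which of the cases above applies. The "diagnose" function works on values you pass in, so the classification logic can be run offline against sample input; "live_check" is the wrapper that runs dig and openssl against a real host. The hostnames in the comments and usage line are placeholders, not real resources.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): diagnose an API Gateway custom
# domain whose TLS certificate does not match, by combining Resolution steps
# 1 (openssl s_client) and 2 (dig). Hostnames below are placeholders.
set -u

# Classify the DNS target of a custom domain name.
# A trailing dot (as printed by dig) is stripped first.
classify_target() {
  local target="${1%.}"
  case "$target" in
    "") echo "no-cname" ;;
    d-*.execute-api.*.amazonaws.com) echo "regional-custom-domain" ;;
    *.cloudfront.net) echo "edge-optimized-custom-domain" ;;
    *.execute-api.*.amazonaws.com) echo "stage-url" ;;
    *) echo "unknown" ;;
  esac
}

# Read `openssl x509 -noout -text` output on stdin; print one DNS SAN per line.
extract_sans() {
  grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Return 0 if HOST is covered by one of the SAN entries. A leading "*." covers
# exactly one label, which is how browsers and curl evaluate wildcards.
cert_matches_host() {
  local host="$1" san rest first
  shift
  for san in "$@"; do
    [ "$san" = "$host" ] && return 0
    case "$san" in
      '*.'*)
        rest="${san#\*.}"
        first="${host%%.*}"
        [ -n "$first" ] && [ "$host" = "$first.$rest" ] && return 0
        ;;
    esac
  done
  return 1
}

# Print a one-line verdict for HOST, given its CNAME target and the SAN list
# from the certificate the server actually presented. Always exits 0; the
# first word of the output is the verdict code.
diagnose() {
  local host="$1" target="$2" kind
  shift 2
  kind="$(classify_target "$target")"
  if cert_matches_host "$host" "$@"; then
    echo "OK: certificate covers $host (DNS target type: $kind)"
    return 0
  fi
  case "$kind" in
    stage-url)
      echo "WRONG_TARGET: $host is a CNAME to the API stage URL ${target%.}; point it at the API Gateway domain name instead" ;;
    regional-custom-domain|edge-optimized-custom-domain)
      echo "CERT_MISMATCH: DNS target ${target%.} is an API Gateway domain name, but its certificate does not cover $host; check the certificate attached to the custom domain" ;;
    no-cname)
      echo "NO_CNAME: $host has no CNAME (A record or Route 53 alias); confirm the alias target in the Route 53 console" ;;
    *)
      echo "NOT_APIGW: $host points at ${target%.}, which is not an API Gateway domain name" ;;
  esac
  return 0
}

# Live check against a real host (needs dig and openssl on the PATH).
# `openssl x509 -text` is used rather than `-ext subjectAltName` so the
# parsing also works on older OpenSSL and LibreSSL builds.
live_check() {
  local host="$1" target sans
  target="$(dig +short "$host" CNAME | head -n 1)"
  sans="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -text | extract_sans)"
  # shellcheck disable=SC2086  # intentional word splitting: one SAN per word
  diagnose "$host" "$target" $sans
}

# Usage: ./check_apigw_domain.sh www.example.com
if [ "$#" -gt 0 ]; then
  live_check "$1"
fi
```

The classification relies on the naming API Gateway uses: Regional custom domain names are "d-<id>.execute-api.<region>.amazonaws.com", while the API's own stage URL is "<api-id>.execute-api.<region>.amazonaws.com" without the "d-" prefix. If dig returns no CNAME, the domain uses an A record or a Route 53 alias, and the target has to be read from the console as in step 3.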