How can I troubleshoot the API Gateway error “Execution failed due to configuration error: General SSLEngine problem”?

Last updated: 2022-12-01

Amazon API Gateway returned an error for my API request similar to the following:

"Execution failed due to configuration error: General SSLEngine problem"

Resolution

When API Gateway forwards a request to an HTTP, HTTP proxy, or private integration, it performs a TLS (SSL) handshake with the backend endpoint. For that handshake to succeed, the certificate that the backend presents must meet the following requirements:

A supported CA

The certificate must be issued by a CA that API Gateway supports for HTTP, HTTP proxy, and private integrations. To compare your CA against the supported list, print the CA certificate's fingerprint with the following OpenSSL command for your operating system:

Linux

openssl x509 -in cert.pem -fingerprint -sha256 -noout

openssl x509 -in cert.pem -fingerprint -sha1 -noout

Windows

openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

A valid ACM certificate that isn't expired

To check the expiration date of the certificate, run the following OpenSSL command:

openssl x509 -in certificate.crt -text -noout

In the output, check for the validity timestamp:

Validity
            Not Before: Apr 29 12:49:02 2020 GMT
            Not After : Apr 29 12:49:02 2021 GMT

In this example output, the certificate became valid on April 29, 2020 and expires on April 29, 2021. A backend certificate whose Not After date has passed fails the handshake.

A valid CA certificate

Check the CA certificate configuration by running the following OpenSSL command:

openssl s_client -connect example.com:443 -servername example.com -showcerts

Replace example.com with your backend's hostname. The -servername option sends that name as SNI, so you see the same certificate chain that API Gateway receives when it connects.

Validate that:

  • The subject of the intermediate certificate matches the issuer of the entity (leaf) certificate.
  • The subject of the root certificate matches the issuer of the intermediate certificate.
  • The subject and issuer are the same in the root certificate (it's self-signed).

A public key that doesn't exceed 2048 bits

Check the key size of the certificate by running the following OpenSSL command:

openssl x509 -in certificate.crt -text -noout | grep 'Public-Key:'

The output is a line such as Public-Key: (2048 bit).

Note: The certificate's public key can't exceed 2048 bits.
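The following script is added here as a worked example; it is not part of the original article or an AWS tool. It builds a throwaway root > intermediate > leaf chain with OpenSSL (constructed test data; the names Example Root CA, Example Intermediate CA and backend.example.com are made up) and then runs the checks described above on each leaf: subject/issuer linkage plus a signature verification up to the root, expiry, public key size, and the root CA fingerprint for comparison with the supported-CA list. It also includes a helper that splits the bundle printed by openssl s_client -showcerts into one file per certificate, so the same checks can be run against a real backend.

```sh
#!/bin/sh
# Added example, not from the AWS article: build a throwaway root -> intermediate -> leaf
# chain with OpenSSL (constructed test data), then run the article's checks on each leaf.
# To test a real backend, save its chain from `openssl s_client -showcerts`, split it with
# split_pem_bundle below, and pass the leaf/intermediate/root files to check_backend_cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Split a concatenated PEM file (e.g. s_client -showcerts output; other lines are ignored) into
# PREFIX.0.pem, PREFIX.1.pem, ... in server order (leaf first); prints how many were written.
split_pem_bundle() {  # split_pem_bundle BUNDLE PREFIX
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { f = p "." n++ ".pem" }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }
                 END { print n + 0 }' "$1"
}

# SHA-256 fingerprint, to compare with the fingerprints in the API Gateway supported-CA list.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Public key size in bits, parsed from the "Public-Key: (N bit)" line of the -text output.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Subject or issuer DN without the "subject="/"issuer=" prefix, so the two can be compared.
cert_dn() {  # cert_dn FILE subject|issuer
  openssl x509 -noout "-$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# Succeeds if the certificate is still valid $2 seconds from now (0 = "not expired right now").
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# The name checks from the article: leaf.issuer == intermediate.subject,
# intermediate.issuer == root.subject, root.issuer == root.subject.
chain_names_link() {  # chain_names_link LEAF INTERMEDIATE ROOT
  [ "$(cert_dn "$1" issuer)" = "$(cert_dn "$2" subject)" ] &&
  [ "$(cert_dn "$2" issuer)" = "$(cert_dn "$3" subject)" ] &&
  [ "$(cert_dn "$3" issuer)" = "$(cert_dn "$3" subject)" ]
}

# All checks together; returns 0 only if every one passes.
check_backend_cert() {  # check_backend_cert LEAF INTERMEDIATE ROOT MIN_VALID_SECONDS
  ok=0
  if ! chain_names_link "$1" "$2" "$3"; then echo "FAIL: subject/issuer names do not chain"; ok=1; fi
  # Name matching is necessary but not sufficient: also verify the signatures up to the root.
  if ! openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo "FAIL: signature chain does not verify"; ok=1
  fi
  if ! cert_valid_for "$1" "$4"; then echo "FAIL: leaf is expired or expires within $4 s"; ok=1; fi
  bits=$(cert_key_bits "$1"); : "${bits:=0}"
  if [ "$bits" -gt 2048 ]; then echo "FAIL: public key is $bits bits (limit 2048)"; ok=1; fi
  echo "root CA SHA-256 fingerprint (look it up in the supported-CA list): $(cert_fingerprint "$3")"
  return $ok
}

# --- constructed chain: Example Root CA -> Example Intermediate CA -> backend.example.com ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:backend.example.com\n' > "$WORK/leaf.ext"

openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# make_leaf NAME KEYBITS DAYS: leaf signed by the intermediate with the given key size and lifetime.
make_leaf() {
  openssl req -new -newkey "rsa:$2" -nodes -subj "/CN=backend.example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days "$3" -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/$1.pem" 2>/dev/null
}
make_leaf good 2048 365        # meets every requirement
make_leaf bigkey 3072 365      # public key larger than 2048 bits
make_leaf shortlived 2048 1    # not expired yet, but expires within the 30-day window below

for leaf in good bigkey shortlived; do
  echo "== $leaf"
  if check_backend_cert "$WORK/$leaf.pem" "$WORK/int.pem" "$WORK/root.pem" 2592000; then echo "PASS"; fi
done
```

The last argument to check_backend_cert is a margin in seconds (30 days here), so a certificate that is still valid today but about to lapse is reported before it breaks the integration. The openssl verify step is added on top of the article's subject/issuer comparison because matching names alone do not prove the intermediate actually signed the leaf.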

If your certificate doesn't meet all of these requirements, first update your private CA so that it satisfies them. Then, reissue a new certificate using AWS Certificate Manager (ACM) and deploy it on the backend.
