How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?


I set up a custom domain name for my API Gateway API. I received an error that the AWS Certificate Manager (ACM) certificate is expired or "invalid certificate". How can I resolve this error?

Short description

The "certificate has expired" error occurs when the certificate used to create the custom domain name is expired.

The "invalid certificate" error occurs because of a mismatched common name (CN) or subject name in the certificate.

Resolution

Expired ACM certificates

If your certificate is expired, you might receive an error similar to the following:

"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]"

To check the certificate expiry, run the OpenSSL command s_client similar to the following:

openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates

To renew the certificate, see Managed renewal for ACM certificates.

To avoid expired certificates, see How to monitor expirations of imported certificates in ACM.

Mismatched ACM certificates

If your certificate has a mismatched CN or subject name, you might receive an error similar to the following:

"ERR_CERT_COMMON_NAME_INVALID"

Confirm the following settings:

  • The certificate used to create the custom domain name exists in ACM.
  • The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *.example.com.
  • Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.

Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).

Example configuration:

custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com

You can check your configuration by running the dig command on your custom domain similar to the following:

$ dig custom.example.com
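The three checks above (expiry, CN/SAN coverage, DNS) are usually run by hand with openssl and dig. The following script is an added example, not part of the AWS article, that performs the first two checks on a certificate in the dictionary shape Python's ssl module returns from getpeercert(). The sample certificate dictionaries are constructed for illustration and are not real certificates; the execute-api SAN value is an assumption used only to illustrate the note about pointing a custom domain directly at the execute-api endpoint. fetch_peer_cert() is a small network helper (it raises the same SSLCertVerificationError quoted above when verification fails) and is not used by the offline checks.

```python
"""Check an API Gateway custom-domain certificate for the two failures
described above: expiry, and a CN/SAN that does not cover the hostname."""
import socket
import ssl
import time
from typing import List, Optional, Tuple


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Connect with SNI set to `hostname` and return the verified leaf cert as
    the dict getpeercert() produces. Raises ssl.SSLCertVerificationError (the
    CERTIFICATE_VERIFY_FAILED error quoted in the article) on a bad cert.
    Requires network access; the checks below work on the dict offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def cert_expiry_status(cert: dict, now: Optional[float] = None) -> Tuple[bool, int]:
    """Return (currently_valid, days_until_notAfter) from notBefore/notAfter.
    Negative days means the certificate has already expired."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return (not_before <= now <= not_after), days_left


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: a wildcard is honoured only as the whole
    leftmost label and matches exactly one label, so *.example.com covers
    custom.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate is valid for: the SAN entries, or the CN only
    when no SAN extension is present (the same precedence browsers apply)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if any SAN/CN entry matches the custom domain name."""
    return any(_label_match(name, hostname) for name in cert_names(cert))


def diagnose(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    valid, days = cert_expiry_status(cert, now)
    if not valid:
        problems.append(f"certificate is expired or not yet valid ({days} days to notAfter)")
    if not hostname_covered(cert, hostname):
        problems.append(f"{hostname} is not covered by the certificate names {cert_names(cert)}")
    return problems


# Constructed sample certificates in getpeercert() shape (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "custom.example.com"),),),
    "subjectAltName": (("DNS", "custom.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
# Assumed SAN of an execute-api endpoint certificate, to illustrate why a
# custom domain cannot be pointed straight at the execute-api hostname.
EXECUTE_API_CERT = {
    "subject": ((("commonName", "*.execute-api.us-east-1.amazonaws.com"),),),
    "subjectAltName": (("DNS", "*.execute-api.us-east-1.amazonaws.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
# Frozen clocks so the checks are reproducible offline.
NOW_VALID = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
NOW_EXPIRED = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert, now in [("valid", GOOD_CERT, NOW_VALID),
                             ("expired", GOOD_CERT, NOW_EXPIRED),
                             ("execute-api", EXECUTE_API_CERT, NOW_VALID)]:
        print(label, diagnose(cert, "custom.example.com", now) or "OK")
```

To run the same checks against a live custom domain, pass fetch_peer_cert("custom.example.com") to diagnose() with now left as None; the DNS check from the article still needs dig, since it is a property of the record rather than of the certificate.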

Related information

How can I resolve DNS resolution or certificate mismatch errors for my API Gateway custom domain name?

AWS OFFICIAL · Updated 2 years ago