I've successfully got the api-gw talking to an NLB (via VPC Link), then on to an ALB, then on to my ECS cluster running my APIs.

To enable SSL between api-gw and ALB using private certs I've used the insecureSkipVerification tlsconfig. The private certs were created by ACM-PCA in this test.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-extensions-integration-tls-config.html

However, what I want to do is import a private certificate, rather than use one created by an AWS private CA. When I create my own certificate, import it into ACM and attach it to the load balancer, I get an SSL error:

Execution failed due to....PKIX path building failed:...certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

This is the same error you get when you use a private cert without enabling insecureSkipVerification.

Is using self-managed private CA certs not an option at all with the api-gw?

Skynet5

1 Answer

I had the same issue; in my case, when I imported the custom certificate into ACM I didn't specify the Certificate Chain. I was able to use the SSL certificate for the ALB, but when integrating with API Gateway I was getting the error. After I specified the Certificate Chain, I was able to use my custom (imported) SSL certificate with API Gateway without issues.

[Image: Specify a value for Certificate Chain]

Moritz Ringler
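A local pre-import check for the fix described in the answer above, as an added example that is not part of the original posts: it builds a constructed root, intermediate and server certificate with `openssl` and shows that the server certificate only validates against the root when the intermediate is supplied as the chain. All file and subject names are assumptions; `import_with_chain` wraps the AWS CLI `aws acm import-certificate` call and is not run here.

```shell
#!/usr/bin/env bash
# Added example. All names and files are constructed test data.

# Build a throwaway root CA -> intermediate CA -> server certificate in dir $1.
make_test_pki() {
  local d="$1" name
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  # Self-signed root, then the intermediate signed by the root (both CA:TRUE).
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server certificate signed by the intermediate, not by the root.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if LEAF plus the optional CHAIN file build a path to ROOT.
chain_is_complete() {  # usage: chain_is_complete ROOT LEAF [CHAIN]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Import into ACM only after the chain checks out (needs AWS credentials).
import_with_chain() {  # usage: import_with_chain ROOT LEAF KEY CHAIN
  chain_is_complete "$1" "$2" "$4" || { echo "chain incomplete" >&2; return 1; }
  aws acm import-certificate --certificate "fileb://$2" \
    --private-key "fileb://$3" --certificate-chain "fileb://$4"
}

demo() {
  local d; d="$(mktemp -d)"
  make_test_pki "$d"
  chain_is_complete "$d/root.pem" "$d/leaf.pem" || echo "without chain: no path to root"
  chain_is_complete "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "with chain: ok"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes on the constructed certificates.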