
I have an API Gateway Regional REST API with a Lambda proxy integration and a custom domain name, and I need to add mutual TLS.

The API is working fine without mTLS.

I have followed this guide to enable mTLS and test it with self-signed certificates: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

But when I make a request with curl just like in the guide, curl --key my_client.key --cert my_client.pem https://api.yourdomain.com, I get curl: (92) HTTP/2 stream 0 was not closed cleanly: CANCEL (err 8).

--http1.1 doesn't help either; it just says curl: (52) Empty reply from server instead. The empty response doesn't contain any headers or body; it's just 0 bytes.

If I omit the client key and cert, I receive curl: (35) OpenSSL SSL_connect: Connection was reset in connection to api.yourdomain.com:443, which I believe indicates that mTLS is enabled.

All troubleshooting examples try to solve 403 response errors.

I have no clue what could possibly be wrong, and I would really appreciate any help that can point me to where I can look to try to solve the issue.

Oygen87

2 Answers


I resolved the issue by generating a new CA and certificates and uploading them again to a versioned S3 bucket.

I don't know exactly why I got this error, but I believe the application went into some invalid/erroneous state after I tried setting different configurations on the API Gateway, S3 bucket, and domain name many times in my trial-and-error journey.

Oygen87
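As an added example (not code from the question or from either answer), the shell script below reproduces the self-signed CA and client certificate setup from the linked guide with the openssl CLI, then checks a client certificate against the truststore PEM locally, before it is uploaded to the versioned S3 bucket, so a stale or mismatched truststore is caught on the workstation rather than showing up as a reset or empty reply from the gateway. All directory and file names are constructed here; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not code from the question or answers). Builds a test-only
# private CA plus one client certificate, as in the linked AWS guide, and checks
# a client cert against a truststore PEM before that PEM is uploaded to S3.
# Every directory and file name below is constructed for this demo.
set -eu

# Issue a self-signed private CA and one client certificate signed by it.
make_ca_and_client() {          # $1 = output dir, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
      -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
      -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 365 -out "$1/client.pem" 2>/dev/null
}

# Prints "ok" when the client cert chains to a CA inside the truststore PEM,
# "mismatch" otherwise. A mismatch is the state the answers fixed by
# regenerating the CA: the gateway rejects the connection at the TLS layer,
# so there is no 403 and no stage access log, only a reset or empty reply.
truststore_matches() {          # $1 = truststore.pem, $2 = client.pem
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo mismatch; fi
}

# Prints "ok" when the certificate stays valid for at least $2 more seconds.
cert_not_expiring() {           # $1 = cert.pem, $2 = seconds
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo ok; else echo expiring; fi
}

# Demo: an "old" CA whose client cert predates the truststore regeneration,
# and a "new" CA whose ca.pem is the truststore that actually gets uploaded.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/old" "$work/new"
  make_ca_and_client "$work/old" "Old Private CA"
  make_ca_and_client "$work/new" "New Private CA"
  cp "$work/new/ca.pem" "$work/truststore.pem"
  echo "new client vs uploaded truststore: $(truststore_matches "$work/truststore.pem" "$work/new/client.pem")"
  echo "old client vs uploaded truststore: $(truststore_matches "$work/truststore.pem" "$work/old/client.pem")"
  echo "new client valid for 30 more days:  $(cert_not_expiring "$work/new/client.pem" 2592000)"
  rm -rf "$work"
}

demo
```

Run the two checks against the real client.pem and the exact truststore.pem object version you point API Gateway at; if truststore_matches prints mismatch, the upload, not the gateway, is what needs fixing.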

Adding an "answer" since I do not have enough reputation to comment.

Thank you for posting your findings, @Oygen87! I ran into this exact issue and it was very tricky to troubleshoot. mTLS is seemingly established, but the gateway execution/stage access logs are never produced, which would signal the request never actually reaches the gateway. I too had many different configurations over the course of my development, and this last one seemingly threw it out of whack. As you mentioned, recreating the Private CA and issuing a new client certificate resolved my problem.

I do want to add that I did my initial testing in Postman, and the error is slightly different than curl. In Postman, this issue presents itself as Error: socket hang up. I did not come across any SO/other posts with this error as it relates to AWS API gateway with mTLS. I'm hoping that by posting here it may surface for others that might run into a similar issue. (Note for those folks, if you try the curl request Postman produces, you'll see the same error as OP).

heef