AWS API Gateway SSL: How to Resolve the Certificate Subject Name Mismatch Error

When working with Amazon Web Services (AWS) API Gateway, you might encounter the SSL error: certificate subject name (*.execute-api.ap-south-1.amazonaws.com) does not match target host name ‘custom-domain’. This typically happens when you’re trying to map a custom domain to your AWS API Gateway.

Let’s break down what this error means, why it happens, and how you can resolve it.

What Is an SSL Certificate Subject Name Mismatch Error?

TLS certificates are bound to the exact DNS names listed in their Subject Alternative Name (SAN) extension; modern clients ignore the older Common Name field. When a client connects, it compares the hostname it asked for against those entries, and if none matches it aborts the handshake; this is a hard failure in curl, browsers and most HTTP libraries, not a warning. A wildcard entry such as *.execute-api.ap-south-1.amazonaws.com stands for exactly one label in place of the asterisk, so it covers {api-id}.execute-api.ap-south-1.amazonaws.com but not a name like custom-domain or api.example.com. In the context of API Gateway, the error above therefore means the client asked for your custom domain name and the server answered with the default execute-api certificate: the TLS handshake terminated on the default endpoint, not on a correctly configured custom domain.

Why Does This Error Happen?

API Gateway generates a default URL in the format {api-id}.execute-api.{region}.amazonaws.com, and the certificate for that hostname is issued and managed by AWS; you cannot add your own names to it. If you simply create a DNS CNAME from your custom domain to that execute-api hostname, every client receives the AWS wildcard certificate for a name it did not ask for and rejects the connection, which is the mismatch error. For a custom domain to work, you must register it with API Gateway together with a certificate you control that lists that domain (ACM validates that you control the domain before issuing it), and point DNS at the endpoint API Gateway creates for the custom domain (a CloudFront distribution for an edge-optimized API, a regional endpoint for a regional API), so that the handshake terminates on an endpoint presenting your certificate. API Gateway checks the certificate against the domain name when you create the mapping and refuses a certificate that does not cover it; the runtime error quoted above is raised by the client, not by API Gateway. Note also that the certificate must be in us-east-1 for an edge-optimized custom domain and in the API's own region for a regional one; a certificate from the wrong region cannot be attached.
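The matching rule described above, and a check that shows which names the server at a hostname actually presents, as an added example that is not part of the original article. The placeholder names (api.example.com, the API id abc123) are assumptions; hostname_matches implements the usual RFC 6125 client rule (exact match, or a single-label wildcard in the left-most position), and check_host needs network access and OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original article: the hostname-matching rule a
# TLS client applies, plus a check of which names a server really presents.
# Placeholder names such as api.example.com are assumptions.
set -eu

# DNS names compare case-insensitively, so normalise both sides first.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# hostname_matches HOST NAME
# Succeeds when certificate name NAME (a dNSName SAN, possibly "*.suffix") is
# valid for HOST under the RFC 6125 rules clients use: an exact match, or a
# wildcard in the left-most label only that stands for exactly one label.
# So "*.example.com" covers "api.example.com" but neither "example.com" nor
# "a.b.example.com", and "*.execute-api.ap-south-1.amazonaws.com" does not
# cover "custom-domain".
hostname_matches() {
    h=$(lc "$1"); n=$(lc "$2")
    [ "$h" = "$n" ] && return 0
    case "$n" in
        \*.*)
            sfx=${n#\*.}          # everything after "*."
            rest=${h#*.}          # HOST minus its first label
            if [ "$rest" != "$h" ] && [ "$rest" = "$sfx" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# any_matches HOST NAME...
# Succeeds when at least one of the listed certificate names covers HOST.
any_matches() {
    target=$1; shift
    for candidate in "$@"; do
        hostname_matches "$target" "$candidate" && return 0
    done
    return 1
}

# presented_names HOST [PORT]
# Connects with SNI set to HOST, as curl or a browser would, and prints the
# dNSName entries of the certificate the server actually returns
# (needs OpenSSL 1.1.1+ for -ext).
presented_names() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# check_host HOST
# Diagnoses the error from the article: prints the presented names and whether
# any of them covers HOST. A mismatch means DNS sent the client to an endpoint
# (typically the raw execute-api hostname) that is not serving a certificate
# for the custom domain.
check_host() {
    names=$(presented_names "$1")
    echo "$1 presented: $names"
    # shellcheck disable=SC2086  # names are whitespace-separated, no spaces inside
    if any_matches "$1" $names; then
        echo "OK: certificate covers $1"
    else
        echo "MISMATCH: certificate does not cover $1 (check the CNAME target)"
        return 1
    fi
}

# Usage: sh check_tls_name.sh check api.example.com
if [ "${1:-}" = check ]; then check_host "$2"; fi
```

Running check_host against a custom domain that has been CNAMEd straight to the execute-api hostname prints only the AWS wildcard names and reports a mismatch; after the DNS record is moved to the API Gateway target domain, the presented list includes your domain and the check passes.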

How to Solve the Certificate Subject Name Mismatch Error?

Let’s go step by step on how to solve this issue:

Step 1: Get an SSL Certificate for Your Custom Domain

The first step is to get a TLS certificate that lists your custom domain. You can use AWS Certificate Manager (ACM) to issue one at no charge. Request a public certificate in the region the endpoint will use (us-east-1 for an edge-optimized domain, the API's own region for a regional one), add your domain name, and prove control of the domain through DNS validation.

aws acm request-certificate --domain-name your-custom-domain.com --validation-method DNS --region your-region-name

Step 2: Validate Your Certificate

After you've requested your certificate, the next step is to validate it. ACM publishes a CNAME record name and value for the domain under the certificate's domain validation options (visible in the console or via describe-certificate); create that record at your DNS provider. The certificate status moves from PENDING_VALIDATION to ISSUED once ACM observes the record, and it cannot be attached to an API Gateway domain name before that.

Step 3: Add the Custom Domain to API Gateway

Once your certificate is validated, you can add your custom domain to API Gateway.

aws apigateway create-domain-name --domain-name your-custom-domain.com --certificate-arn your-certificate-arn --region your-region-name

Here, replace your-certificate-arn with the ARN of the validated certificate. As written, this creates an edge-optimized domain name (the default), so the certificate must be an ACM certificate in us-east-1. For a regional API, pass --regional-certificate-arn instead of --certificate-arn and add --endpoint-configuration types=REGIONAL, using a certificate from the API's region. In either case, consider --security-policy TLS_1_2 so the endpoint does not negotiate TLS 1.0. API Gateway refuses the call if the certificate does not list the domain name; that is the create-time counterpart of the client-side mismatch error.

Step 4: Create a Base Path Mapping

The final step is to create a base path mapping to connect your custom domain to your API.

aws apigateway create-base-path-mapping --domain-name your-custom-domain.com --rest-api-id your-api-id --stage your-stage-name --region your-region-name

In the above command, replace your-api-id and your-stage-name with your API ID and stage name respectively.

Step 5: Update Your DNS Configuration

Update your DNS configuration so that the custom domain resolves to the endpoint API Gateway created for it, not to the execute-api hostname. The create-domain-name and get-domain-name output includes the target: distributionDomainName for an edge-optimized domain, regionalDomainName for a regional one. Create a CNAME record (or, in Route 53, an alias record using the matching distributionHostedZoneId or regionalHostedZoneId) from your custom domain to that target. Once the record has propagated, confirm with curl or openssl s_client that the certificate presented for your domain now lists it. If the mismatch error persists, the record is almost certainly still pointing at the execute-api hostname, or a resolver is still caching the old CNAME.
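Steps 1 to 5 wired together as one script, added here as an example and not taken from the original article. It uses only the AWS CLI with JMESPath --query filters (no jq), handles both endpoint types, and prints the DNS record you still have to create by hand. The placeholder values (api.example.com, ap-south-1, API id abc123, stage prod) are assumptions, overridable through the environment; the script needs AWS credentials to actually run.

```shell
#!/bin/sh
# Added example, not from the original article: Steps 1-5 as one script using
# only the AWS CLI (JMESPath --query instead of jq). Placeholder values
# (api.example.com, ap-south-1, API id abc123, stage prod) are assumptions.
set -eu

DOMAIN=${DOMAIN:-api.example.com}
API_REGION=${API_REGION:-ap-south-1}
API_ID=${API_ID:-abc123}
STAGE=${STAGE:-prod}
ENDPOINT_TYPE=${ENDPOINT_TYPE:-REGIONAL}   # REGIONAL or EDGE

# The certificate must live where the TLS endpoint lives: CloudFront (EDGE)
# only reads ACM certificates from us-east-1; a REGIONAL domain uses the
# API's own region. Attaching one from the wrong region is rejected.
cert_region_for() {
    case "$1" in
        EDGE)     echo us-east-1 ;;
        REGIONAL) echo "$2" ;;
        *)        echo "unsupported endpoint type: $1" >&2; return 1 ;;
    esac
}

# The DNS target differs too. Neither value is the execute-api hostname;
# pointing the CNAME there is exactly what produces the mismatch error.
target_field_for() {
    case "$1" in
        EDGE)     echo distributionDomainName ;;
        REGIONAL) echo regionalDomainName ;;
        *)        return 1 ;;
    esac
}

deploy() {
    cert_region=$(cert_region_for "$ENDPOINT_TYPE" "$API_REGION")

    # Step 1: request a DNS-validated public certificate for the custom name.
    cert_arn=$(aws acm request-certificate --domain-name "$DOMAIN" \
        --validation-method DNS --region "$cert_region" \
        --query CertificateArn --output text)

    # Step 2: ACM needs a moment to attach the validation record; print the
    # CNAME name/value it wants, then block until the certificate is ISSUED.
    sleep 10
    aws acm describe-certificate --certificate-arn "$cert_arn" --region "$cert_region" \
        --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' \
        --output text
    echo "create that CNAME at your DNS provider; waiting for ACM to validate..."
    aws acm wait certificate-validated --certificate-arn "$cert_arn" --region "$cert_region"

    # Step 3: register the custom domain with the certificate, TLS 1.2 minimum.
    if [ "$ENDPOINT_TYPE" = EDGE ]; then
        aws apigateway create-domain-name --domain-name "$DOMAIN" \
            --certificate-arn "$cert_arn" --security-policy TLS_1_2 \
            --endpoint-configuration types=EDGE --region "$API_REGION" >/dev/null
    else
        aws apigateway create-domain-name --domain-name "$DOMAIN" \
            --regional-certificate-arn "$cert_arn" --security-policy TLS_1_2 \
            --endpoint-configuration types=REGIONAL --region "$API_REGION" >/dev/null
    fi

    # Step 4: map the root path of the domain to the API stage.
    aws apigateway create-base-path-mapping --domain-name "$DOMAIN" \
        --rest-api-id "$API_ID" --stage "$STAGE" --region "$API_REGION" >/dev/null

    # Step 5: read back the hostname the custom domain's CNAME must point at.
    target=$(aws apigateway get-domain-name --domain-name "$DOMAIN" --region "$API_REGION" \
        --query "$(target_field_for "$ENDPOINT_TYPE")" --output text)
    echo "now create the DNS record:  $DOMAIN  CNAME  $target"
}

# Usage: ENDPOINT_TYPE=REGIONAL DOMAIN=api.example.com API_ID=abc123 sh custom_domain.sh deploy
if [ "${1:-}" = deploy ]; then deploy; fi
```

The two small helpers carry the part people most often get wrong: the certificate region follows the endpoint type rather than the API region, and the DNS target is read back from the domain name resource rather than assumed.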

Conclusion

In conclusion, the certificate subject name mismatch error occurs when a client connects to your custom domain name but reaches the default execute-api endpoint and is handed the AWS wildcard certificate, which does not list that name. You resolve it by issuing a validated certificate for the custom domain in the right region, attaching it to an API Gateway custom domain name with a base path mapping to your API, and pointing DNS at the target domain API Gateway creates rather than at the execute-api hostname. By following the steps outlined above, you can move from the default API Gateway URL to your custom domain name without clients seeing a certificate error.

Remember, while working with AWS services, it's essential to adhere to best practices for security, including properly managing and validating your TLS certificates. In particular, do not work around this error by disabling certificate verification in the client (curl -k, verify=False and the like): that hides the misconfiguration rather than fixing it and removes the only protection the client has against a man-in-the-middle presenting any certificate it likes.

