Tags: amazon-web-services, ssl, aws-api-gateway, aws-certificate-manager

How do I combine AWS API Gateway and Application Load Balancer for HTTPS outside of us-east-1?


I am attempting to route traffic through the AWS API Gateway to my ECS containers running in a private subnet via an Application Load Balancer running in a public subnet. Using plain old HTTP everything works perfectly fine, but now I want to add transport layer security (TLS, fka SSL) to the communication between the gateway and the load balancer. In other words, terminate SSL at the load balancer.

  • I've got a custom domain name configured and working on my gateway that was already exposing an HTTPS endpoint.
  • I've got an HTTPS listener configured on my load balancer, which scolds me for having a dodgy certificate, but if I ignore the warning when I hit it directly I get routed to my service correctly. Thus load balancer routing is correct.
  • When I attempt to point the gateway to the balancer it breaks. Furthermore, it seems that I can only use certificates for custom domain names that are in the us-east-1 region. At present they are failing with the following error in CloudWatch (details obscured for privacy).

Execution failed due to configuration error: Host name 'XXXXXXXXX-lb-XXXXXXXXX..elb.amazonaws.com' does not match the certificate subject provided by the peer (CN=)

Given my load balancer is not in the us-east-1 region, how can I achieve my goal?


Solution

  • Assign a custom domain name to the load balancer. Then assign a valid SSL certificate to the load balancer using the ACM service. Then reference the load balancer using the custom domain name.
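The answer above expressed as Terraform, added here as an example and not part of the original answer. The us-east-1 requirement only applies to the certificate for the gateway's own edge-optimized custom domain; the load balancer's certificate is issued by ACM in the load balancer's region, and the gateway integration then references the custom hostname so that the name it connects to matches the certificate subject. Assumed to exist already: the ALB `aws_lb.app`, its target group `aws_lb_target_group.app`, the REST API objects `aws_api_gateway_rest_api.api`, `aws_api_gateway_resource.proxy` and `aws_api_gateway_method.proxy`, and a hosted zone id in `var.hosted_zone_id`; `origin.example.com` and `eu-west-1` are placeholders.

```hcl
provider "aws" {
  region = "eu-west-1"  # the ALB's region: this certificate must live here, not in us-east-1
}

# 1. Certificate for the load balancer's own hostname, issued in the ALB's region.
#    (The DNS validation records must be created before the listener below can use it.)
resource "aws_acm_certificate" "alb" {
  domain_name       = "origin.example.com"
  validation_method = "DNS"
}

# 2. A DNS name under your control that aliases the ALB's *.elb.amazonaws.com name.
resource "aws_route53_record" "origin" {
  zone_id = var.hosted_zone_id
  name    = "origin.example.com"
  type    = "A"
  alias {
    name                   = aws_lb.app.dns_name
    zone_id                = aws_lb.app.zone_id
    evaluate_target_health = true
  }
}

# 3. HTTPS listener presenting that certificate, so TLS terminates at the ALB.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.alb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# 4. The gateway integration targets the custom name rather than the raw ELB
#    hostname, so the host it connects to matches the certificate subject.
resource "aws_api_gateway_integration" "proxy" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.proxy.http_method
  integration_http_method = "ANY"
  type                    = "HTTP_PROXY"
  uri                     = "https://origin.example.com/{proxy}"
  request_parameters = {
    "integration.request.path.proxy" = "method.request.path.proxy"
  }
}
```

After applying, the CloudWatch "does not match the certificate subject" error from the question should disappear, because the integration URI's hostname is now the same name the ACM certificate was issued for.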