L.H.

Reputation: 81

Matching certificate for VPC-Link HTTPS endpoint in API Gateway

I would like to change my API from HTTP to HTTPS in API Gateway, but get the following error:

Endpoint request headers: {x-amzn-apigateway-api-id=ghqsfz8w25, 
Accept=application/json, User-Agent=AmazonAPIGateway_xxxx, 
Host=xxx-nlb-ecs-service-xxx-xxxcea41.elb.eu-west-1.amazonaws.com, 
X-Amzn-Trace-Id=Root=1-xxx-xxx}
Endpoint request body after transformations: 
Sending request to https://xxx-nlb-ecs-service-xxx-xxxcea41.elb.eu-west-1.amazonaws.com
Execution failed due to configuration error: 
Host name 'vpce-xxx007-xxxb1h.vpce-svc-xxx318ce.eu-west-1.vpce.amazonaws.com' does 
not match the certificate subject provided by the peer (CN=*.domain.eu)
Method completed with status: 500

With the following configuration:

The settings of the API method are

With HTTP this configuration was working. Now it seems that I need to associate the VPC endpoint with the wildcard certificate. It is my first experience with AWS and I am not a network expert. Any ideas how I can fix this issue?

Thanks in advance!

Upvotes: 8

Views: 6381

Answers (1)

antonmos

Reputation: 1046

To make this work:

  • Use ACM to provision a cert for a private zone you control, e.g. domain.eu
  • Create A-Alias record for the NLB, e.g. vpclink-nlb.domain.eu
  • Update the NLB listener to use the above cert
  • Update the API Gateway Method Integration Endpoint URL to https://vpclink-nlb.domain.eu

Upvotes: 4
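The error in the question is the TLS client's hostname check: API Gateway connects to the VPC endpoint DNS name, and that name is not covered by a certificate whose only name is `*.domain.eu`. The answer's fix works because it changes the name the gateway dials (a Route 53 alias under `domain.eu`) rather than the certificate. The following is an added example, not code from the question, the answer, or AWS; it reimplements the RFC 6125 wildcard matching rule that TLS clients apply, and runs it against the hostname and certificate subject quoted on the page. The function names and the SAN list are assumptions of this example.

```python
"""
Hostname-vs-certificate matching as a TLS client such as API Gateway's
VPC Link integration performs it (RFC 6125 rules, simplified).

Added example for the Q&A above; it does not use any AWS API. Hostnames
and the CN come from the page; everything else is constructed here.
"""

# Values quoted on the page (x's are the asker's own redaction).
PEER_CERT_CN = "*.domain.eu"
VPCE_HOSTNAME = (
    "vpce-xxx007-xxxb1h.vpce-svc-xxx318ce.eu-west-1.vpce.amazonaws.com"
)
PROPOSED_ALIAS = "vpclink-nlb.domain.eu"  # the alias the answer suggests


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Return True if `pattern` (a dNSName or CN value) covers `hostname`.

    Rules applied, following RFC 6125 section 6.4.3 as modern clients do:
      * comparison is case-insensitive and label by label;
      * a wildcard must be the entire leftmost label ("*.domain.eu");
      * the wildcard covers exactly one label, so "a.b.domain.eu" is NOT
        matched by "*.domain.eu";
      * at least two labels must follow the wildcard ("*.eu" is rejected);
      * wildcards anywhere else ("vpc*.domain.eu") are rejected.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        if len(pat) < 3 or any("*" in label for label in pat[1:]):
            return False
        return host[0] != "" and host[1:] == pat[1:]
    if any("*" in label for label in pat):
        return False
    return host == pat


def certificate_matches(hostname: str, subject_cn: str, sans=()) -> bool:
    """Decide whether a certificate with this CN and dNSName SANs is
    acceptable for `hostname`.

    When the certificate carries dNSName SANs, the CN is ignored entirely
    (RFC 6125 section 6.4.4); the CN is only consulted for legacy
    certificates that have no SANs.
    """
    names = list(sans) if sans else [subject_cn]
    return any(hostname_matches(hostname, name) for name in names)


def diagnose(hostname: str, subject_cn: str, sans=()) -> str:
    """One-line explanation in the style of the gateway's error message."""
    if certificate_matches(hostname, subject_cn, sans):
        return f"OK: host name '{hostname}' is covered by the peer certificate"
    return (
        f"Host name '{hostname}' does not match the certificate subject "
        f"provided by the peer (CN={subject_cn})"
    )


if __name__ == "__main__":
    # Before the fix: the gateway dials the VPC endpoint name.
    print(diagnose(VPCE_HOSTNAME, PEER_CERT_CN))
    # After the fix: the gateway dials an alias under the certificate's zone.
    print(diagnose(PROPOSED_ALIAS, PEER_CERT_CN))
    # Pitfall: a deeper name under domain.eu is still not covered.
    print(diagnose("nlb.internal.domain.eu", PEER_CERT_CN))
```

Running the script reproduces the page's failure for the `vpce-…amazonaws.com` name and shows that `vpclink-nlb.domain.eu` passes. The third case is the check worth keeping around: if the Route 53 alias is created one label deeper than the wildcard covers, the integration fails with the same error even though the name is inside `domain.eu`.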
