Welcome to Knowledge Base!

KB at your finger tips

This is one stop global knowledge base where you can learn about all the products, solutions and support features.

Categories
All

Cloud-AWS

Troubleshoot wrong certificate returned for API Gateway custom domain names

Why was the wrong certificate returned when invoking my API Gateway custom domain name?

Last updated: 2022-09-29

I tried to make an API request to my Amazon API Gateway custom domain name, but the wrong certificate was returned. How do I fix this?

Short description

There are two types of custom domain names that you can create for API Gateway APIs: Regional or (for REST APIs only) edge-optimized.

For Regional custom domain names, API Gateway creates a Regional domain name. You must set up a DNS record to map the custom domain name to the hostname similar to "d-example.execute-api.<region>.amazonaws.com".

For edge-optimized custom domain names, API Gateway creates an Amazon CloudFront distribution. You must set up a DNS record to map the custom domain name to the CloudFront distribution name similar to "distribution-id.cloudfront.net".

In the following scenario, the SSL certificate *.example.com or www.example.com was uploaded to the custom domain name www.example.com. An API request to www.example.com returns an error similar to the following:

From a browser:

"This server could not prove that it is www.example.com; its security certificate is from *.execute-api.us-east-1.amazonaws.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

From curl:

"curl: (60) SSL: no alternative certificate subject name matches target hostname 'www.example.com'. curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above."

Resolution

Make sure that the CNAME or A record of the custom domain name points to the API Gateway domain name and not to the API Gateway stage URL.

1.    Run the following openssl command to verify that the SSL certificate is returned by the custom domain:

openssl s_client -connect www.example.com:443 -servername www.example.com

Example output:

subject=/CN=*.execute-api.us-east-1.amazonaws.com

2.    Run the following dig command on the custom domain:

dig www.example.com

The dig command output has either a CNAME record pointing to the API Gateway stage URL, or an A record pointing to the IP address.

3.    Check the DNS record for the domain www.example.com with your domain registrar to determine where it's pointing to. If your domain is registered with Amazon Route 53, then see Checking DNS responses from Route 53.

4.    To confirm that the DNS records are mapped correctly, open the API Gateway console. In the navigation pane, choose Custom domain names , and then choose your custom domain.

5.    From Domain details , choose Configuration , and then check the API Gateway domain name . The custom domain name must be mapped to the API Gateway domain name. Regional custom domain names use a prefix similar to "d-example.execute-api.<region>.amazonaws.com". Edge-optimized custom domain names use a prefix similar to "distribution-id.cloudfront.net".

6.    If the CNAME record points to the API Gateway stage URL instead of the API Gateway domain name, update the CNAME record. Change the CNAME record to point to your API Gateway domain name instead of the stage URL. If your custom domain name is registered with a third party, then contact your domain registrar. If your custom domain name is registered with Route 53, then see Editing records.


How can I set up a custom domain name for my API Gateway API?

How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support

Configure a custom domain for API Gateway APIs behind a CloudFront web distribution

How can I configure a custom domain endpoint for multiple API Gateway APIs behind a CloudFront web distribution?

Last updated: 2022-09-28

I want to use an Amazon API Gateway custom domain endpoint behind an Amazon CloudFront web distribution. Then, I want to forward the API request to multiple APIs using base path mapping. How can I do this?

Resolution

Create the custom domain name for your REST API, HTTP API, or WebSocket API

If you haven't already done so, create your custom domain name, and then associate it with two different APIs.

Note: A custom domain name for a WebSocket API can't be mapped to REST APIs or HTTP APIs.

For REST APIs, follow the instructions in Setting up custom domain names for REST APIs.

For HTTP APIs, follow the instructions in Setting up custom domain names for HTTP APIs.

For WebSocket APIs, follow the instructions in Setting up custom domain names for WebSocket APIs.

Note: After a custom domain name is created in API Gateway, you must create or update your DNS provider's resource record to map to your API endpoint. For more information, see Register a domain name.

The example in this article uses a REST API Regional custom domain name setup.

Example API endpoint URLs

https://restapiId1.execute-api.us-west-2.amazonaws.com/example1/home
https://restapiId2.execute-api.us-west-2.amazonaws.com/example2/home

Example custom domain URL (without base path mapping)

https://apigw.customdomain.com/example1/home
https://apigw.customdomain.com/example2/home

Create a CloudFront web distribution

1.    Open the CloudFront console, and then choose Create Distribution .

2.    On the Select a delivery method for your content page, under Web , choose Get Started .

3.    On the Create Distribution page, for Origin Domain , paste your API's custom domain URL similar to the following example:

Origin domain name example

https://apigw.customdomain.com

4. For Origin path , leave it blank . Note: Entering an incorrect base path for origin path when invoking the CloudFront web distribution can result in an error. For example, an unauthorized request error that returns the error "Missing Authentication Token" and a 403 Forbidden response code.

5.    For Minimum Origin SSL Protocol , it's a best practice to choose TLSv1.2 . Don't choose SSLv3 . API Gateway doesn't support the SSLv3 protocol.

6.    For Protocol , choose HTTPS Only . Note: API Gateway doesn't support unencrypted HTTP endpoints. For more information, see Amazon API Gateway FAQs.

7.    (Optional) To forward custom headers to your origin, choose Add header , and enter your Header name and Value . Note: For a list of custom headers that CloudFront can't add, see Custom headers that CloudFront can't add to origin requests.

8.    Choose Create Distribution .

After CloudFront creates your distribution, the value of the Status column for your distribution changes from InProgress to Deployed .

For more information, see Creating a distribution.

Test your CloudFront web distribution

1.    Open the CloudFront console, copy the Domain Name of your web distribution to your clipboard similar to the following example:

Non-custom domain name example

a222222bcdefg5.cloudfront.net

2.    Follow the instructions for Testing a distribution.

A successful test returns a 200 OK response. If you get a 500 server error code, then the web distribution might not be deployed. If you get no response, the CloudFront DNS record hasn't propagated yet.

After the CloudFront distribution is created, your setup is configured as follows:

a222222bcdefg5.cloudfront.net/example1/home --> apigw.customdomain.com/example1/home --> API-1

a222222bcdefg5.cloudfront.net/example2/home --> apigw.customdomain.com/example2/home --> API-2

You are now able to make a request to two APIs from a single CloudFront distribution with your API Gateway custom domain name.

To configure forwarding for incoming authorization headers for your CloudFront web distribution, see How do I set up API Gateway with my own CloudFront distribution?


Choose an endpoint type to set up for an API Gateway API

Working with API mappings for Websocket APIs

Working with API mappings for REST APIs

Working with API mappings for HTTP APIs

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Troubleshoot API Gateway"429 Too Many Requests" or "Limit Exceeded" errors

How can I troubleshoot "429 Too Many Requests" or "Limit Exceeded" errors for my API Gateway API?

Last updated: 2022-09-26

I received "429 Too Many Requests" or "Limit Exceeded" errors when sending requests to my Amazon API Gateway API. How do I troubleshoot these errors?

Short description

API Gateway has account-level quotas, per Region. The throttle quota is 10,000 requests per second (RPS) with an additional burst capacity provided by the token bucket algorithm. The maximum bucket capacity is 5,000 requests per account and Region. API Gateway throttling-related settings are applied in the following order:

  • Per-client or per-method throttling limits that you set for an API stage in a usage plan.
  • Per-method throttling limits that you set for an API stage.
  • Account-level throttling per Region.
  • AWS Regional throttling.

Exceeding the throttling limit or quota returns a "429 Too Many Requests" or "Limit Exceeded" error response.

For more information, see How throttling limit settings are applied in API Gateway.

Resolution

Before you begin, make sure that you have followed the instructions to turn on Amazon CloudWatch Logs for troubleshooting API Gateway. Make sure that you choose ERROR to generate execution logs only for requests to your API that result in an error. Then, view logged API requests and responses using the CloudWatch console.

"429 Too Many Requests" error

Check the rate or burst limit for per-client or per-method throttling limits that you set for the API stage for your usage plan. When the rate or burst limits are exceeded, CloudWatch execution logs an exceeded throttle limit error similar to the following:

(f277a0b4-2bcd-41b3-8e43-4de770663ffb) API Key 
**********************************
F0yrv6 exceeded throttle limit for API
 Stage rohkz08x02/dev: Key throttle limit exceeded for Usage Plan ID 
nnpegc, RestApi rohkz08x02, Stage dev, Resource f646q2, HttpMethod GET. 
Limit: 5.00 Burst: 10

To resolve this error, use retries and an exponential backoff algorithm with jitter, and then resubmit your API request.

For more information, see exponential backoff and jitter.

"Limit Exceeded" error

This error might indicate that the quota limit is exceeded for your API Gateway usage plan. When the quota limit is exceeded, then CloudWatch execution logs an exceeded quota limit error similar to the following:

(7b819c41-e0a0-433a-883e-bc461fd70fd6) API Key 
**********************************
F0yrv6 exceeded quota limit for API 
Stage rohkz08x02/dev: Key quota exhausted for Usage Plan ID nnpegc. Q
Limit: 500 Period: DAY

To resolve this error, follow the instructions to extend the remaining quota.


How do I troubleshoot Lambda function throttling with "Rate exceeded" and 429 "TooManyRequestsException" errors?

How do I find API Gateway REST API errors in my CloudWatch logs?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Resolve certificate expired or "invalid certificate" errors for API Gateway API custom domains

How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?

Last updated: 2022-09-23

I set up a custom domain name for my API Gateway API. I received an error that the AWS Certificate Manager (ACM) certificate is expired or "invalid certificate". How can I resolve this error?

Short description

The certificate has expired error occurs when the certificate used for creating the custom domain name is expired.

The "invalid certificate error" occurs because of a mismatched common name (CN) or subject name in the certificate.

Resolution

Expired ACM certificates

If your certificate is expired, you might receive an error similar to the following:

"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]"
To check the certificate expiry, run the OpenSSL command s_client similar to the following:

openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates

To renew the certificate, see Managed renewal for ACM certificates.

To avoid expired certificates, see How to monitor expirations of imported certificates in ACM.

Mismatched ACM certificates

If your certificate has a mismached CN or subject name, you might receive an error similar to the following:

"ERR_CERT_COMMON_NAME_INVALID"

Confirm the following settings:

  • The certificate used to create the custom domain name exists in ACM.
  • The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *example.com.
  • Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.

Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).

Example configuration:

custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com

You can check your configuration by running the dig command on your custom domain similar to the following:

$ dig custom.example.com

How can I resolve DNS resolution or certificate mismatch errors for my API Gateway custom domain name?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Troubleshoot SigV4 signature mismatch errors with IAM authentication for API Gateway

How can I troubleshoot signature mismatch errors when making SigV4 signed requests with IAM authentication to API Gateway?

Last updated: 2022-09-22

The Signature Version 4 (SigV4) signed request to Amazon API Gateway failed with a 403 response and an error similar to the following:

"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method."

How can I troubleshoot this?

Short description

API Gateway API endpoints using AWS Identity and Access Management (IAM) authentication might return 403 errors if:

  • The API request isn't signed and the API request uses IAM authentication.
  • The IAM credentials used to sign the request are incorrect or don't have permissions to invoke the API.
  • The signature of the signed API request doesn't match the signature for the API Gateway API endpoint.
  • The API request header is incorrect.

Resolution

IAM authentication

Make sure that the API request using IAM authentication is signed with SigV4. If the API request isn't signed, then you might receive the following error: “Missing Authentication Token”

IAM credentials

Verify that the authentication credentials for the access key and secret key are correct. If the access key is incorrect, then you might receive the following error: "The security token included in the request is invalid."

Make sure that the IAM entity used to sign the request has execute-api:Invoke permissions. If the IAM entity doesn't have execute-api:Invoke permissions, then you might receive the following error: "User: arn:aws:iam::xxxxxxxxxxxx:user/username is not authorized to perform: execute-api:Invoke on resource"

Signature mismatch

If the secret access key is incorrect, then you might receive the following error: "The request signature we calculated does not match the signature you provided."

The secret access key must match the access key ID in the Credential parameter. For instructions, follow the Send a request to test the authentication settings section in How do I activate IAM authentication for API Gateway REST APIs?

Make sure that you followed the instructions for the SigV4 signing process. If any values in the signature calculation are incorrect, then you might receive the following error: "The request signature we calculated does not match the signature you provided."

When API Gateway receives a signed request, it recalculates the signature. If there are differences in the values, then API Gateway gets a different signature. Compare the canonical request and string to your signed request with the value in the error message. Modify the signing process if there are any differences.

Example canonical request:

GET                                                      -------- HTTP method
/                                                        -------- Path. For API stage endpoint, it should be /{stage-name}/{resource-path}
                                                         -------- Query string key-value pair. Leave it blank if the request doesn't have any query string
content-type:application/json                            -------- header key-value pair. One header per line
host:0123456789.execute-api.us-east-1.amazonaws.com      -------- host and x-amz-data are required headers for all signed request                       
x-amz-date:20220806T024003Z                              

content-type;host;x-amz-date                             -------- A list of signed headers
d167e99c53f15b0c105101d468ae35a3dc9187839ca081095e340f3649a04501        -------- hash of the payload

Example canonical error response:

<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The canonical string for this request should have been 'GET / Action=ListGroupsForUser&MaxItems=100&UserName=Test&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential
=AKIAIOSFODNN7EXAMPLE%2F20120223%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-Date=20120223T063000Z&X-Amz-SignedHeaders=host
host:iam.amazonaws.com

host
<hashed-value>'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20120223T063000Z
20120223/us-east-1/iam/aws4_request
<hashed-value>'
</Message>
  </Error>
  <RequestId>4ced6e96-5de8-11e1-aa78-a56908bdf8eb</RequestId>
</ErrorResponse>

Note: For API gateway headers, only the host and x-amz-date headers are required.

API request header

Make sure that the SigV4 authorization header includes the correct credential key similar to the following:

Authorization: AWS4-HMAC-SHA256 
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, 
SignedHeaders=host;range;x-amz-date,
Signature=example-generated-signature

If the credential key is missing or incorrect, you might receive the following error: “Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter."

Make sure that the SigV4 authorization request also includes the request date using either HTTP Date or the x-amz-date header.

For more information, see Troubleshooting key signing errors and Troubleshooting AWS Signature Version 4 errors.


Examples of the complete Signature Version 4 signing process (Python)

How do I troubleshoot HTTP 403 errors from API Gateway?

Signing AWS requests with Signature Version 4

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Resolve "HTTP 403 Forbidden" errors when invoking API Gateway with an IAM cross-account

How can I resolve "HTTP 403 Forbidden" errors when invoking my API with cross-account IAM authentication for API Gateway?

Last updated: 2022-09-16

I called my Amazon API Gateway API with a cross-account AWS Identity and Access Management (IAM) entity (user or role). I get an "HTTP 403 Forbidden" error. How do I troubleshoot this?

Resolution

REST APIs

For accessing API Gateway REST APIs, turn on IAM authentication for an API method in the API Gateway console. Then, use IAM policies and resource policies to designate permissions for your API's users.

Make sure that the cross-account IAM entity has permissions to invoke the API and is allowed access in the resource policy.

In this example, the REST API for account A 111111111 has IAM authentication enabled. User1 tries to invoke from account B 999999999. User1 in account B has the following IAM policy attached:

}
  ]
    }
      "Resource": "arn:aws:execute-api:us-east-1:111111111:AB12CDEF34/*/*/*"
      ],
        "execute-api:ManageConnections"
        "execute-api:Invoke",
      "Action": [
      "Effect": "Allow",
    {
  "Statement": [
  "Version": "2012-10-17",
{

To allow the IAM user for account B in account A to invoke cross-account access, use a resource policy similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999:user/User1"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:111111111:AB12CDEF34/stage/*/*"
    }
  ]
}

For more information, see How do I activate IAM authentication for API Gateway REST APIs?

HTTP APIs

For accessing API Gateway HTTP APIs, you can use the sts:AssumeRole API action to assume a role for the HTTP API account. The assumed role provides temporary security credentials that can be used to invoke the HTTP API in another account.

Make sure that the temporary security credentials used to invoke the HTTP API are correct and not expired.

For more information, see How can I provide cross-account IAM authorization for API Gateway HTTP APIs?


API Gateway resource policy examples

Activate IAM authentication for API Gateway Rest APIs

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article