Amazon API Gateway returned an error for my API request similar to the following:
"Execution failed due to configuration error: General SSLEngine problem"
Resolution
When API Gateway processes an API request, it performs an SSL handshake with the backend. For the handshake to succeed, the following requirements must be met:
A supported CA
The CA must be supported by API Gateway for HTTP, HTTP proxy, and private integrations. To check the CA fingerprint, run the following OpenSSL command for your operating system:
Linux
openssl x509 -in cert.pem -fingerprint -sha256 -noout
openssl x509 -in cert.pem -fingerprint -sha1 -noout
Windows
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]
A valid ACM certificate that isn't expired
To check the expiration date of the certificate, run the following OpenSSL command:
openssl x509 -in certificate.crt -text -noout
In the output, check for the validity timestamp:
Validity
Not Before: Apr 29 12:49:02 2020 GMT
Not After : Apr 29 12:49:02 2021 GMT
In this example output, the certificate is valid from April 29, 2020 and expires after April 29, 2021.
A valid CA certificate
Check the CA certificate configuration by running the following OpenSSL command:
openssl s_client -connect example.com:443 -showcerts
Validate that:
- The subject of the intermediate certificate matches the issuer of the entity certificate.
- The subject of the root certificate matches the issuer of the intermediate certificate.
- The subject and issuer are the same in the root certificate.
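The three checks above can be run mechanically over the "Certificate chain" section that openssl s_client -showcerts prints. The following script is an added example, not part of the original article or AWS tooling; the function name check_chain and both sample chains are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not AWS code). Checks subject/issuer linkage in the
# "Certificate chain" section printed by `openssl s_client -showcerts`.
# Live use: openssl s_client -connect example.com:443 -showcerts </dev/null | check_chain

check_chain() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "FAIL no certificates found in input"; exit 2 }
      bad = 0
      # Each certificate must be issued by the next one up the chain.
      for (k = 1; k < n; k++) {
        if (iss[k] == subj[k + 1]) print "OK   cert " (k - 1) " issuer = cert " k " subject"
        else { print "FAIL cert " (k - 1) " issuer [" iss[k] "] != cert " k " subject [" subj[k + 1] "]"; bad = 1 }
      }
      # The last certificate must be a self-signed root.
      if (subj[n] == iss[n]) print "OK   cert " (n - 1) " is self-signed (root)"
      else { print "FAIL cert " (n - 1) " is not self-signed; issuer [" iss[n] "] missing"; bad = 1 }
      exit bad
    }'
}

# Constructed sample: complete chain (entity -> intermediate -> root).
sample_good() {
  cat <<'EOF'
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Example Trust, CN = Example Intermediate CA
 1 s:C = US, O = Example Trust, CN = Example Intermediate CA
   i:C = US, O = Example Trust, CN = Example Root CA
 2 s:C = US, O = Example Trust, CN = Example Root CA
   i:C = US, O = Example Trust, CN = Example Root CA
---
EOF
}

# Constructed sample: intermediate missing, so the entity issuer matches nothing.
sample_broken() {
  cat <<'EOF'
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Example Trust, CN = Example Intermediate CA
 1 s:C = US, O = Example Trust, CN = Example Root CA
   i:C = US, O = Example Trust, CN = Example Root CA
---
EOF
}

sample_good | check_chain
sample_broken | check_chain || echo "chain rejected"
```

The script compares distinguished names as strings only; it does not verify signatures, so it complements the OpenSSL checks in this article and does not replace them.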
A certificate that doesn't exceed 2048 bits
Check the size of the certificate by running the following OpenSSL command:
openssl x509 -in badssl-com.pem -text -noout | grep -E '(Public-Key):'
Note: The certificate size can't exceed 2048 bits.
If your certificate fails to meet any of these requirements, first update your private CA. Then, reissue a new certificate using AWS Certificate Manager (ACM).
Related information
Set up API Gateway private integrations