How to Use AWS API Gateway with Let’s Encrypt

Lots of people use Let’s Encrypt nowadays, here we show you how combine in with Amazon API Gateway to secure your endpoints.

When you login onto the AWS API Gateway console and go to custom domain names it will present you with a form like this:

The Problem

AWS API Gateway requires SSL certificates and doesn’t not support Certificate Manager yet.

Note: Certificate Manager support for API Gateway is on the AWS Roadmap.

The Solution

Use Lets Encrypt!

The google/acme project’s README was sufficient to get everything set up, but I’ll walk through the steps.

Install the ACME client
If you have Go installed, you can run go get -u to install it.
Otherwise, download the latest release for your operating system.

Create an account with LetsEncrypt
$ mkdir -p ~/.config/acme
$ openssl genrsa -out ~/.config/acme/account.key 4096
$ acme reg is the ACME contact argument, which is necessary in case the Let’s Encrypt needs to notify you.

Agree to the ACME CA Terms of Service

Check the status of your account with acme whoami and run acme update -accept to accept.

Generate your private key using OpenSSL
openssl genrsa -out your.custom.domain.key 2048

The output will look something like this:
Generating RSA private key, 2048 bit long modulus

This will create a 2048 bit private key inside a file called your.custom.domain.key

Request the certificate
acme cert -k your.custom.domain.key -dns=true your.custom.domain

Note: change your.custom.domain to your domain name.

The DNS flag will use a DNS TXT record to prove that you own the domain (instead of using the .well-known method). You should see output that looks like this:

Add a TXT record for _acme-challenge.your.custom.domain with the value “PlcpEqnjIzhMlDsUKHFhUZx” and press enter after it has propagated.

Don’t press enter (yet!).

Update your DNS records

Login to Route53 or other DNS provider and add the requested DNS record. Once it has propagated, press enter.

Google provides this useful page for checking your DNS records:

You should see something like cert url:, but that doesn’t matter because there will be a file called your.custom.domain.crt in your current working directory.

Add the Custom Domain into API Gateway
Domain name: enter your your.custom.domain
Certificate name: name this something easy to remember, like your custom domain name
Certificate body: copy/paste the first certificate from your.custom.domain.crt
Certificate private key: copy/paste from your.custom.domain.key
Certificate chain: copy/paste the second certificate from your.custom.domain.crt

Note: It’s fine to copy the parts that say — — -BEGIN CERTIFICATE — — — and — — -END CERTIFICATE — — -.

Click the Save button and you should see AWS create the CloudFront distribution for your custom domain.