How to Use AWS API Gateway with Let’s Encrypt

Dennis Bell
Feb 2, 2017 · 2 min read

Lots of people use Let’s Encrypt nowadays; here we show you how to combine it with Amazon API Gateway to secure your endpoints.

When you log in to the AWS API Gateway console and go to Custom Domain Names, it will present you with a form like this:


The Problem

AWS API Gateway requires SSL certificates and doesn’t support Certificate Manager yet.

Note: Certificate Manager support for API Gateway is on the AWS Roadmap.

The Solution

Use Let’s Encrypt!

The google/acme project’s README was sufficient to get everything set up, but I’ll walk through the steps.

Install the ACME client
If you have Go installed, you can run go get -u to install it.
Otherwise, download the latest release for your operating system.

Create an account with LetsEncrypt
$ mkdir -p ~/.config/acme
$ openssl genrsa -out ~/.config/acme/account.key 4096
$ acme reg
The argument to acme reg is the ACME contact, which is necessary in case Let’s Encrypt needs to notify you.

Agree to the ACME CA Terms of Service

Check the status of your account with acme whoami and run acme update -accept to accept.

Generate your private key using OpenSSL
openssl genrsa -out your.custom.domain.key 2048

The output will look something like this:
Generating RSA private key, 2048 bit long modulus

This will create a 2048-bit private key inside a file called your.custom.domain.key.

Request the certificate
acme cert -k your.custom.domain.key -dns=true your.custom.domain

Note: change your.custom.domain to your domain name.

The DNS flag will use a DNS TXT record to prove that you own the domain (instead of using the .well-known method). You should see output that looks like this:

Add a TXT record for _acme-challenge.your.custom.domain with the value “PlcpEqnjIzhMlDsUKHFhUZx” and press enter after it has propagated.

Don’t press enter (yet!).

Update your DNS records

Log in to Route 53 (or your other DNS provider) and add the requested DNS record. Once it has propagated, press enter.

Google provides this useful page for checking your DNS records:

You should see something like cert url:, but that doesn’t matter because there will be a file called your.custom.domain.crt in your current working directory.

Add the Custom Domain into API Gateway
Domain name: enter your.custom.domain
Certificate name: name this something easy to remember, like your custom domain name
Certificate body: copy/paste the first certificate from your.custom.domain.crt
Certificate private key: copy/paste from your.custom.domain.key
Certificate chain: copy/paste the second certificate from your.custom.domain.crt

Note: It’s fine to copy the parts that say -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
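Splitting the .crt bundle by hand is where copy/paste mistakes happen (leaf and intermediate swapped, or a key that belongs to an older CSR). The script below is an added example, not from the original post or the google/acme project: it splits the bundle into the "Certificate body" and "Certificate chain" pieces the form asks for, and offers an openssl check that the key matches the leaf and that the leaf chains to the intermediate. File names follow the post; the sample bundle is a constructed placeholder, not real certificates.

```shell
#!/bin/sh
# Added example: prepare the two PEM pieces API Gateway asks for.
# Assumes the bundle is laid out as the post describes: leaf first, then
# the intermediate, both as -----BEGIN/END CERTIFICATE----- blocks.

# split_pem BUNDLE BODY_OUT CHAIN_OUT
# First certificate -> BODY_OUT (Certificate body); everything after it
# -> CHAIN_OUT (Certificate chain). Prints how many certificates it saw.
split_pem() {
    bundle=$1; body=$2; chain=$3
    : > "$body"; : > "$chain"   # truncate so a stale chain cannot linger
    awk -v body="$body" -v chain="$chain" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (body) }
        n >= 2 { print > (chain) }
        END { print n + 0 }
    ' "$bundle"
}

# verify_pair BODY CHAIN KEY
# Fails if the private key does not belong to the leaf, or if the leaf does
# not chain through CHAIN to a root in the system trust store. Needs openssl;
# run it on the real files before pasting anything into the console.
verify_pair() {
    body=$1; chain=$2; key=$3
    cert_mod=$(openssl x509 -noout -modulus -in "$body" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    [ "$cert_mod" = "$key_mod" ] || { echo "key does not match leaf" >&2; return 1; }
    openssl verify -untrusted "$chain" "$body"
}

# Constructed stand-in for your.custom.domain.crt: two placeholder PEM
# blocks, NOT real certificates, just enough to exercise the split logic.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-LINE-1
LEAF-PLACEHOLDER-LINE-2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER-LINE-1
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/your.custom.domain.crt"
count=$(split_pem "$tmp/your.custom.domain.crt" "$tmp/body.pem" "$tmp/chain.pem")
echo "certificates in bundle: $count"      # 2 for the constructed sample
echo "--- Certificate body ---";  cat "$tmp/body.pem"
echo "--- Certificate chain ---"; cat "$tmp/chain.pem"
# On the real files: verify_pair body.pem chain.pem your.custom.domain.key
```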

Click the Save button and you should see AWS create the CloudFront distribution for your custom domain.


Techblog of Merapar
