Well, I have an AWS::ApiGateway::RestApi resource that always generates a URL like this: https://{GATEWAYID}.execute-api.{REGION}.amazonaws.com/{STAGE}

So I created a CNAME in Route 53 with the following characteristics:
```yaml
CnameRoute53Api:
  Type: AWS::Route53::RecordSet
  Properties:
    HostedZoneId: !Ref MyHostedZone
    Name: api.privatedomain
    Type: CNAME
    TTL: 300
    ResourceRecords:
      - !Sub ${GatewayId}.execute-api.${AWS::Region}.amazonaws.com
  DependsOn: MyHostedZone
```
As you can see, I'm creating a CNAME inside my private hosted zone pointing to my gateway. Now I'm trying to make a curl request from an EC2 instance in this account:
```
curl -v https://api.privatedomain
```
And I get the following error:
```
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.privatedomain'
```
I understand that the SSL certificate is not prepared to accept requests for "api.privatedomain". Is there any way to fix it? I don't want to buy a custom domain to expose my API to the internet; this API will be accessible only inside this account.
As you already observed, you can't do this due to SSL issues. If you don't want to use the AWS-provided default API domain, you have to buy your own public domain, for which you can get a free public SSL certificate using ACM.

But anyway, if you don't want to have a public API, why not create a private API? At the moment, your private zone will resolve to the public API over the internet, so it's rather counterproductive to use a private zone for that.

The use of a private API, unlike a public API, ensures that the entire traffic between your instance and the API does not go over the internet.
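As an added example (not part of the answer above, and not the asker's template), here is a CloudFormation fragment for the private-API setup the answer suggests: an execute-api interface endpoint in the VPC plus a RestApi whose endpoint type is PRIVATE and whose resource policy only allows calls arriving through that endpoint. The parameter names, the logical resource names and the API name are assumptions.

```yaml
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  EndpointSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # Interface endpoint for API Gateway. With PrivateDnsEnabled the default
  # hostname ({id}.execute-api.{region}.amazonaws.com) resolves to private IPs
  # inside the VPC, so the AWS-managed certificate still matches the name and
  # no custom domain or extra certificate is needed.
  ApiVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroupId
      PrivateDnsEnabled: true

  PrivateRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: internal-only-api   # assumed name
      EndpointConfiguration:
        Types:
          - PRIVATE
        VpcEndpointIds:
          - !Ref ApiVpcEndpoint
      # Resource policy: only requests that come through this VPC endpoint may
      # invoke the API; the explicit Deny rejects every other source.
      Policy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref ApiVpcEndpoint
          - Effect: Allow
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
```

After deploying this (plus the usual Deployment and Stage resources), an instance in the VPC calls the API through its default https://{id}.execute-api.{region}.amazonaws.com/{stage} URL and the certificate check passes; a private hostname such as api.privatedomain would still need a certificate that contains that name.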