I've successfully got the api-gw talking to NLB (via VPC Link) then on to ALB then on to my ECS cluster running my APIs.
To enable SSL between api-gw and ALB using private certs I've used the insecureSkipVerification tlsconfig. The private certs were created by ACM-PCA in this test.
However, what I want to do is import a private certificate, rather than use an AWS private CA created one. When I create my own certificate, import it into ACM and attach it to the load balancer, I get an SSL error:
Execution failed due to....PKIX path building failed:...certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
This is the same error when you use a private cert without enabling: insecureSkipVerification.
Is using self managed private CA certs not an option at all with the api-gw?
I had the same issue; in my case the issue was that when I imported the custom certificate into ACM I didn't specify a Certificate Chain. I was able to use the SSL certificate for the ALB, but when integrating with API Gateway I was getting the error. After I specified the Certificate Chain I was able to use my custom (imported) SSL certificate with API Gateway without issues.
Specify a value for Certificate Chain:
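
The following is an added example, not part of the original thread: a shell pre-import check that the file you put in ACM's Certificate Chain field actually links the leaf certificate to your private root, which is the "certification path" the PKIX error refers to. It goes beyond the one-CA case in the posts by building a constructed root, intermediate and leaf (all subjects and file names are made up), and it assumes `openssl` is installed; `import_to_acm` additionally assumes a configured AWS CLI.

```shell
# Constructed demo PKI (root -> intermediate -> leaf); every name here is made up.
make_demo_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  newreq() { openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  newreq -x509 -days 1 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem"
  newreq -new -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 1 \
    -out "$d/int.pem" 2>/dev/null
  newreq -new -subj "/CN=api.internal.example" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Content for the Certificate Chain field: intermediate first, then root.
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Succeeds only if the leaf chains to the trusted root, optionally helped by
# the certificates in a chain file (passed as untrusted intermediates).
chain_ok() {  # $1 = leaf, $2 = root, $3 = chain file (optional)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
  fi
}

# Import only after the chain check passes; requires AWS credentials.
import_to_acm() {  # $1 = directory holding leaf.pem, leaf.key, chain.pem, root.pem
  chain_ok "$1/leaf.pem" "$1/root.pem" "$1/chain.pem" ||
    { echo "chain.pem does not link leaf.pem to root.pem" >&2; return 1; }
  aws acm import-certificate \
    --certificate "fileb://$1/leaf.pem" \
    --private-key "fileb://$1/leaf.key" \
    --certificate-chain "fileb://$1/chain.pem"
}
```

With the demo files, `chain_ok leaf.pem root.pem` fails while `chain_ok leaf.pem root.pem chain.pem` succeeds, the local equivalent of a missing versus a supplied Certificate Chain.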