IMPORTANT!: Zappa now supports DNS-based validation out of the box, so you should probably use that if possible!
This guide will show you the slightly convoluted way of running a Zappa website on an API Gateway Custom Domain Name with a free valid SSL certificate via Let's Encrypt with HTTP validation.
First, you should have a valid Zappa website deployed to API Gateway without a domain.
You'll also need to install Let's Encrypt via git:
$ git clone
$ cd letsencrypt
and localtunnel via npm:
$ npm install -g localtunnel
In one terminal, run:
./letsencrypt-auto certonly -d --manual
Hit 'Yes' until you get to a message like this:
Make sure your web server displays the following content at before continuing:
If you don't have HTTP server configured, you can run the following
command on the target server (as root):
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" OJkbegIsNpnowA_xql_kqpl8hBImj9WbM88fDF35wBE.Dowxk8snnt2LxVZS3XS433FYr2xtYZ0RaBcpaEXqmdc > .well-known/acme-challenge/OJkbegIsNpnowA_xql_kqpl8hBImj9WbM88fDF35wBE
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue
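Next, in another terminal, run the command it gave you as root. Run it from the /tmp/letsencrypt/public_html directory created above, because SimpleHTTPServer serves whatever directory it is started in.
sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"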
In a third terminal, run the following command (make sure the firewall is off or allows port 80 through):
lt --port 80 --subdomain yoursub
Then, in a browser, visit and make sure that your challenge value is there.
Next, point your DNS server's CNAME value to be "". Wait five minutes for this to propagate, then visit and confirm that this is working.
Then, in the first terminal, press ENTER and your certificate will be generated. You can find all of the keys and certificates in /etc/letsencrypt/live/
In the AWS API Gateway console, visit the custom domains page. Press 'create' and fill in your values from your /etc/letsencrypt/live/ directory.
| value | AWS API Gateway Custom Domain Name Setting field |
| --- | --- |
| | Domain name |
| | Certificate name |
| privkey.pem | Certificate private key |
| cert.pem | Certificate body |
| fullchain.pem | Certificate chain. Note: only copy the 2nd part of the chain because the 1st part is the Certificate body, already provided. |
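The chain note in the table above, as an added shell example that is not part of the original guide: it splits fullchain.pem into the certificate body and the remaining chain, and refuses to write the chain file unless the first block matches cert.pem. The function names and the output path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the API Gateway "Certificate chain" value from
# Let's Encrypt's fullchain.pem. Function names are hypothetical.

# Number of certificate blocks in a PEM file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# First certificate block only: this is the "Certificate body".
leaf_only() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print }
         n == 1 && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# Every block after the first: this is the "Certificate chain".
chain_only() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n >= 2 { print }' "$1"
}

# True only if fullchain.pem starts with exactly the cert in cert.pem,
# i.e. both files come from the same issuance (whitespace ignored).
leaf_matches_cert() {
    [ "$(leaf_only "$1" | tr -d '\r\n ')" = "$(tr -d '\r\n ' < "$2")" ]
}

# make_chain_file DIR OUT: write the chain-only PEM to OUT, refusing when
# DIR/fullchain.pem has no second block or disagrees with DIR/cert.pem.
make_chain_file() {
    dir=$1 out=$2
    [ "$(count_certs "$dir/fullchain.pem")" -ge 2 ] || {
        echo "fullchain.pem holds no chain certificate" >&2; return 1; }
    leaf_matches_cert "$dir/fullchain.pem" "$dir/cert.pem" || {
        echo "fullchain.pem does not start with cert.pem" >&2; return 1; }
    chain_only "$dir/fullchain.pem" > "$out"
}

# Usage (DIR is your directory under /etc/letsencrypt/live/):
#   make_chain_file DIR ./chain-only.pem
```

Paste the contents of the generated file into the 'Certificate chain' field and the contents of cert.pem into 'Certificate body'.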
Finally, press 'Save' and your domain with a free valid SSL certificate will be live! Update your domain DNS CNAME to point to the API Gateway domain. Also, this certificate will expire after 90 days, so remember to regenerate it!