Custom Domain/Subdomain - Lambda SSL Error

Hello all, and Happy New Year!

I figured I would post here because I have often come across solutions to my problems on these forums; countless hours of research have led me to a dead-end when attempting to configure the AWS Lambda Function with a custom subdomain. I’ll give a brief overview:

  • I ran this combination of Lambda Function / Alexa Skill perfectly well for two years.
  • I recently built my own pfSense firewall; in breaking my HomeAssistant connection (I created separate VLANs and new networks), I figured this was the ideal time to recreate the Lambda Function and Alexa Skill with my own domain instead of DuckDNS/LetsEncrypt. According to the Requirements section, this is possible.
  • I own a domain hosted under 1-and-1 IONOS and host a subdomain for Home Assistant. We’ll refer to this as[dot]com.
  • I verified that the certificate for this domain/subdomain is signed by an Amazon-approved certificate authority.
    • IONOS signs certificates with Digikey
  • I placed both certs in the SSL directory of HomeAssistant and made the proper entries in the configuration.yaml. After making the appropriate changes to pfSense and the subdomain, I tested the connection from both an external network and a local network device, and both worked using [https://][dot]com. No errors and the app runs smoothly. Great!

TL;DR: I replaced my firewall, gutted DuckDNS, and put my own DDNS with my own subdomain/SSL certs, all working flawlessly.

I moved on to recreate the lambda function using these small changes, and I was met with the following error:

Test Event Name

  "errorMessage": "HTTPSConnectionPool(host='', port=8123): Max retries exceeded with url: /api/alexa/smart_home (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))",
  "errorType": "MaxRetryError",
  "stackTrace": [
    "  File \"/var/task/\", line 65, in lambda_handler\n    body=json.dumps(event).encode('utf-8'),\n",
    "  File \"/var/runtime/urllib3/\", line 79, in request\n    method, url, fields=fields, headers=headers, **urlopen_kw\n",
    "  File \"/var/runtime/urllib3/\", line 170, in request_encode_body\n    return self.urlopen(method, url, **extra_kw)\n",
    "  File \"/var/runtime/urllib3/\", line 375, in urlopen\n    response = conn.urlopen(method, u.request_uri, **kw)\n",
    "  File \"/var/runtime/urllib3/\", line 796, in urlopen\n    **response_kw\n",
    "  File \"/var/runtime/urllib3/\", line 796, in urlopen\n    **response_kw\n",
    "  File \"/var/runtime/urllib3/\", line 796, in urlopen\n    **response_kw\n",
    "  File \"/var/runtime/urllib3/\", line 756, in urlopen\n    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]\n",
    "  File \"/var/runtime/urllib3/util/\", line 574, in increment\n    raise MaxRetryError(_pool, url, error or ResponseError(cause))\n"

It’s an SSL error, stating that it’s unable to get the local issuer certificate. Is there any way to make the local issuer certificate “visible” to the Lambda function? Is there something I’m missing while lost in this sauce?

I will supply any specific details, screenshots, or other necessary information to resolve this. I miss my “Computer” commands! I pray that this message reaches you all well, and hopefully, we can resolve this issue together!

My Home appreciates your Assistance! :wink:

This kind of thing can happen if you don’t use the full chain certificate, which tells clients who signed it - see this article for example.