ESP32 using WiFiClientSecure and AWS API Gateway client certificate fails to connect to server


I am using an ESP32 with the WiFiClientSecure library to make a GET request to my AWS API Gateway URL (https://x.......g.execute-api.eu-west-1.amazonaws.com/v1/esp32). I am using an API Gateway-issued client certificate containing a PEM-encoded public key.

It fails to connect to the server when using the settings as per my code below (though it appears that the certificate validates - see debug message below), but works with the www.howsmyssl.com example.

Here's my code (the relevant bits):

#include <Arduino.h>
#include <WiFiClientSecure.h>

const char *server = "x.......g.execute-api.eu-west-1.amazonaws.com";

WiFiClientSecure client;

void setup() {
  // ... Wi-Fi connection code omitted in the post ...

  // api_gateway_test_root_ca is defined elsewhere in the sketch (not shown).
  // my api gateway certificate containing PEM-encoded public key - i assume it works as in debug states Certificate verified
  client.setCertificate(api_gateway_test_root_ca);

  Serial.println("\nStarting connection to server...");
  if (!client.connect(server, 443))
    Serial.println("Connection failed!");
  else
  {
    Serial.println("Connected to server!");
    // request line: method, target, HTTP version
    client.println("GET https://x......g.execute-api.eu-west-1.amazonaws.com/v1/esp32?param1=solly&param2=molly&param3=folly&param4=zolly HTTP/1.0");
    client.println("Host: x......g.execute-api.eu-west-1.amazonaws.com");
    client.println("Connection: close");
    client.println();

    // skip the response headers (they end with an empty line)
    while (client.connected())
    {
      String line = client.readStringUntil('\n');
      if (line == "\r")
      {
        Serial.println("headers received");
        break;
      }
    }
    // if there are incoming bytes available
    // from the server, read them and print them:
    while (client.available())
    {
      char c = client.read();
      Serial.write(c);
    }

    client.stop();
  }
}

void loop() {
}

And here's the debug message:

After connecting to Wi-Fi, it tries connecting to the server...

Starting connection to server...
[V][ssl_client.cpp:56] start_ssl_client(): Free internal heap before TLS 265288
[V][ssl_client.cpp:58] start_ssl_client(): Starting socket
[V][ssl_client.cpp:93] start_ssl_client(): Seeding the random number generator
[V][ssl_client.cpp:102] start_ssl_client(): Setting up the SSL/TLS structure...
[I][ssl_client.cpp:156] start_ssl_client(): WARNING: Use certificates for a more secure communication!
[V][ssl_client.cpp:180] start_ssl_client(): Setting hostname for TLS session...
[V][ssl_client.cpp:195] start_ssl_client(): Performing the SSL/TLS handshake...
[V][ssl_client.cpp:216] start_ssl_client(): Verifying peer X.509 certificate...
[V][ssl_client.cpp:225] start_ssl_client(): Certificate verified.
Guru Meditation Error: Core 1 panic'ed (LoadProhibited). Exception was unhandled.
Core 1 register dump:
PC : 0x400ea714 PS : 0x00060a30 A0 : 0x800e1edd A1 : 0x3ffb1c70
A2 : 0x3ffbaab0 A3 : 0x40084f34 A4 : 0x3ffb8214 A5 : 0x00000000
A6 : 0x00000000 A7 : 0xffffffbc A8 : 0xfefefefe A9 : 0x3ffb1c10
A10 : 0x3ffb80c0 A11 : 0x3ffd7704 A12 : 0x00000000 A13 : 0x00000001
A14 : 0x00060c20 A15 : 0x00000000 SAR : 0x00000004 EXCCAUSE: 0x0000001c
EXCVADDR: 0xfefeff26 LBEG : 0x400014fd LEND : 0x4000150d LCOUNT : 0xfffffffc

Backtrace: 0x400ea714:0x3ffb1c70 0x400e1eda:0x3ffb1c90 0x400d30ab:0x3ffb1cb0 0x400d2811:0x3ffb1f20 0x400d295d:0x3ffb1f50 0x400d18b1:0x3ffb1f70 0x400d4413:0x3ffb1fb0 0x40088b9d:0x3ffb1fd0

Rebooting...
ets Jun 8 2016 00:22:57

rst:0xc (SW_CPU_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:1044
load:0x40078000,len:8896
load:0x40080400,len:5828
entry 0x400806ac

ssl
https
aws-api-gateway
client-certificates
esp32
asked on Stack Overflow Mar 3, 2020 by idig • edited Mar 3, 2020 by Suraj Bhatia
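
Added example (not part of the original question, and not code from the WiFiClientSecure project): a host-side C++ check of the PEM material meant for the three credential setters WiFiClientSecure provides, setCACert(), setCertificate() and setPrivateKey(), run here on a constructed input in which only the client-certificate slot is filled, as in the sketch above. TlsSlots, pemLabel and auditSlots are hypothetical names, and the PEM strings are constructed placeholders.

```cpp
// Added example: host-side pre-flight check of the PEM material for a TLS client.
// TlsSlots, pemLabel and auditSlots are hypothetical names, not WiFiClientSecure API.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

struct TlsSlots {
    std::string caCert;      // value intended for setCACert()
    std::string clientCert;  // value intended for setCertificate()
    std::string clientKey;   // value intended for setPrivateKey()
};

// Return the label of the first "-----BEGIN <label>-----" line, or "" if none.
std::string pemLabel(const std::string &pem) {
    const std::string open = "-----BEGIN ";
    std::size_t start = pem.find(open);
    if (start == std::string::npos) return "";
    start += open.size();
    std::size_t end = pem.find("-----", start);
    return end == std::string::npos ? std::string() : pem.substr(start, end - start);
}

static bool isPrivateKey(const std::string &label) {
    return label == "PRIVATE KEY" || label == "RSA PRIVATE KEY" || label == "EC PRIVATE KEY";
}

// Collect configuration problems; an empty result means the slots are consistent.
std::vector<std::string> auditSlots(const TlsSlots &s) {
    std::vector<std::string> issues;
    if (s.caCert.empty())
        issues.push_back("no CA certificate: nothing to verify the server against");
    else if (pemLabel(s.caCert) != "CERTIFICATE")
        issues.push_back("CA slot does not hold a CERTIFICATE block");
    if (s.clientCert.empty() != s.clientKey.empty())
        issues.push_back("client certificate and private key must be set together");
    if (!s.clientCert.empty() && pemLabel(s.clientCert) != "CERTIFICATE")
        issues.push_back("client certificate slot does not hold a CERTIFICATE block");
    if (!s.clientKey.empty() && !isPrivateKey(pemLabel(s.clientKey)))
        issues.push_back("client key slot does not hold a private key block");
    return issues;
}

int main() {
    TlsSlots q;  // constructed input: only the client-certificate slot is filled
    q.clientCert = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n";
    for (const std::string &issue : auditSlots(q)) std::cout << issue << "\n";
    return 0;
}
```
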

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0